GHSA-HM5P-82G6-M3XH

Vulnerability from github – Published: 2026-01-30 14:43 – Updated: 2026-01-30 14:43
VLAI?
Summary
Umbraco.Forms has Path Traversal and File Enumeration Vulnerabilities in Linux/Mac
Details

Impact

It's possible for an authenticated backoffice-user to enumerate and traverse paths/files on the systems filesystem and read their contents, on Mac/Linux Umbraco installations using Forms. As Umbraco Cloud runs in a Windows environment, Cloud users aren't affected.

Patches

This issue affects versions 16 and 17 of Umbraco Forms and is patched in 16.4.1 and 17.1.1

Workarounds

If upgrading is not immediately possible, users can mitigate this vulnerability by: * Configuring a WAF or reverse proxy to block requests containing path traversal sequences (../, ..\) in the fileName parameter of the export endpoint * Restricting network access to the Umbraco backoffice to trusted IP ranges * Blocking the /umbraco/forms/api/v1/export endpoint entirely if the export feature is not required

However, upgrading to the patched version is strongly recommended.

References

Credit to Kevin Joensen from Baldur Security for finding this vulnerability

Severity ?
6.0 (Medium)
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.Forms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.0.0"
            },
            {
              "fixed": "16.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.Forms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "17.0.0"
            },
            {
              "fixed": "17.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-24687"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-30T14:43:18Z",
    "nvd_published_at": "2026-01-29T20:16:10Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nIt\u0027s possible for an authenticated backoffice-user to enumerate and traverse paths/files on the systems filesystem and read their contents, on Mac/Linux Umbraco installations using Forms. As Umbraco Cloud runs in a Windows environment, Cloud users aren\u0027t affected. \n\n### Patches\nThis issue affects versions 16 and 17 of Umbraco Forms and is patched in 16.4.1 and 17.1.1\n\n### Workarounds\nIf upgrading is not immediately possible, users can mitigate this vulnerability by:\n* Configuring a WAF or reverse proxy to block requests containing path traversal sequences (`../`, `..\\`) in the `fileName` parameter of the export endpoint\n* Restricting network access to the Umbraco backoffice to trusted IP ranges\n* Blocking the `/umbraco/forms/api/v1/export` endpoint entirely if the export feature is not required\n\nHowever, upgrading to the patched version is strongly recommended.\n\n### References\nCredit to Kevin Joensen from Baldur Security for finding this vulnerability",
  "id": "GHSA-hm5p-82g6-m3xh",
  "modified": "2026-01-30T14:43:18Z",
  "published": "2026-01-30T14:43:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-hm5p-82g6-m3xh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24687"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/umbraco/Umbraco.Forms.Issues"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Umbraco.Forms has Path Traversal and File Enumeration Vulnerabilities in Linux/Mac"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.