How severe is CVE-2025-47280?

This vulnerability has a severity rating of LOW with a CVSS score of 6.1 out of 10.

What type of vulnerability is CVE-2025-47280?

This is classified as CWE-116, which is a common weakness in software security.

CVE-2025-47280 - LOW Severity | CVSS 6.1

Vulnerability Description

Umbraco Forms is a form builder that integrates with the Umbraco content management system. Starting in the 7.x branch and prior to versions 13.4.2 and 15.1.2, the 'Send email' workflow does not HTML encode the user-provided field values in the sent email message, making any form with this workflow configured vulnerable, as it allows sending the message from a trusted system and address, potentially bypassing spam and email client security systems. This issue affects all (supported) versions Umbraco Forms and is patched in 13.4.2 and 15.1.2. Unpatched or unsupported versions can workaround this issue by using the `Send email with template (Razor)` workflow instead or writing a custom workflow type. To avoid accidentally using the vulnerable workflow again, the `SendEmail` workflow type can be removed using a composer available in the GitHub Security Advisory for this vulnerability.

Related Vulnerabilities

CVE-2017-18892

MEDIUM

CVSS:6.1(Medium)

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. E-mail templates can have a field in which HTML content is not neutralized.

CWE-1162017

CVE-2021-21684

MEDIUM

CVSS:6.1(Medium)

Jenkins Git Plugin 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scriptin...

CWE-1162021

CVE-2021-34630

MEDIUM

CVSS:6.1(Medium)

In the Pro and Enterprise versions of GTranslate < 2.8.65, the gtranslate_request_uri_var function runs at the top of all pages and echoes out the contents of $_SERVER['REQUEST_URI']. Although this us...

CWE-1162021

CVE-2021-41132

MEDIUM

CVSS:6.1(Medium)

OMERO.web provides a web based client and plugin infrastructure. In versions prior to 5.11.0, a variety of templates do not perform proper sanitization through HTML escaping. Due to the lack of saniti...

CWE-1162021

CVE-2021-43106

MEDIUM

CVSS:6.1(Medium)

A Header Injection vulnerability exists in Compass Plus TranzWare Online FIMI Web Interface Tranzware Online (TWO) 5.3.33.3 F38 and FIMI 4.2.19.4 25.The HTTP host header can be manipulated and cause t...

CWE-1162021

CVE-2022-0220

MEDIUM

CVSS:6.1(Medium)

The check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin before 1.9.27, available to both unauthenticated and authenticated users, responds with JSON data without an "application/...

CWE-1162022