CVE-2025-47280: 
C# vulnerability analysis and mitigation

Umbraco Forms, a form builder that integrates with the Umbraco content management system, was found to contain a vulnerability in its 'Send email' workflow functionality. The vulnerability affects all supported versions in the 7.x branch and versions prior to 13.4.2 and 15.1.2. The issue was discovered and disclosed on May 13, 2025 (GitHub Advisory, NVD).

The vulnerability is classified as CWE-116 (Improper Encoding or Escaping of Output). The 'Send email' workflow fails to properly HTML encode user-provided field values in sent email messages. The vulnerability has been assigned a CVSS v4.0 score of 2.3 (LOW) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N/E:U (NVD, Wiz).

When exploited, this vulnerability allows sending messages from a trusted system and address, potentially bypassing spam filters and email client security systems. The impact is primarily related to security control bypass rather than direct system compromise (GitHub Advisory, Wiz).

The vulnerability has been patched in versions 13.4.2 and 15.1.2. For unpatched or unsupported versions, users can implement workarounds by either using the 'Send email with template (Razor)' workflow or creating a custom workflow type. Additionally, the vulnerable SendEmail workflow type can be removed using a specific composer available in the security advisory (GitHub Advisory).