PT-2026-3273 · Umbraco · Umbraco Forms

Published 2026-01-13 · Updated 2026-02-20 · CVE-2025-68924

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Umbraco Forms versions through 8.13.16

Description: An authenticated attacker can supply a malicious WSDL URL as a data source, potentially leading to remote code execution. The issue affects Umbraco Forms versions running on .NET Framework up to and including version 8. The affected versions are End-of-Life (EOL) and no patches will be released. The vulnerability lies in the Webservice data source type within Umbraco Forms.

Recommendations:
Versions prior to 9.0: Upgrade to a currently supported version (v13, v16, or v17).
Versions prior to 9.0: If upgrading is not immediately feasible and no Forms data sources use the Webservice type, exclude the Webservice data source type by adding the vendor-provided code to the application.
Versions prior to 9.0: If Webservice data sources are in use, replace them with a custom implementation before excluding the Webservice data source type.
Versions prior to 9.0: If a custom implementation is not feasible, revoke 'Manage Data Sources' permissions from non-administrator users.
Versions prior to 9.0: Alternatively, inherit from the Umbraco.Forms.Core.Providers.DatasourceTypes.Webservice class and override the ValidateSettings() method to allow only trusted URLs.
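An added illustration of the last recommendation (example code, not Umbraco's or the advisory's own): a subclass of the Webservice data source type whose ValidateSettings() rejects any WSDL URL that is not https and not on an explicit host allowlist. It assumes ValidateSettings() returns IEnumerable<Exception> as in other Umbraco Forms provider types, and that the configured WSDL address is exposed on a string property called Url (a hypothetical name; use the actual member in your version). The Id GUID is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Umbraco.Forms.Core.Providers.DatasourceTypes;

// Added example, not vendor code. Editors can only save a Webservice data
// source whose WSDL URL points at a host the site operator has approved.
public class TrustedWebserviceDatasource : Webservice
{
    // Constructed allowlist: replace with the SOAP hosts you actually trust.
    private static readonly HashSet<string> TrustedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "soap.example.internal",
        };

    public TrustedWebserviceDatasource()
    {
        // Distinct identity so this type does not collide with the built-in one
        // (placeholder GUID; generate your own).
        this.Id = new Guid("00000000-0000-0000-0000-000000000000");
        this.Name = "Web Service (trusted hosts only)";
    }

    public override IEnumerable<Exception> ValidateSettings()
    {
        // Keep whatever checks the base type already performs.
        var errors = base.ValidateSettings()?.ToList() ?? new List<Exception>();

        // 'Url' is assumed to be the setting holding the WSDL address.
        var problem = CheckWsdlUrl(this.Url);
        if (problem != null)
        {
            errors.Add(problem);
        }
        return errors;
    }

    // Returns null when the URL is acceptable, otherwise the reason it is not.
    public static Exception CheckWsdlUrl(string url)
    {
        if (string.IsNullOrWhiteSpace(url))
            return new Exception("A WSDL URL is required.");
        if (!Uri.TryCreate(url, UriKind.Absolute, out var uri))
            return new Exception("The WSDL URL must be an absolute URL.");
        if (!string.Equals(uri.Scheme, Uri.UriSchemeHttps, StringComparison.Ordinal))
            return new Exception("Only https:// WSDL URLs are allowed.");
        if (!TrustedHosts.Contains(uri.Host))
            return new Exception($"Host '{uri.Host}' is not on the trusted WSDL host list.");
        return null;
    }
}
```

Once this type is registered, the original Webservice type should still be excluded as the advisory describes, so that the unrestricted variant is no longer selectable.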

Fix

RCE

Deserialization of Untrusted Data

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2025-68924
GHSA-VRGW-PC9C-QRRC

Affected Products

Umbraco Forms