PT-2026-5347 · Umbraco · Umbraco Forms

Kevin Joensen

·

Published

2026-01-29

·

Updated

2026-03-02

·

CVE-2026-24687

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Umbraco Forms versions 16 through 17

Description

Umbraco Forms, a form builder integrated with the Umbraco content management system, contains a flaw that allows an authenticated backoffice user to list files on the system's file system and read their contents on Mac and Linux Umbraco installations. The issue affects versions 16 and 17. The /umbraco/forms/api/v1/export API endpoint is involved: its fileName parameter is susceptible to path traversal using sequences such as ../ and .. Umbraco Cloud users are not affected, as Umbraco Cloud runs in a Windows environment.

Recommendations

Upgrade to Umbraco Forms version 16.4.1 or Umbraco Forms version 17.1.1.

If upgrading is not immediately possible, configure a WAF or reverse proxy to block requests containing path traversal sequences (../, ..) in the fileName parameter of the /umbraco/forms/api/v1/export endpoint. Restrict network access to the Umbraco backoffice to trusted IP ranges. Block the /umbraco/forms/api/v1/export endpoint entirely if the export feature is not required.
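The two defensive pieces the recommendations imply, a server-side fileName check that confines the export to its directory and a log review that flags export requests carrying traversal sequences, as an added Python example (not Umbraco's code). The export root, the access-log format and the log lines are constructed assumptions for the demo.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

EXPORT_ROOT = "/app/umbraco/Data/TEMP/forms"      # assumed export directory
EXPORT_PATH = "/umbraco/forms/api/v1/export"       # endpoint named in the advisory

def has_traversal(value: str) -> bool:
    """True if the decoded value is a dot segment or contains a separator.
    Decoding twice covers %2e%2e%2f as well as double-encoded %252e forms;
    backslashes are folded to '/' so a Windows-style sequence is caught too."""
    decoded = unquote(unquote(value)).replace("\\", "/")
    return "/" in decoded or decoded in ("", ".", "..")

def safe_export_path(file_name: str):
    """Resolve file_name under EXPORT_ROOT, or return None if it would escape.
    The normpath/commonpath step is a second, independent check so the
    result stays inside the root even if the string-level filter is bypassed."""
    if has_traversal(file_name):
        return None
    resolved = posixpath.normpath(posixpath.join(EXPORT_ROOT, unquote(unquote(file_name))))
    if posixpath.commonpath([EXPORT_ROOT, resolved]) != EXPORT_ROOT:
        return None
    return resolved

# Constructed access-log lines (combined log format) for the detection side.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Jan/2026:10:01:02 +0000] "GET /umbraco/forms/api/v1/export?fileName=entries.csv HTTP/1.1" 200 512',
    '10.0.0.7 - - [29/Jan/2026:10:01:09 +0000] "GET /umbraco/forms/api/v1/export?fileName=..%2F..%2Fsecret.txt HTTP/1.1" 200 2048',
    '10.0.0.7 - - [29/Jan/2026:10:01:11 +0000] "GET /umbraco/forms/api/v1/export?fileName=%252e%252e%252fsecret.txt HTTP/1.1" 200 900',
    '10.0.0.9 - - [29/Jan/2026:10:02:00 +0000] "GET /umbraco/backoffice/ HTTP/1.1" 200 4096',
]
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def flag_traversal_requests(lines):
    """Return (client_ip, fileName, status) for export requests whose fileName
    carries a traversal sequence. A 200 on such a line from an unpatched
    Mac/Linux host means a file outside the export directory was likely read."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        url = urlsplit(target)
        if url.path != EXPORT_PATH:
            continue
        for name in parse_qs(url.query, keep_blank_values=True).get("fileName", []):
            if has_traversal(name):
                hits.append((ip, name, int(status)))
    return hits
```

Note that parse_qs decodes the query once, so the double-encoded request is flagged only because has_traversal decodes a second time; a WAF rule that matches the raw query string needs the same treatment.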

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2026-24687
GHSA-HM5P-82G6-M3XH

Affected Products

Umbraco Forms