CVE-2025-47280: CWE-116: Improper Encoding or Escaping of Output in umbraco Umbraco.Forms.Issues

Severity: Low
Tags: vulnerability, cve-2025-47280, cwe-116
Published: Tue May 13 2025 (05/13/2025, 17:06:56 UTC)
Source: CVE
Vendor/Project: umbraco
Product: Umbraco.Forms.Issues

Description

Umbraco Forms is a form builder that integrates with the Umbraco content management system. Starting in the 7.x branch and prior to versions 13.4.2 and 15.1.2, the 'Send email' workflow does not HTML encode the user-provided field values in the sent email message, making any form with this workflow configured vulnerable, as it allows sending the message from a trusted system and address, potentially bypassing spam and email client security systems. This issue affects all (supported) versions of Umbraco Forms and is patched in 13.4.2 and 15.1.2. Unpatched or unsupported versions can work around this issue by using the `Send email with template (Razor)` workflow instead or writing a custom workflow type. To avoid accidentally using the vulnerable workflow again, the `SendEmail` workflow type can be removed using a composer available in the GitHub Security Advisory for this vulnerability.

AI-Powered Analysis

Last updated: 07/12/2025, 01:17:27 UTC

Technical Analysis

CVE-2025-47280 affects Umbraco Forms, the form builder that integrates with the Umbraco content management system (CMS). The flaw is in the 'Send email' workflow: from the 7.x branch up to, but not including, versions 13.4.2 and 15.1.2, the workflow interpolates user-provided field values into the outgoing HTML email message without HTML encoding them. This is improper encoding or escaping of output (CWE-116), and its practical consequence is HTML injection into the email body: a value such as an anchor or image element submitted through a public form is rendered as markup by the recipient's mail client instead of being shown as text. Because the message is generated and sent by a legitimate system from a trusted sender address, it can pass spam filtering and mail client reputation checks that would catch the same content arriving from an external sender, which makes the bug useful for phishing and social engineering against whoever receives the form notifications. Every form that has the 'Send email' workflow configured is exposed. Versions 13.4.2 and 15.1.2 fix the issue by encoding the values before they are placed in the message. For unpatched or unsupported versions, the workarounds are to use the 'Send email with template (Razor)' workflow, where Razor's `@` expressions HTML-encode output by default, or to implement a custom workflow type that encodes every user-supplied value before building the message. To stop the vulnerable workflow from being reselected by editors, the `SendEmail` workflow type can be removed with the composer published in the GitHub Security Advisory. The CVSS 4.0 score is 2.3 (low): exploitation requires a recipient to act on the injected content, and the impact on confidentiality, integrity and availability is limited to phishing and social engineering rather than compromise of the Umbraco host. No exploitation in the wild has been reported.

Potential Impact

For European organizations running an affected version of Umbraco Forms, the risk is primarily to email security and trust rather than to the web server itself. An attacker who can submit a form (for most public contact forms, anyone) can place markup in a field value that is then delivered, unencoded, in a notification email sent from the organization's own trusted system and sender address, so it is more likely to bypass spam filters and mail client protections than the same content sent from outside. The injected HTML can carry links or images that lead recipients to phishing pages or other malicious content, supporting phishing campaigns and social engineering against the staff who process form submissions. The vulnerability does not by itself compromise system integrity or availability, but credential theft or data breaches that follow a successful phish can cause significant reputational and financial damage. Sectors that rely heavily on email workflows, such as finance, healthcare, government and critical infrastructure, face elevated risk, and the same mechanism can be used to target partners or other internal recipients, undermining trust in internal communications. Given the widespread use of Umbraco CMS in Europe, especially among small to medium enterprises and public sector websites, the exposure is non-negligible. The low CVSS score reflects the limited direct technical impact and the requirement for a recipient to act on the injected content.

Mitigation Recommendations

European organizations should upgrade Umbraco Forms to version 13.4.2 or 15.1.2 (or later), where the values are encoded before being placed in the message. Where an immediate upgrade is not feasible, switch affected forms to the 'Send email with template (Razor)' workflow, in which Razor's `@` expressions HTML-encode output by default, or implement a custom workflow type that HTML-encodes every user-supplied value before it is inserted into the email body. To prevent the vulnerable 'SendEmail' workflow from being reselected later, apply the composer published in the GitHub Security Advisory, which removes that workflow type from the Umbraco Forms configuration. Audit every existing form's configured workflows to find any that still use the vulnerable 'Send email' workflow and remediate them. Email security teams should monitor for suspicious messages originating from the form notification sender address and consider content-based filtering that does not rely on sender reputation alone, since these messages come from a trusted internal sender. User awareness training on recognizing phishing, including in messages that arrive from internal systems, remains important.
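The following is an added example, not code from Umbraco or from the advisory, that illustrates the encoding defect described in the technical analysis and the "encode every user-supplied value" requirement in the mitigation section above. Umbraco Forms is a .NET product; the example uses Python only to show the principle. The field names, the email layout template and the submission containing an attacker-style payload are all constructed for this demonstration.

```python
import html
import re

# Constructed sample submission: two fields carry HTML payloads of the kind an
# attacker could submit through a public contact form.
SAMPLE_SUBMISSION = {
    "Name": "Alice <script>alert(1)</script>",
    "Email": "alice@example.com",
    "Message": 'Please verify your account: <a href="https://phish.example/login">Login</a>',
}

# Hypothetical email layout: one paragraph per field. Only <p> and <strong>
# are supposed to appear in the finished message.
FIELD_TEMPLATE = "<p><strong>{name}</strong>: {value}</p>"
TEMPLATE_TAGS = frozenset({"p", "strong"})


def build_body_vulnerable(fields):
    """Mimic the flaw: field names and values are interpolated into the HTML
    email body as-is, so any markup the submitter typed is rendered by the
    recipient's mail client."""
    return "\n".join(FIELD_TEMPLATE.format(name=n, value=v) for n, v in fields.items())


def build_body_hardened(fields):
    """Same layout, but every user-supplied string is HTML-encoded first.
    quote=True also encodes double and single quotes, which matters if a
    value is ever placed inside an attribute rather than element text."""
    return "\n".join(
        FIELD_TEMPLATE.format(
            name=html.escape(n, quote=True),
            value=html.escape(v, quote=True),
        )
        for n, v in fields.items()
    )


# Matches the tag name of any opening or closing tag in the rendered body.
_TAG_NAME = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)")


def find_injected_tags(body, allowed=TEMPLATE_TAGS):
    """Return the sorted set of tag names in the body that the layout template
    did not put there. An empty list means no user-controlled markup survived
    into the message; this is the check a custom workflow's tests should run."""
    found = {m.group(1).lower() for m in _TAG_NAME.finditer(body)}
    return sorted(found - allowed)


if __name__ == "__main__":
    vulnerable = build_body_vulnerable(SAMPLE_SUBMISSION)
    hardened = build_body_hardened(SAMPLE_SUBMISSION)
    print("injected tags, vulnerable build:", find_injected_tags(vulnerable))
    print("injected tags, hardened build:  ", find_injected_tags(hardened))
    print(hardened)
```

Running the script shows the vulnerable build delivering live `a` and `script` elements to the mail client, while the hardened build contains only the template's own tags and the payload appears as visible text (`&lt;a href=&quot;https://phish.example/login&quot;&gt;`). The Razor workaround relies on the same property: `@value` in a Razor template encodes by default, and wrapping a field value in `Html.Raw(...)` would reintroduce exactly this bug.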

Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-05-05T16:53:10.373Z
Cisa Enriched
true
Cvss Version
4.0
State
PUBLISHED

Threat ID: 682d9815c4522896dcbd5fc1

Added to database: 5/21/2025, 9:08:37 AM

Last enriched: 7/12/2025, 1:17:27 AM

Last updated: 8/11/2025, 6:33:59 AM
