GHSA-9v8m-qv22-f268

GitHub Security Advisory

Umbraco Forms's Short and Long Answer Fields Are Not Validated Server-Side For Maximum Length

✓ GitHub Reviewed MODERATE Has CVE

### Impact

Character limits configured by editors for short and long answer fields are validated only client-side, not server-side.

### Patches

Patched in 8.13.16, 10.5.7, 13.2.2, 14.1.2

NuGet Umbraco.Forms

Affected versions: 0 (fixed in 10.5.7)

NuGet UmbracoForms

Affected versions: 0 (fixed in 8.13.16)

NuGet Umbraco.Forms

Affected versions: 11.0.0-rc1 (fixed in 13.2.2)

NuGet Umbraco.Forms

Affected versions: 14.0.0-beta001 (fixed in 14.1.2)

CVE-2025-23041

GHSA ID

GHSA-9v8m-qv22-f268

Published

January 14, 2025 7:41 PM

Last Modified

January 14, 2025 10:00 PM

CVSS Score

5.0 /10

Primary Ecosystem

NuGet

Primary Package

Umbraco.Forms

GitHub Reviewed

✓ Yes

Last updated: September 11, 2025 6:35 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.