GHSA-VRGW-PC9C-QRRC

Vulnerability from github – Published: 2026-01-13 19:54 – Updated: 2026-01-16 21:54
Summary
UmbracoForms Vulnerable to Remote Code Execution via Untrusted WSDL Compilation in Dynamic SOAP Client Generation
Details

Impact

Within Umbraco Forms, configuring a malicious URL on the Webservice data source can result in Remote Code Execution. This affects all Umbraco Forms versions running on .NET Framework (up to and including version 8).

Patches

The affected Umbraco Forms versions are all End-of-Life (EOL) and not supported anymore, hence no patches will be released. Upgrading to any of the currently supported versions (v13, v16 or v17) is recommended.

Workarounds

If none of the configured Forms data sources uses the Webservice type, that type can be safely excluded by adding the following composer to the application. This completely removes the option to select or use the Webservice data source in the Backoffice and thereby mitigates the vulnerability.

using Umbraco.Core.Composing;
using Umbraco.Forms.Core.Providers;
using Umbraco.Forms.Core.Providers.DatasourceTypes;

// Composer that runs at application start-up and removes the built-in
// Webservice data source type from the Forms data source collection, so it
// can no longer be selected or used from the Backoffice.
internal sealed class RemoveFormsWebserviceDataSourceTypeComposer : IUserComposer
{
    public void Compose(Composition composition)
        => composition.WithCollectionBuilder<DataSourceCollectionBuilder>().Exclude<Webservice>();
}

Any Webservice data source that is configured and still in use should be replaced with a custom implementation before applying the above code. If this is not feasible, the exposure can be reduced by revoking the 'Manage Data Sources' permission from any non-administrator user and/or by inheriting from the default Umbraco.Forms.Core.Providers.DatasourceTypes.Webservice class and overriding its ValidateSettings() method so that only trusted URLs are accepted.
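The override described above, written out as an added example; this is not Umbraco's code and not part of the advisory. It assumes that the base Webservice type exposes the configured endpoint through a settings property named Url and that ValidateSettings() returns a List<Exception> as other Forms provider types do; if the property is named differently in the installed version, read the value from the provider's settings instead. The trusted-host list is a placeholder. The composer at the end assumes the data source collection builder supports Add<T>() as well as Exclude<T>(); it swaps the stock provider for the restricted subclass, which inherits the same provider Id so already-configured data sources keep resolving.

```csharp
using System;
using System.Collections.Generic;
using Umbraco.Core.Composing;
using Umbraco.Forms.Core.Providers;
using Umbraco.Forms.Core.Providers.DatasourceTypes;

// Example only: restricts the Webservice data source to an allowlist of
// endpoints so that no untrusted WSDL is ever fetched and compiled. The Url
// property and the List<Exception> return type are assumed to match the
// base type in the installed Forms version.
public class TrustedWebservice : Webservice
{
    // Placeholder allowlist: exact host names, HTTPS only. Adjust for your estate.
    private static readonly HashSet<string> TrustedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "soap.example.internal",
            "api.partner.example",
        };

    public override List<Exception> ValidateSettings()
    {
        var errors = base.ValidateSettings() ?? new List<Exception>();

        var url = Url; // assumed setting property on the base type
        if (string.IsNullOrWhiteSpace(url))
        {
            errors.Add(new ArgumentException("A webservice URL is required."));
            return errors;
        }

        // Reject anything that is not an absolute https:// URL. This also keeps
        // file:, UNC and other non-HTTP locations away from the WSDL importer.
        if (!Uri.TryCreate(url.Trim(), UriKind.Absolute, out var uri)
            || uri.Scheme != Uri.UriSchemeHttps)
        {
            errors.Add(new ArgumentException("Webservice URL must be an absolute https:// URL."));
            return errors;
        }

        // Exact host match against the allowlist. No suffix or substring
        // matching, which would let "soap.example.internal.attacker.test" through.
        if (!TrustedHosts.Contains(uri.Host))
        {
            errors.Add(new ArgumentException(
                $"Host '{uri.Host}' is not in the list of trusted webservice endpoints."));
        }

        return errors;
    }
}

// Replace the stock provider with the restricted one. Exclude first so that
// only one type is registered for the Webservice data source.
internal sealed class TrustedWebserviceComposer : IUserComposer
{
    public void Compose(Composition composition)
        => composition.WithCollectionBuilder<DataSourceCollectionBuilder>()
            .Exclude<Webservice>()
            .Add<TrustedWebservice>();
}
```

The check is deliberately an exact-host allowlist rather than a denylist or a prefix match: the attacker controls the whole URL, so any matching rule looser than "this exact host over https" is bypassable. Data sources that were saved before this override was deployed should also be reviewed, since the check only runs when settings are validated.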

References

When upgrading to a supported version, please take the Forms version-specific upgrade notes (https://docs.umbraco.com/umbraco-forms/13.latest/upgrading/version-specific) into account and check the CMS upgrade documentation (https://docs.umbraco.com/umbraco-cms/13.latest/fundamentals/setup/upgrading). Content and schema can also be migrated straight to the latest version using Deploy export/import with migrations (https://docs.umbraco.com/umbraco-deploy/13.latest/deployment-workflow/import-export).

Implementation details on data sources are not extensively documented, but they follow the general Forms provider model (https://docs.umbraco.com/umbraco-forms/13.latest/developer/extending/adding-a-type) and inherit from Umbraco.Forms.Core.FormDataSource.

A special thanks to Piotr Bazydlo (@chudyPB) of watchTowr for finding and disclosing this vulnerability.


{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "UmbracoForms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "8.13.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-68924"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502",
      "CWE-829",
      "CWE-915",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-13T19:54:05Z",
    "nvd_published_at": "2026-01-16T19:16:18Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nWithin Umbraco Forms, configuring a malicious URL on the Webservice data source can result in Remote Code Execution. This affects all Umbraco Forms versions running on .NET Framework (up to and including version 8).\n\n### Patches\nThe affected Umbraco Forms versions are all End-of-Life (EOL) and not supported anymore, hence no patches will be released. Upgrading to any of the currently supported versions (v13, v16 or v17) is recommended.\n\n### Workarounds\nIf none of the configured Forms data sources uses the Webservice type, it can be safely excluded by adding the following code to the application. This will completely remove the option to select/use this data source within the Backoffice and thereby mitigate the vulnerability.\n\n```c#\nusing Umbraco.Core.Composing;\nusing Umbraco.Forms.Core.Providers;\nusing Umbraco.Forms.Core.Providers.DatasourceTypes;\n\ninternal sealed class RemoveFormsWebserviceDataSourceTypeComposer : IUserComposer\n{\n    public void Compose(Composition composition)\n        =\u003e composition.WithCollectionBuilder\u003cDataSourceCollectionBuilder\u003e().Exclude\u003cWebservice\u003e();\n}\n```\n\nAny Webservice data source that is configured and still in use should be replaced with a custom implementation instead, before applying the above code. If this is not feasible, the vulnerability can be minimized by revoking the \u0027Manage Data Sources\u0027 from any non-administrator user and/or inheriting from the default `Umbraco.Forms.Core.Providers.DatasourceTypes.Webservice` class and overriding the `ValidateSettings()` method to ensure only trusted URLs can be used.\n\n### References\nWhen upgrading to a supported version, please take the Forms [version specific upgrade notes](https://docs.umbraco.com/umbraco-forms/13.latest/upgrading/version-specific) into account and check the [CMS upgrade documentation](https://docs.umbraco.com/umbraco-cms/13.latest/fundamentals/setup/upgrading). \nContent and schema can also be migrated straight to the latest version using [Deploy export/import with migrations](https://docs.umbraco.com/umbraco-deploy/13.latest/deployment-workflow/import-export).\n\nImplementation details on data sources are not extensively documented, but they follow the general Forms [provider model](https://docs.umbraco.com/umbraco-forms/13.latest/developer/extending/adding-a-type) and inherit from `Umbraco.Forms.Core.FormDataSource`.\n\nA special thanks to Piotr Bazydlo (@chudyPB) of watchTowr for finding and disclosing this vulnerability",
  "id": "GHSA-vrgw-pc9c-qrrc",
  "modified": "2026-01-16T21:54:55Z",
  "published": "2026-01-13T19:54:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-vrgw-pc9c-qrrc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68924"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-vrgw-pc9c-qrrc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/umbraco/Umbraco.Forms.Issues"
    },
    {
      "type": "WEB",
      "url": "https://our.umbraco.com/packages/developer-tools/umbraco-forms"
    },
    {
      "type": "WEB",
      "url": "https://www.nuget.org/packages/UmbracoForms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "UmbracoForms Vulnerable to Remote Code Execution via Untrusted WSDL Compilation in Dynamic SOAP Client Generation"
}