‘No indication that this vulnerability is being exploited in the wild’

Umbraco flags pending security patch for RCE vulnerability in forms package

UPDATE (July 20, 14.03 UTC) The security update for Umbraco Forms has now been released. Umbraco has also disclosed that the vulnerability only applies to forms containing upload fields, and therefore recommends prioritizing patching sites with forms that use them. It has also discovered that Contour, the predecessor to Umbraco Forms, is vulnerable to RCE but not arbitrary file deletion via the vulnerability, and has therefore released a patch on the otherwise unsupported package.

Umbraco, a content management system (CMS) vendor, has given users of its form-building package a “heads-up” about an imminent software update addressing a remote code execution (RCE) vulnerability.

Discovered by AppCheck security researcher Gary O’Leary-Steele, the flaw in Umbraco Forms could also be exploited to delete arbitrary files, according to a security advisory published on July 15.

All current versions of Umbraco Forms v4.0.0 and up are affected by the vulnerability.

Catch up on the latest open source software security news

The software developer has urged users to update their systems as soon as possible, once the update lands tomorrow (July 20) at 07:00 UTC.

“Because we are looking at a patch upgrade, we expect the fix to be rather straightforward and to only require minimal time per project,” said the Danish vendor.

Cloud users don’t need to take any action since Umbraco Cloud sites will upgrade automatically tomorrow between 07:00 and 21:00 UTC.

“Currently, we have no indication that this vulnerability is being exploited in the wild,” Umbraco added.


Umbraco is an open source ASP.NET-based CMS in use by more than 731,000 websites worldwide, according to the vendor.

Umbraco Forms, which is available for $219 per domain but is free for cloud users, is used to build responsive web forms with a choice of input types and reporting functionality.

YOU MIGHT ALSO LIKE Google to bolster Chrome privacy protections with HTTPS-First Mode

“If you’re using Umbraco Forms versions 8, 7 and 6 you will be able to upgrade to a new patch[ed] version of your current minor version, no matter what minor version you are using now,” said Umbarco.

Sites running Umbraco Forms version 4 will need to upgrade to the latest version, 4.4.8.

Umbarco recommended that users running a significantly older version than 4.4.7 upgrade to that version in advance of the release “to make sure everything still works and that the final upgrade to 4.4.8 is as easy as possible”.

Umbraco thanked O’Leary-Steele and AppCheck, a UK-based vulnerability scanning platform, for their help with remediation and “the speed with which they have responded to questions and their help in planning the timeline for rollout and communication”.

On Twitter, O’Leary-Steele in turn commended Umbarco “for working to resolve a reported security flaw from report to fix within days”, and their “constant coms from first report until fix”.

The researcher also said that AppCheck would be publishing technical analysis of the vulnerability in four weeks’ time in order to give users time to apply the updates.

Umbraco declined to comment further in response to a query from The Daily Swig.

RELATED RCE vulnerability in Cloudflare CDN could have allowed complete compromise of websites