CVE-2025-68924: UmbracoForms Vulnerable to Remote Code Execution via Untrusted WSDL Compilation in Dynamic SOAP Client Generation

January 13, 2026 (updated January 16, 2026)

Within Umbraco Forms, configuring a malicious URL on the Webservice data source can result in Remote Code Execution. This affects all Umbraco Forms versions running on .NET Framework (up to and including version 8).

References

github.com/advisories/GHSA-vrgw-pc9c-qrrc
github.com/umbraco/Umbraco.Forms.Issues
github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-vrgw-pc9c-qrrc
nvd.nist.gov/vuln/detail/CVE-2025-68924
our.umbraco.com/packages/developer-tools/umbraco-forms
www.nuget.org/packages/UmbracoForms

Code Behaviors & Features

Detect and mitigate CVE-2025-68924 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →