Threat Advisory

Umbraco Forms Vulnerability Compromises Web Application Data

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Medium


EXECUTIVE SUMMARY:

CVE-2026-24687 is a path traversal vulnerability in Umbraco Forms that affects multiple versions running on Linux and macOS. An authenticated backoffice user can supply traversal sequences to the export endpoint to reach arbitrary filesystem paths and enumerate file contents, leading to unauthorized disclosure of sensitive data in environments that use the Umbraco CMS Forms component. No user interaction is required beyond authentication. Workarounds such as filtering path traversal sequences at the web application firewall or restricting access to the export endpoint reduce the risk, but upgrading to a patched version is strongly recommended to remove it from enterprise and web-facing applications. The vulnerability has a CVSS score of 6.0.


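The summary mentions filtering traversal sequences at a WAF as a stopgap. The following is an added example written for this advisory, not Umbraco's code, showing why a literal "../" filter is weak against encoded input and what a handler-side containment check looks like. The export directory, the request strings and the assumption that the endpoint takes a relative file name are constructed for illustration; the advisory does not name the parameter.

```python
# Added example (not Umbraco's code): a path-containment check for a file
# export handler, next to the naive "../" string filter that a WAF stopgap
# typically applies. The export root, request strings and file names below
# are constructed for illustration; the real endpoint parameter is not named
# in the advisory and is assumed here to carry a relative file name.
import os
import tempfile
import urllib.parse
from typing import Dict, Optional, Tuple


def decode_traversal(raw: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so that '%2e%2e/' and the
    double-encoded '%252e%252e/' are both seen as '../' before any check."""
    s = raw
    for _ in range(rounds):
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def naive_filter_blocks(raw: str) -> bool:
    """Stopgap-style rule: block a request only if it contains the literal
    sequence '../'. Returns True when the request would be blocked."""
    return "../" in raw


def resolve_export_path(export_root: str, requested: str) -> Optional[str]:
    """Hardened resolution: decode, join onto the export root, resolve '..'
    and symlinks with realpath, then require the result to remain under the
    root. Returns the absolute path to serve, or None to reject."""
    root = os.path.realpath(export_root)
    candidate = os.path.realpath(os.path.join(root, decode_traversal(requested)))
    # commonpath is a true directory-prefix check; a plain startswith would
    # let '/srv/exports-old' pass for root '/srv/exports'.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Builds a throwaway export directory holding one constructed CSV and
    returns, per request string: (blocked by naive filter, accepted by the
    hardened check)."""
    requests = (
        "form-1.csv",                               # legitimate export
        "../../etc/passwd",                          # plain traversal
        "%2e%2e/%2e%2e/etc/passwd",                  # URL-encoded dots
        "%252e%252e%2f%252e%252e%2fetc%2fpasswd",    # double-encoded
        "/etc/passwd",                               # absolute path
    )
    results: Dict[str, Tuple[bool, bool]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        export_root = os.path.join(tmp, "exports")
        os.mkdir(export_root)
        with open(os.path.join(export_root, "form-1.csv"), "w") as fh:
            fh.write("name,email\n")  # constructed sample export
        for req in requests:
            results[req] = (
                naive_filter_blocks(req),
                resolve_export_path(export_root, req) is not None,
            )
    return results


if __name__ == "__main__":
    for req, (blocked, accepted) in demo().items():
        print(f"{req!r:45} naive_blocks={blocked!s:5} hardened_accepts={accepted}")
```

Only the plain "../../etc/passwd" request trips the literal filter; the encoded, double-encoded and absolute-path variants pass it untouched, while the containment check rejects all four and accepts only the file inside the export directory. Because realpath is applied to both sides on Linux and macOS, a symlink inside the export root that points outside it is rejected as well.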
RECOMMENDATION:

  • We strongly recommend updating Umbraco Forms to version 16.4.1 or 17.1.1, or later.

