Use of Cache Containing Sensitive Information Affecting umbraco.forms package, versions [,13.9.0)[14.0.0-beta001,16.4.0)[17.0.0-rc1,17.1.0)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-DOTNET-UMBRACOFORMS-15065387
- published23 Jan 2026
- disclosed22 Jan 2026
- creditUnknown
Introduced: 22 Jan 2026
New CVE NOT AVAILABLE CWE-524 (opens in a new tab)How to fix?
Upgrade Umbraco.Forms to version 13.9.0, 16.4.0, 17.1.0 or higher.
Overview
Umbraco.Forms is an a form creator that's as easy to use.
Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information due to aggressive cache headers being set by default when processing uploads with ImageSharp, which can cause intermediary caches or CDNs to store and serve files that should require authentication. An attacker can gain unauthorized access to sensitive uploaded files by directly requesting cached URLs if a CDN is present, an authenticated user has previously accessed the file, and the attacker knows the form GUID, entry GUID, and image filename.
Workaround
This vulnerability can be mitigated by adding middleware to set restrictive cache headers for form uploads or by configuring the CDN to bypass caching for URLs matching /media/forms/upload/*.