Vulnerability in Sitecore Experience Commerce (XC)
CVE-2025-34139
A vulnerability exists in Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud that could allow an unauthenticated attacker to read arbitrary files. This vulnerability affects all Experien…
EPSS: 0.004 (63.6th percentile)
Affected products
- Sitecore Experience Commerce (XC) — versions 8.0 Initial Release
- Sitecore Experience Manager (XM) — versions 8.0 Initial Release
- Sitecore Experience Platform (XP) — versions 8.0 Initial Release
- Sitecore Managed Cloud — versions 8.0 Initial Release
References
- support.sitecore.com/kb (vendor-advisory, patch)
- www.vulncheck.com/advisories/sitecore-xm-xp-xc-managed-cloud-arbitrary-file-read (third-party-advisory)