Kentico Xperience
33 CVEs affecting Kentico Xperience. Latest disclosed: 2025-12-18. Critical: 2, High: 8.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-2747 | Critical | 9.8 | 2025-03-24 | An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server component password handling for the server… |
| CVE-2025-2746 | Critical | 9.8 | 2025-03-24 | An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server password handling of empty SHA1 usernames… |
| CVE-2021-47711 | High | 8.8 | 2025-12-18 | A SQL injection vulnerability in Kentico Xperience allows authenticated editors to inject malicious SQL queries via online marketing macro method parameters. T… |
| CVE-2019-25229 | High | 8.8 | 2025-12-18 | An unrestricted file upload vulnerability in Kentico Xperience allows authenticated users with 'Read data' permissions to upload arbitrary file types via MVC f… |
| CVE-2023-53934 | High | 7.5 | 2025-12-18 | A denial of service vulnerability in Kentico Xperience allows attackers to launch DoS attacks via specially crafted requests to the GetResource handler. Improp… |
| CVE-2022-50686 | High | 7.5 | 2025-12-18 | An information disclosure vulnerability in Kentico Xperience allows attackers to view sensitive stack trace details via Portal Engine form control error messag… |
| CVE-2021-47712 | High | 7.5 | 2025-12-18 | A cryptography vulnerability in Kentico Xperience allows attackers to potentially manipulate URL hash values through existing hashing mechanisms. The hotfix in… |
| CVE-2020-36890 | High | 7.2 | 2025-12-18 | An access control bypass vulnerability in Kentico Xperience allows administrators to modify global administrator user privileges via unauthorized requests. Att… |
| CVE-2025-32370 | High | 7.2 | 2025-04-06 | Kentico Xperience before 13.0.178 has a specific set of allowed ContentUploader file extensions for unauthenticated uploads; however, because .zip is processed… |
| CVE-2025-2749 | High | 7.2 | 2025-03-24 | An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations… |
| CVE-2022-50682 | Medium | 6.5 | 2025-12-18 | A CRLF injection vulnerability in Kentico Xperience allows attackers to manipulate URL query string redirects via improper encoding in the routing engine. This… |
| CVE-2025-32369 | Medium | 6.4 | 2025-04-06 | Kentico Xperience before 13.0.181 allows authenticated users to distribute malicious content (for stored XSS) via certain interactions with the media library f… |
| CVE-2024-58319 | Medium | 6.1 | 2025-12-18 | A reflected cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the Pages dashboard widget configuration d… |
| CVE-2024-58318 | Medium | 6.1 | 2025-12-18 | A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the rich text editor component for page and f… |
| CVE-2022-50684 | Medium | 6.1 | 2025-12-18 | An HTML injection vulnerability in Kentico Xperience allows attackers to inject malicious HTML values into form submission emails via unencoded form fields. Un… |
| CVE-2022-50681 | Medium | 6.1 | 2025-12-18 | A reflected cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via administration input fields in the Rich te… |
| CVE-2025-2748 | Medium | 6.1 | 2025-03-24 | The Kentico Xperience application does not fully validate or filter files uploaded via the multiple-file upload functionality, which allows for stored XSS. This… |
| CVE-2024-58323 | Medium | 5.4 | 2025-12-18 | A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the Checkbox form component. This allows mali… |
| CVE-2024-58322 | Medium | 5.4 | 2025-12-18 | A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious code into shipping options configuration. This could lead… |
| CVE-2024-58321 | Medium | 5.4 | 2025-12-18 | A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via form validation rule configuration. Attackers… |