Kentico


Products by Kentico, sorted by most security vulnerabilities since 2018

Kentico Xperience: 35 vulnerabilities
Kentico CMS: 9 vulnerabilities
Kentico: 7 vulnerabilities

Known Exploited Kentico Vulnerabilities

The following Kentico vulnerabilities have been marked by CISA as known to be exploited by threat actors (KEV catalog). Each entry lists the CVE, the date it was added to the catalog, and its EPSS exploit probability.

Kentico Xperience Path Traversal Vulnerability
CVE-2025-2749 (added April 20, 2026; EPSS exploit probability 5.1%)
Kentico Xperience contains a path traversal vulnerability that could allow an authenticated user's Staging Sync Server to upload arbitrary data to path-relative locations.

Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability
CVE-2025-2746 (added October 20, 2025; EPSS exploit probability 84.3%)
Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects.

Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability
CVE-2025-2747 (added October 20, 2025; EPSS exploit probability 89.4%)
Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects.

Kentico Xperience Deserialization of Untrusted Data Vulnerability
CVE-2019-10068 (added March 25, 2022; EPSS exploit probability 93.8%)
Kentico contains a failure to validate security headers. This deserialization can lead to unauthenticated remote code execution.

Of the known exploited vulnerabilities above, 3 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.

By the Year

In 2026 there has been 1 vulnerability published for Kentico so far. Last year, in 2025, Kentico had 34 security vulnerabilities published. At the current rate, Kentico is on track to have fewer security vulnerabilities published in 2026 than it did last year.




Year Vulnerabilities Average Score
2026 1 0.00
2025 34 6.28
2024 0 0.00
2023 0 0.00
2022 3 6.17
2021 2 7.60
2020 1 6.10
2019 5 8.73
2018 5 7.80

It may take a day or so for new Kentico vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name, so a count keyed on one product name can miss entries.
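The per-year table above (count of CVEs per publication year, average CVSS base score, and which entries are in CISA's KEV catalog) is the kind of summary one can build directly from the NVD data this site draws on. The script below is an added example, not stack.watch's code or Kentico's; it parses records in the shape of the NVD CVE API 2.0 JSON (the field names `published`, `metrics.cvssMetricV31[].cvssData.baseScore` and `cisaExploitAdd` are assumed to match the live API) and shows how an unscored, freshly published CVE can count toward a year's total while leaving that year's average at 0.00. The sample records are constructed for illustration with placeholder identifiers; they are not real Kentico CVEs.

```python
"""Per-year CVE summary from NVD CVE API 2.0 style records (added example).

Assumptions: NVD 2.0 field names as used below; constructed sample input.
"""
import json
from collections import defaultdict

# Constructed sample in the NVD CVE API 2.0 shape (field names assumed).
# Two records carry a CVSS v3.1 score, one has no metrics yet (as a freshly
# published CVE often does), and one is marked as added to CISA KEV.
# The IDs are placeholders, not real CVE identifiers.
SAMPLE_NVD_JSON = json.dumps({
    "vulnerabilities": [
        {"cve": {"id": "CVE-EXAMPLE-0001", "published": "2025-03-24T10:00:00.000",
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
                 "cisaExploitAdd": "2025-10-20"}},
        {"cve": {"id": "CVE-EXAMPLE-0002", "published": "2025-06-01T08:30:00.000",
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 6.1}}]}}},
        {"cve": {"id": "CVE-EXAMPLE-0003", "published": "2026-01-05T12:00:00.000",
                 "metrics": {}}},
    ]
})


def base_score(cve):
    """Return the CVSS base score, preferring v3.1, then v3.0, then v2.

    Returns None when NVD has not yet attached any metrics to the record.
    """
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        entries = metrics.get(key)
        if entries:
            return float(entries[0]["cvssData"]["baseScore"])
    return None


def summarize_by_year(nvd_json):
    """Return {year: (count, average_score, kev_ids)} from an NVD 2.0 document.

    Unscored CVEs count toward the year's total but are excluded from the
    average; a year whose only CVEs are unscored gets an average of 0.0,
    which is one way a table ends up showing a count of 1 beside 0.00.
    """
    data = json.loads(nvd_json)
    counts = defaultdict(int)
    scores = defaultdict(list)
    kev = defaultdict(list)
    for item in data["vulnerabilities"]:
        cve = item["cve"]
        year = int(cve["published"][:4])      # publication year, not the CVE year
        counts[year] += 1
        score = base_score(cve)
        if score is not None:
            scores[year].append(score)
        if cve.get("cisaExploitAdd"):         # present only for KEV entries
            kev[year].append(cve["id"])
    summary = {}
    for year, count in counts.items():
        avg = round(sum(scores[year]) / len(scores[year]), 2) if scores[year] else 0.0
        summary[year] = (count, avg, sorted(kev[year]))
    return summary


def render_table(summary):
    """Render the summary as a plain-text table, newest year first."""
    lines = ["Year  Vulnerabilities  Average Score  KEV"]
    for year in sorted(summary, reverse=True):
        count, avg, kev_ids = summary[year]
        lines.append(f"{year}  {count:>15}  {avg:>13.2f}  {', '.join(kev_ids) or '-'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(summarize_by_year(SAMPLE_NVD_JSON)))
```

To run this against live data, replace `SAMPLE_NVD_JSON` with the body returned by the NVD CVE API for a keyword search; as the caveat above notes, a single product keyword can miss entries filed under another component name, so check each vendor's product names before trusting the totals.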

Recent Kentico Security Vulnerabilities

Each entry lists the CVE, its publication date, the affected product, and a title followed by the description.

CVE-2025-5591 (Jan 05, 2026) - Xperience
Kentico Xperience 13 XSS via Form Component
Kentico Xperience 13 is vulnerable to a stored cross-site scripting attack via a form component, allowing an attacker to hijack a victim user's session and perform actions in their security context.

CVE-2024-58323 (Dec 18, 2025) - Xperience
Stored XSS via Checkbox Form in Kentico Xperience
A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the Checkbox form component. This allows malicious scripts to execute in users' browsers by exploiting HTML support in the form builder.

CVE-2024-58321 (Dec 18, 2025) - Xperience
XSS in Kentico Xperience Form Validation Rules
A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via form validation rule configuration. Attackers can exploit this vulnerability to execute malicious scripts that will run in users' browsers.

CVE-2024-58322 (Dec 18, 2025) - Xperience
Stored XSS in Kentico Xperience Shipping Options
A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious code into shipping options configuration. This could lead to theft of sensitive data by executing malicious scripts in users' browsers.

CVE-2024-58320 (Dec 18, 2025) - Xperience
Kentico Xperience Info Disclosure: Public Endpoint Exposes Hostname Config
An information disclosure vulnerability in Kentico Xperience allows public users to access sensitive administration interface hostname details during authentication. Attackers can retrieve confidential hostname configuration information through a public endpoint, potentially exposing internal network details.

CVE-2024-58318 (Dec 18, 2025) - Xperience
Stored XSS via Rich Text Editor in Kentico Xperience CMS
A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the rich text editor component for page and form builders. Attackers can exploit this vulnerability by entering malicious URIs, potentially allowing malicious scripts to execute in users' browsers.

CVE-2024-58319 (Dec 18, 2025) - Xperience
Kentico Xperience XSS via Pages Dashboard Widget Config
A reflected cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the Pages dashboard widget configuration dialog. Attackers can exploit this vulnerability to execute malicious scripts in administrative users' browsers.

CVE-2024-58317 (Dec 18, 2025) - Xperience
Kentico Xperience Cookie Config Bypass: SSL Requirement Skip via web.config
A cookie security configuration vulnerability in Kentico Xperience allows attackers to bypass SSL requirements when setting administration cookies via web.config. The vulnerability affects .NET Framework projects by incorrectly handling the 'requireSSL' attribute, potentially compromising session security and authentication state.

CVE-2023-53934 (Dec 18, 2025) - Xperience
Kentico XP DoS via GetResource Handler Input Validation
A denial of service vulnerability in Kentico Xperience allows attackers to launch DoS attacks via specially crafted requests to the GetResource handler. Improper input validation enables remote attackers to disrupt service availability through maliciously constructed requests.

CVE-2023-53737 (Dec 18, 2025) - Xperience
Stored XSS in Kentico Xperience Localization for Admins
A stored cross-site scripting vulnerability in Kentico Xperience allows global administrators to inject malicious payloads via the Localization application. Attackers can execute scripts that could affect multiple parts of the administration interface.
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.