Sitecore
Known Exploited Sitecore Vulnerabilities
The following Sitecore vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability | Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys. This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution. CVE-2025-53690. Exploit Probability: 8.9% | September 4, 2025 |
| Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability | Sitecore CMS and Experience Platform (XP) contain a deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN. CVE-2019-9875. Exploit Probability: 24.4% | March 26, 2025 |
| Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability | Sitecore CMS and Experience Platform (XP) contain a deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN. CVE-2019-9874. Exploit Probability: 79.7% | March 26, 2025 |
| Sitecore XP Remote Command Execution Vulnerability | Sitecore XP contains an insecure deserialization vulnerability which can allow for remote code execution. CVE-2021-42237. Exploit Probability: 94.4% | March 25, 2022 |
Of the known exploited vulnerabilities above, 2 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. The vulnerability CVE-2019-9875: Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability is in the top 5% of the currently known exploitable vulnerabilities.
By the Year
In 2026 there have been 0 vulnerabilities in Sitecore. Last year, in 2025, Sitecore had 10 security vulnerabilities published. Right now, Sitecore is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 10 | 8.24 |
| 2024 | 1 | 7.50 |
| 2023 | 8 | 8.24 |
| 2022 | 0 | 0.00 |
| 2021 | 2 | 9.30 |
| 2020 | 0 | 0.00 |
| 2019 | 6 | 8.38 |
| 2018 | 1 | 0.00 |
It may take a day or so for new Sitecore vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Sitecore Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2025-53692 | Sep 21, 2025 | Sitecore XM/XP 9.2-10.4 XSS Vulnerability in Page Generation: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Cross-Site Scripting (XSS). This issue affects Sitecore Experience Manager (XM): from 9.2 through 10.4; Experience Platform (XP): from 9.2 through 10.4. | |
| CVE-2025-53690 | Sep 03, 2025 | Sitecore XM/XP <=9.0 Code Injection via Deserialization of Untrusted Data: Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection. This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0. | |
| CVE-2020-36850 | Jul 25, 2025 | Info Disclosure in Sitecore JSS React Sample App 11.0.0-14.0.1: An information disclosure vulnerability exists in Sitecore JSS React Sample Application 11.0.0 - 14.0.1 that may cause page content intended for one user to be shown to another user. | |
| CVE-2022-4979 | Jul 25, 2025 | XSS in Sitecore XP 7.5-10.2 & CMS 7.2 via Shell: A cross-site scripting (XSS) vulnerability exists in Sitecore Experience Platform (XP) 7.5 - 10.2 and CMS 7.2 - 7.2 Update-6 that may allow authenticated Sitecore Shell users to be tricked into executing custom JS code. Managed Cloud Standard customers who run the affected Sitecore Experience Platform / CMS versions are also affected. | And others... |
| CVE-2025-34138 | Jul 25, 2025 | RCE in Sitecore XP & XM 9.2-10.4 | And others... |
| CVE-2015-10142 | Jul 25, 2025 | Sitecore XP/CMS <8.0 or 7.2 Update-3 - File Download via Crafted URL: Sitecore Experience Platform (XP) prior to 8.0 Initial Release (rev. 141212) and Content Management System (CMS) prior to 7.2 Update-3 (rev. 141226) and prior to 7.5 Update-1 (rev. 150130) contain a vulnerability that may allow an attacker to download files under the web root of the site when the name of the file is already known via a specially-crafted URL. Affected files do not include .config, .aspx or .cs files. The issue does not allow for directory browsing. | |
| CVE-2025-34139 | Jul 25, 2025 | Sitecore XP/CM File Read RCE 8.0-10.4: A vulnerability exists in Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud that could allow an unauthenticated attacker to read arbitrary files. This vulnerability affects all Experience Platform topologies (XM, XP, XC) from 8.0 Initial Release through 10.4 Initial Release and later. This issue affects Content Management (CM) and standalone instances. PaaS and containerized solutions are also affected. | And others... |
| CVE-2025-34511 | Jun 17, 2025 | Sitecore PowerShell Extensions <=7.0 Unrestricted File Upload (RCE): Sitecore PowerShell Extensions, an add-on to Sitecore Experience Manager (XM) and Experience Platform (XP), through version 7.0 is vulnerable to an unrestricted file upload issue. A remote, authenticated attacker can upload arbitrary files to the server using crafted HTTP requests, resulting in remote code execution. | |
| CVE-2025-34510 | Jun 17, 2025 | Sitecore XM/XP 9.x-10.x Zip Slip Upload File Write Exec: Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) versions 9.0 through 9.3 and 10.0 through 10.4 are affected by a Zip Slip vulnerability. A remote, authenticated attacker can exploit this issue by sending a crafted HTTP request to upload a ZIP archive containing path traversal sequences, allowing arbitrary file writes and leading to code execution. | And others... |
| CVE-2025-34509 | Jun 17, 2025 | Sitecore XM/XP Hardcoded Admin Account Enables Remote API Access (10.1-10.4): Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP. | |
| CVE-2024-46938 | Sep 15, 2024 | Unauthenticated read of arbitrary files in Sitecore XP/XM/XC 8.0-10.4: An issue was discovered in Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) 8.0 Initial Release through 10.4 Initial Release. An unauthenticated attacker can read arbitrary files. | And others... |
| CVE-2023-35813 | Jun 17, 2023 | Remote Code Execution in Sitecore Experience Platform & Commerce 10.3: Multiple Sitecore products allow remote code execution. This affects Experience Manager, Experience Platform, and Experience Commerce through 10.3. | And others... |
| CVE-2023-33652 | Jun 06, 2023 | Authenticated RCE in Sitecore XP 9.3 via /sitecore/shell/Invoke.aspx: Sitecore Experience Platform (XP) v9.3 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the component /sitecore/shell/Invoke.aspx. | |
| CVE-2023-33651 | Jun 06, 2023 | Sitecore XP/XM/XC v9.0-13.0 MVC Device Simulator Auth Bypass: An issue in the MVC Device Simulator of Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) v9.0 Initial Release to v13.0 Initial Release allows attackers to bypass authorization rules. | And others... |
| CVE-2023-33653 | Jun 06, 2023 | Sitecore XP 9.3 Auth RCE via /Applications/Content Manager/Execute.aspx: Sitecore Experience Platform (XP) v9.3 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the component /Applications/Content%20Manager/Execute.aspx?cmd=convert&mode=HTML. | |
| CVE-2023-27068 | May 23, 2023 | Sitecore <=10.2: Untrusted Deserialization RCE via ValidationResult.aspx: Deserialization of Untrusted Data in Sitecore Experience Platform through 10.2 allows remote attackers to run arbitrary code via ValidationResult.aspx. | |
| CVE-2023-27067 | May 22, 2023 | Sitecore XP 10.2 Directory Traversal via download.aspx: Directory Traversal vulnerability in Sitecore Experience Platform through 10.2 allows remote attackers to download arbitrary files via a crafted command to download.aspx. | |
| CVE-2023-27066 | May 22, 2023 | Sitecore XP 10.2 & Prior: Authenticated Directory Traversal via UrlHandle: Directory Traversal vulnerability in Sitecore Experience Platform 10.2 and earlier allows authenticated remote attackers to download arbitrary files via UrlHandle. | |
| CVE-2023-26262 | Mar 14, 2023 | Unrestricted Language File Upload in Sitecore XP/XM 10.3 Remote Code Execution: An issue was discovered in Sitecore XP/XM 10.3. As an authenticated Sitecore user, an unrestricted language file upload vulnerability exists that can lead to direct code execution on the content management (CM) server. | |
| CVE-2021-42237 | Nov 05, 2021 | Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability. | |
| CVE-2021-38366 | Aug 12, 2021 | Sitecore through 10.1, when Update Center is enabled, allows remote authenticated users to upload arbitrary files and achieve remote code execution by visiting an uploaded .aspx file at an admin/Packages URL. | |
| CVE-2019-11198 | Aug 05, 2019 | Multiple cross-site scripting (XSS) vulnerabilities in Sitecore CMS 9.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) #300583 - List Manager Dashboard module, (2) #307638 - Campaign Creator module, (3) #316994 - Attributes field, (4) I#316995 - Icon Selection module, (5) #317000 - Latitude field, (6) #317000 - Longitude field, (7) #317017 - UploadPackage2.aspx module, (8) #317072 - Context menu, or (9) I#317073 - Insert from Template dialog. | |
| CVE-2019-13493 | Jul 17, 2019 | In Sitecore 9.0 rev 171002, Persistent XSS exists in the Media Library and File Manager. An authenticated unprivileged user can modify the uploaded file extension parameter to inject arbitrary JavaScript. | |
| CVE-2019-11080 | Jun 06, 2019 | Sitecore Experience Platform (XP) prior to 9.1.1 is vulnerable to remote code execution via deserialization, aka TFS # 293863. An authenticated user with necessary permissions is able to remotely execute OS commands by sending a crafted serialized object. | |
| CVE-2019-9875 | May 31, 2019 | Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter. | |
| CVE-2019-9874 | May 31, 2019 | Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN. | |
| CVE-2019-12440 | May 29, 2019 | The Sitecore Rocks plugin before 2.1.149 for Sitecore allows an unauthenticated threat actor to inject malicious commands and code via the Sitecore Rocks Hard Rocks Service. | |
| CVE-2018-7669 | Apr 27, 2018 | An issue was discovered in Sitecore Sitecore.NET 8.1 rev. 151207 Hotfix 141178-1 and above. The 'Log Viewer' application is vulnerable to a directory traversal attack, allowing an attacker to access arbitrary files from the host Operating System using a sitecore/shell/default.aspx?xmlcontrol=LogViewerDetails&file= URI. Validation is performed to ensure that the text passed to the 'file' parameter correlates to the correct log file directory. This filter can be bypassed by including a valid log filename and then appending a traditional 'dot dot' style attack. | |