Sitecore Experience Commerce
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Sitecore Experience Commerce.
By the Year
In 2026 there have been 0 vulnerabilities in Sitecore Experience Commerce. Last year, in 2025 Experience Commerce had 3 security vulnerabilities published. Right now, Experience Commerce is on track to have less security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 3 | 8.80 |
| 2024 | 1 | 7.50 |
| 2023 | 2 | 8.65 |
It may take a day or so for new Experience Commerce vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Sitecore Experience Commerce Security Vulnerabilities
RCE in Sitecore XP & XM 9.2-10.4
CVE-2025-34138
- July 25, 2025
Sitecore XP/CM File Read RCE 8.0-10.4
CVE-2025-34139
- July 25, 2025
A vulnerability exists in Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud that could allow an unauthenticated attacker to read arbitrary files. This vulnerability affects all Experience Platform topologies (XM, XP, XC) from 8.0 Initial Release through 10.4 Initial Release and later. This issue affects Content Management (CM) and standalone instances. PaaS and containerized solutions are also affected.
Insufficiently Protected Credentials
Sitecore XM/XP 9.x-10.x ZipSlip Upload File Write Exec
CVE-2025-34510
8.8 - High
- June 17, 2025
Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) versions 9.0 through 9.3 and 10.0 through 10.4 are affected by a Zip Slip vulnerability. A remote, authenticated attacker can exploit this issue by sending a crafted HTTP request to upload a ZIP archive containing path traversal sequences, allowing arbitrary file writes and leading to code execution.
Relative Path Traversal
Unauth read arbitrary files in Sitecore XP/XM/XC 8.0-10.4
CVE-2024-46938
7.5 - High
- September 15, 2024
An issue was discovered in Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) 8.0 Initial Release through 10.4 Initial Release. An unauthenticated attacker can read arbitrary files.
Remote Code Execution in Sitecore Experience Platform & Commerce 10.3
CVE-2023-35813
9.8 - Critical
- June 17, 2023
Multiple Sitecore products allow remote code execution. This affects Experience Manager, Experience Platform, and Experience Commerce through 10.3.
Sitecore XP/XM/ XC v9.0-13.0 MVC Device Simulator Auth Bypass
CVE-2023-33651
7.5 - High
- June 06, 2023
An issue in the MVC Device Simulator of Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) v9.0 Initial Release to v13.0 Initial Release allows attackers to bypass authorization rules.
AuthZ
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Sitecore Experience Commerce or by Sitecore? Click the Watch button to subscribe.
