Sitecore Experience Manager

Sitecore XM/XP 9.2-10.4 XSS Vulnerability in Page Generation
CVE-2025-53692 7.1 - High - September 21, 2025

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Cross-Site Scripting (XSS).This issue affects Sitecore Experience Manager (XM): from 9.2 through 10.4; Experience Platform (XP): from 9.2 through 10.4.

XSS

Sitecore XM/XP <=9.0 Code Injection via Deserialization of Untrusted Data
CVE-2025-53690 9 - Critical - September 03, 2025

Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.

Marshaling, Unmarshaling

RCE in Sitecore XP & XM 9.2-10.4
CVE-2025-34138 - July 25, 2025

Sitecore XP/CM File Read RCE 8.0-10.4
CVE-2025-34139 - July 25, 2025

A vulnerability exists in Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud that could allow an unauthenticated attacker to read arbitrary files. This vulnerability affects all Experience Platform topologies (XM, XP, XC) from 8.0 Initial Release through 10.4 Initial Release and later. This issue affects Content Management (CM) and standalone instances. PaaS and containerized solutions are also affected.

Insufficiently Protected Credentials

Sitecore XM/XP Hardcoded Admin Account Enables Remote API Access (10.1–10.4)
CVE-2025-34509 7.5 - High - June 17, 2025

Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.

Use of Hard-coded Credentials

Sitecore XM/XP 9.x-10.x ZipSlip Upload File Write Exec
CVE-2025-34510 8.8 - High - June 17, 2025

Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) versions 9.0 through 9.3 and 10.0 through 10.4 are affected by a Zip Slip vulnerability. A remote, authenticated attacker can exploit this issue by sending a crafted HTTP request to upload a ZIP archive containing path traversal sequences, allowing arbitrary file writes and leading to code execution.

Relative Path Traversal

Unauth read arbitrary files in Sitecore XP/XM/XC 8.0-10.4
CVE-2024-46938 7.5 - High - September 15, 2024

An issue was discovered in Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) 8.0 Initial Release through 10.4 Initial Release. An unauthenticated attacker can read arbitrary files.

Remote Code Execution in Sitecore Experience Platform & Commerce 10.3
CVE-2023-35813 9.8 - Critical - June 17, 2023

Multiple Sitecore products allow remote code execution. This affects Experience Manager, Experience Platform, and Experience Commerce through 10.3.

Sitecore XP/XM/ XC v9.0-13.0 MVC Device Simulator Auth Bypass
CVE-2023-33651 7.5 - High - June 06, 2023

An issue in the MVC Device Simulator of Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) v9.0 Initial Release to v13.0 Initial Release allows attackers to bypass authorization rules.

AuthZ

Unrestricted Language File Upload in Sitecore XP/XM 10.3 Remote Code Execution
CVE-2023-26262 7.2 - High - March 14, 2023

An issue was discovered in Sitecore XP/XM 10.3. As an authenticated Sitecore user, a unrestricted language file upload vulnerability exists the can lead to direct code execution on the content management (CM) server.

Unrestricted File Upload