Sitecore Experience Platform
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Sitecore Experience Platform.
By the Year
In 2026 there have been 0 vulnerabilities in Sitecore Experience Platform. Last year, in 2025 Experience Platform had 9 security vulnerabilities published. Right now, Experience Platform is on track to have less security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 9 | 8.24 |
| 2024 | 1 | 7.50 |
| 2023 | 8 | 8.24 |
| 2022 | 0 | 0.00 |
| 2021 | 1 | 9.80 |
| 2020 | 0 | 0.00 |
| 2019 | 3 | 9.30 |
It may take a day or so for new Experience Platform vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Sitecore Experience Platform Security Vulnerabilities
Sitecore XM/XP 9.2-10.4 XSS Vulnerability in Page Generation
CVE-2025-53692
7.1 - High
- September 21, 2025
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Cross-Site Scripting (XSS).This issue affects Sitecore Experience Manager (XM): from 9.2 through 10.4; Experience Platform (XP): from 9.2 through 10.4.
XSS
Sitecore XM/XP <=9.0 Code Injection via Deserialization of Untrusted Data
CVE-2025-53690
9 - Critical
- September 03, 2025
Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.
Marshaling, Unmarshaling
XSS in Sitecore XP 7.5-10.2 & CMS 7.2 via Shell
CVE-2022-4979
- July 25, 2025
A cross-site scripting (XSS) vulnerability exists in Sitecore Experience Platform (XP) 7.5 - 10.2 and CMS 7.2 - 7.2 Update-6 that may allow authenticated Sitecore Shell users to be tricked into executing custom JS code. Managed Cloud Standard customers who run the affected Sitecore Experience Platform / CMS versions are also affected.
XSS
RCE in Sitecore XP & XM 9.2-10.4
CVE-2025-34138
- July 25, 2025
Sitecore XP/CMS <8.0 or 7.2 Update-3 - File Download via Crafted URL
CVE-2015-10142
- July 25, 2025
Sitecore Experience Platform (XP) prior to 8.0 Initial Release (rev. 141212) and Content Management System (CMS) prior to 7.2 Update-3 (rev. 141226) and prior to 7.5 Update-1 (rev. 150130) contain a vulnerability that may allow an attacker to download files under the web root of the site when the name of the file is already known via a specially-crafted URL. Affected files do not include .config, .aspx or .cs files. The issue does not allow for directory browsing.
Externally Controlled Reference to a Resource in Another Sphere
Sitecore XP/CM File Read RCE 8.0-10.4
CVE-2025-34139
- July 25, 2025
A vulnerability exists in Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud that could allow an unauthenticated attacker to read arbitrary files. This vulnerability affects all Experience Platform topologies (XM, XP, XC) from 8.0 Initial Release through 10.4 Initial Release and later. This issue affects Content Management (CM) and standalone instances. PaaS and containerized solutions are also affected.
Insufficiently Protected Credentials
Sitecore PowerShell Extensions <=7.0 Unrestricted FileUpload (RCE)
CVE-2025-34511
8.8 - High
- June 17, 2025
Sitecore PowerShell Extensions, an add-on to Sitecore Experience Manager (XM) and Experience Platform (XP), through version 7.0 is vulnerable to an unrestricted file upload issue. A remote, authenticated attacker can upload arbitrary files to the server using crafted HTTP requests, resulting in remote code execution.
Unrestricted File Upload
Sitecore XM/XP 9.x-10.x ZipSlip Upload File Write Exec
CVE-2025-34510
8.8 - High
- June 17, 2025
Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) versions 9.0 through 9.3 and 10.0 through 10.4 are affected by a Zip Slip vulnerability. A remote, authenticated attacker can exploit this issue by sending a crafted HTTP request to upload a ZIP archive containing path traversal sequences, allowing arbitrary file writes and leading to code execution.
Relative Path Traversal
Sitecore XM/XP Hardcoded Admin Account Enables Remote API Access (10.1–10.4)
CVE-2025-34509
7.5 - High
- June 17, 2025
Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.
Use of Hard-coded Credentials
Unauth read arbitrary files in Sitecore XP/XM/XC 8.0-10.4
CVE-2024-46938
7.5 - High
- September 15, 2024
An issue was discovered in Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) 8.0 Initial Release through 10.4 Initial Release. An unauthenticated attacker can read arbitrary files.
Remote Code Execution in Sitecore Experience Platform & Commerce 10.3
CVE-2023-35813
9.8 - Critical
- June 17, 2023
Multiple Sitecore products allow remote code execution. This affects Experience Manager, Experience Platform, and Experience Commerce through 10.3.
Sitecore XP/XM/ XC v9.0-13.0 MVC Device Simulator Auth Bypass
CVE-2023-33651
7.5 - High
- June 06, 2023
An issue in the MVC Device Simulator of Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) v9.0 Initial Release to v13.0 Initial Release allows attackers to bypass authorization rules.
AuthZ
Authenticated RCE in Sitecore XP 9.3 via /sitecore/shell/Invoke.aspx
CVE-2023-33652
8.8 - High
- June 06, 2023
Sitecore Experience Platform (XP) v9.3 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the component /sitecore/shell/Invoke.aspx.
Reflection Injection
Sitecore XP 9.3 Auth RCE via /Applications/Content Manager Execute.aspx
CVE-2023-33653
8.8 - High
- June 06, 2023
Sitecore Experience Platform (XP) v9.3 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the component /Applications/Content%20Manager/Execute.aspx?cmd=convert&mode=HTML.
Sitecore <=10.2: Untrusted Deserialization RCE via ValidationResult.aspx
CVE-2023-27068
9.8 - Critical
- May 23, 2023
Deserialization of Untrusted Data in Sitecore Experience Platform through 10.2 allows remote attackers to run arbitrary code via ValidationResult.aspx.
Marshaling, Unmarshaling
Sitecore XP 10.2 Directory Traversal via download.aspx
CVE-2023-27067
7.5 - High
- May 22, 2023
Directory Traversal vulnerability in Sitecore Experience Platform through 10.2 allows remote attackers to download arbitrary files via crafted command to download.aspx
Directory traversal
Sitecore XP 10.2 & Prior: Authenticated Directory Traversal via UrlHandle
CVE-2023-27066
6.5 - Medium
- May 22, 2023
Directory Traversal vulnerability in Site Core Experience Platform 10.2 and earlier allows authenticated remote attackers to download arbitrary files via Urlhandle.
Directory traversal
Unrestricted Language File Upload in Sitecore XP/XM 10.3 Remote Code Execution
CVE-2023-26262
7.2 - High
- March 14, 2023
An issue was discovered in Sitecore XP/XM 10.3. As an authenticated Sitecore user, a unrestricted language file upload vulnerability exists the can lead to direct code execution on the content management (CM) server.
Unrestricted File Upload
Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine
CVE-2021-42237
9.8 - Critical
- November 05, 2021
Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability.
Marshaling, Unmarshaling
In Sitecore 9.0 rev 171002, Persistent XSS exists in the Media Library and File Manager
CVE-2019-13493
- July 17, 2019
In Sitecore 9.0 rev 171002, Persistent XSS exists in the Media Library and File Manager. An authenticated unprivileged user can modify the uploaded file extension parameter to inject arbitrary JavaScript.
Sitecore Experience Platform (XP) prior to 9.1.1 is vulnerable to remote code execution via deserialization, aka TFS # 293863
CVE-2019-11080
8.8 - High
- June 06, 2019
Sitecore Experience Platform (XP) prior to 9.1.1 is vulnerable to remote code execution via deserialization, aka TFS # 293863. An authenticated user with necessary permissions is able to remotely execute OS commands by sending a crafted serialized object.
Marshaling, Unmarshaling
Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2
CVE-2019-9874
9.8 - Critical
- May 31, 2019
Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.
Marshaling, Unmarshaling
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Sitecore Experience Platform or by Sitecore? Click the Watch button to subscribe.
