DevNet Hotfixes

Hotfix

Thu, 02 Apr 2026 12:35:44 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Important) - 'picomatch' updated to v2.3.2 - The hotfix updates the 'picomatch' package used by Page and Form builder client scripts to version '2.3.2'. The updates address security vulnerabilities from previous versions.
Application dashboard - In versions 13.0.197 (Refresh 14) or newer, the welcome tile on the application dashboard could reappear after being dismissed, even though it did not display any new messages.
Continuous integration - A "Could not load file or assembly" error occurred when running the ContinuousIntegration.exe utility. The issue occurred only after installing hotfix 13.0.203.

Hotfix

Thu, 26 Mar 2026 06:31:02 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Moderate) - 'MimeKit' update to v4.15.1 - The hotfix updates the 'MimeKit' NuGet package dependency to version '4.15.1' to address security vulnerabilities from previous versions. As a result of the update, the 'MailKit' NuGet package dependency was also updated to '4.15.1'.

Hotfix

Thu, 19 Feb 2026 09:05:59 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Moderate) - 'HtmlSanitizer' updated to 9.0.892 - The hotfix updates the 'HtmlSanitizer' NuGet package dependency to version '9.0.892'. The update addresses security vulnerabilities from previous versions.

Hotfix

Thu, 12 Feb 2026 12:06:14 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Important) - 'axios' updated to 1.13.5 - The hotfix updates the 'axios' package used by Page and Form builder client scripts to version '1.13.5'. The updates address security vulnerabilities from previous versions.
Security (Moderate) - 'lodash' and 'lodash-es' updated to 4.17.23 - The hotfix updates the 'lodash' and 'lodash-es' packages used by Page and Form builder client scripts to version '4.17.23'. The updates address security vulnerabilities from previous versions.
Security (Informative) - 'diff' updated to 4.0.4 - The hotfix updates the 'diff' package used by Page and Form builder client scripts to version '4.0.4'. The updates address security vulnerabilities from previous versions.

Hotfix

Thu, 05 Feb 2026 14:13:30 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Application dashboard - The Welcome tile on the application dashboard providing the latest news about Xperience by Kentico displayed unresolved resource strings when the data source was unavailable.

Hotfix

Thu, 08 Jan 2026 11:19:17 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Moderate) - 'qs' updated to 6.14.1 - The 'qs' transitive dependency used by 'Page builder' and 'Form builder' client scripts was updated to version 6.14.1, which addresses security vulnerabilities from previous versions.

Hotfix

Thu, 11 Dec 2025 14:01:57 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Informative) - 'express' updated to 4.22.0 - The 'express' transitive dependency of 'Page builder' and 'Form builder' client scripts was updated to version 4.22.0, which addresses security vulnerabilities from previous versions.
Security (Important) - 'node-forge' updated to 1.3.2 - The 'node-forge' transitive dependency of 'Page builder' and 'Form builder' client scripts was updated to version 1.3.2, which addresses security vulnerabilities from previous versions.

Hotfix

Thu, 04 Dec 2025 13:45:30 GMT

Hotfix 13.0.197 is the Kentico Xperience 13 Refresh 14 release, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Refresh release notes.

Be sure to check our Hotfix instructions before starting the hotfix process. It might save you some trouble afterwards.

Hotfix

Thu, 20 Nov 2025 11:29:08 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Images - Image recognition failed when large images were uploaded through rich text editor fields, including those on the Content tab of the Pages application and in Rich text page builder widgets.

Hotfix

Thu, 16 Oct 2025 11:49:58 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Important) - 'microsoft.codedom.providers.dotnetcompilerplatform' update to v4.1.0 - The hotfix updates the 'microsoft.codedom.providers.dotnetcompilerplatform' package to version 4.1.0, which addresses security vulnerabilities in the previous version.

Hotfix

Thu, 02 Oct 2025 14:01:14 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Microsoft Azure - The 'Clean Azure storage cache' scheduled task failed to clean the local Azure cache if the paths provided via the 'CMSAzureTempPath' or 'CMSAzureCachePath' keys used the '/' (forward slash) separator.

Hotfix

Thu, 18 Sep 2025 11:29:50 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Moderate) - 'axios' update to v1.12.2 - The hotfix updates the 'axios' third-party dependency used by the Page Builder feature to version 1.12.2, which addresses security vulnerabilities in the previous version.

Hotfix

Thu, 11 Sep 2025 10:48:17 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Pages - Saving a value in the 'Redirect on unpublish' field on a page's Content tab did not work for projects based on Refresh 12 (version 13.0.142), which had their database recreated using the database creation wizard (e.g., when installing the database after the installation process).

Hotfix

Thu, 28 Aug 2025 11:30:24 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Moderate) - Last sign-in not tracked for external users - The system did not update the 'Last sign-in' value for users that signed-in to the administration UI via external authentication.

Hotfix

Thu, 31 Jul 2025 12:41:36 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

WYSIWYG editor - When inserting links into the Rich text editor component for the page and form builder, URLs containing encoded characters (e.g., spaces encoded as `%20`) were encoded again, which could break the URL in some cases.

Hotfix

Sun, 27 Jul 2025 09:00:03 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Critical) - 'form-data' update to 4.0.4 - The hotfix updates the 'form-data' third-party library to version 4.0.4, which addresses security vulnerabilities in the previous version.
Security (Informative) - 'on-headers' update to 1.1.0 - The hotfix updates the 'on-headers' third-party library to version 1.1.0, which addresses security vulnerabilities in the previous version.

Hotfix

Thu, 19 Jun 2025 11:37:04 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Informative) - 'brace-expansion' dependency update - The hotfix updates the 'brace-expansion' library used by Page and Form Builder scripts to version 1.1.12 to address security vulnerabilities.
Performance - Using content tree-based routing generated unnecessary SQL queries when 'URL format for multilingual sites' was set to 'Language prefix'. The database was only queried when a URL was accessed for the first time; all following requests for that same path were resolved using the cache.

Hotfix

Thu, 29 May 2025 08:51:07 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

General - Internal infrastructure updates - Hotfix 13.0.187 contains internal infrastructure updates, and does not directly impact Kentico Xperience projects.

Hotfix

Thu, 15 May 2025 11:01:36 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Staging - Staging task error messages displayed by the system after hotfixing to 13.0.181 now provide more details about the source of the issue.

Hotfix

Wed, 07 May 2025 11:18:00 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Important) - AngularJS library update to 1.8.3 - The hotfix updates the AngularJS library used in certain parts of the administration interface to version 1.8.3. This addresses security vulnerabilities in the original 1.5.5 version.

Hotfix

Wed, 30 Apr 2025 12:35:40 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Moderate) - http-proxy-middleware update to 2.0.9 - The hotfix updates the http-proxy-middleware used by the administration interface to version 2.0.9, which addresses security vulnerabilities in the previous version.

Hotfix

Thu, 24 Apr 2025 10:53:59 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Staging - The new staging logic introduced as part of the authorization bypass vulnerability fix in hotfix version 13.0.178 did not reflect the 'CMSAcceptAllCertificates' and 'CMSStagingAcceptAllCertificates' configuration keys.

Hotfix

Thu, 10 Apr 2025 10:02:02 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Important) - MooTools library made obsolete - The hotfix obsoletes the outdated MooTools library bundled with the administration project to improve security, due to potential vulnerabilities. The library, located under ~/CMSScripts/mootools.js, was carried over from previous versions of Kentico Xperience and is not used by any default functionality in Kentico Xperience 13. If your custom code depends on any features from this library, we recommend referencing an external implementation.
Security (Important) - Require.js library update to v2.3.7 - The Require.js library contained a vulnerability with high severity: Prototype pollution. The hotfix addresses this security vulnerability by updating the library to version 2.3.7.

Hotfix

Thu, 03 Apr 2025 14:22:34 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Critical) - Underscore.js library update to v1.13.7 - The Underscore.js library contained a critical vulnerability: Arbitrary Code Execution. The hotfix addresses this security vulnerability by updating the library to version 1.13.7.
Security (Moderate) - Stored XSS via media library upload - As an authenticated user, it was possible to distribute a malicious payload by abusing media library file upload and following certain specific steps.
Security (Moderate) - Froala editor update to v4.5.0 - The hotfix updates the Froala WYSIWYG editor used in the 'Rich text' page builder widget to version 4.5.0, which addresses security vulnerabilities in the previous version.

Hotfix

Fri, 28 Mar 2025 16:11:05 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Important) - Denial of service using Content staging - It was possible to launch a denial-of-service attack by exploiting the system's Content staging feature. Staging did not need to be enabled, the vulnerability was exploitable under all circumstances. Applying the hotfix results in a functional breaking change in the Content staging feature. See the hotfix instructions in the documentation for details and potential manual steps required after hotfixing your instance.

Hotfix

Thu, 20 Mar 2025 12:13:18 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Important) - Update of third-party dependencies - The hotfix updates several third-party dependencies of page and form builder scripts to newer versions that address vulnerabilities.
Security (Informative) - Self-XSS in the database installation step - It was possible to perform a Self-Cross Site Scripting attack when progressing through the 'additional database installation' wizard in the administration project.

Hotfix

Thu, 06 Mar 2025 12:50:17 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Moderate) - SQL injection in product installer - The product database installer was vulnerable to an SQL injection attack during the installation process. To fix the issue, the hotfix must be applied to the Setup files (switch to advanced mode in the hotfix utility) as well as your instance (database installation can be triggered multiple ways).
Security (Moderate) - Stored XSS when uploading files - It was possible to distribute a malicious payload as an unauthenticated user when uploading multiple files to the application. A similar vulnerability could have also been exploited by authenticated users. Applying the hotfix introduces functional changes to the application's file retrieval endpoint for certain types of files. See the hotfix instructions for details.
Security (Critical) - Authorization bypass in content staging - Due to a vulnerability in a third-party library used by the product, the staging authentication mechanism could be bypassed. Only instances with the staging functionality enabled were affected. This vulnerability exploited a different attack vector from the one fixed in hotfix 13.0.173. See the hotfix instructions in the documentation for possible manual steps required after hotfixing your instance. If you don't use staging and want to completely mitigate all possible vulnerabilities, you can limit which external services can access the staging endpoint ‘/CMSPages/Staging/SyncServer.asmx’ by editing the '' node in the config file under '~/CMS/CMSPages/Web.config'. To deny access to all users, set 'authorization' to ''.
Security (Important) - Post-auth remote code execution - Staging media files could lead to Remote Code Execution on the target server.

Hotfix

Thu, 27 Feb 2025 14:17:41 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Important) - Updated Lodash to the latest version - The Lodash JavaScript library used in the administration interface was updated to version 4.17.21 due to security vulnerabilities contained in the previously used version.
Form components - If a form's output code included the '
' HTML tag (for example added via a custom form builder section), an error occurred when attempting to select a file in a form field using the 'File uploader' component.

Hotfix

Thu, 20 Feb 2025 09:29:22 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Event log - During startup, if the application failed to load a referenced assembly whose full file system path was longer than 100 characters, the application raised an unhandled event log-related exception 'Value cannot be longer than 100 characters. (Parameter 'eventCode')' instead of logging the original issue.

Hotfix

Thu, 13 Feb 2025 12:45:48 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Amazon S3 - Accessing resources hosted in Amazon S3 occassionally resulted in unhandled IO exceptions, which could, for example, cause broken links to images and other resources on the live site.

Hotfix

Thu, 06 Feb 2025 14:38:21 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Scheduler - An error occurred when executing certain scheduled tasks (e.g., 'Recalculate time zone') using the external Windows service.