DevNet Hotfixes

Hotfix

Thu, 04 Jun 2026 13:17:15 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Important) - 'axios' updated to v1.16.1 - The hotfix updates the 'axios' package used by Page and Form builder client scripts to version '1.16.1'. The update addresses security vulnerabilities from previous versions.
Security (Critical) - Form builder SQL injection - The Form builder was vulnerable to SQL injection attacks. Exploitation required authenticated access to the administration interface with permissions for editing forms. An authenticated attacker could exploit this vulnerability to execute arbitrary SQL commands, potentially leading to application compromise.

Hotfix

Thu, 28 May 2026 13:14:49 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Important) - 'js-cookie' updated to v3.0.7, 'qs' updated to v6.15.2 - The hotfix updates the 'js-cookie' package to version '3.0.7' and 'qs' to version '6.15.2' (along with transitive dependencies 'body-parser' to '1.20.5' and 'express' to '4.22.2') used by Page and Form builder client scripts. The update addresses security vulnerabilities from previous versions.

Hotfix

Thu, 21 May 2026 13:38:36 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Informative) - 'ws' updated to v8.20.1 - The hotfix updates the 'ws' package used by Page and Form builder client scripts to version '8.20.1'. The update addresses security vulnerabilities from previous versions.
Security (Moderate) - 'brace-expansion' updated to v5.0.6 - The hotfix updates the 'brace-expansion' package used by Page and Form builder client scripts to version '5.0.6'. The update addresses security vulnerabilities from previous versions.
Security (Moderate) - 'fast-uri' updated to v3.1.2 - The hotfix updates the 'fast-uri' package used by Page and Form builder client scripts to version '3.1.2'. The update addresses security vulnerabilities from previous versions.

Hotfix

Thu, 07 May 2026 13:26:50 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Important) - 'axios' updated to v1.15.2 - The hotfix updates the 'axios' package used by Page and Form builder client scripts to version '1.15.2'. The update addresses security vulnerabilities from previous versions.
Security (Moderate) - 'uuid' updated to v14.0.0 - The hotfix updates the 'uuid' package used by Page and Form builder client scripts to version '14.0.0'. The update addresses security vulnerabilities from previous versions.
Page builder - Parts of the Page Builder interface were not loading, and the feature was reporting various console errors across browsers. This issue occurred only after updating to hotfix 13.0.206.

Hotfix

Thu, 30 Apr 2026 12:23:27 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Moderate) - 'postcss' updated to v8.5.12 - The hotfix updates the 'postcss' package used by Page and Form builder client scripts to version '8.5.12'. The update addresses security vulnerabilities from previous versions.
Security (Moderate) - 'MailKit' updated to v4.16.0 - The hotfix updates the 'MailKit' NuGet package dependency to version '4.16.0' to address security vulnerabilities from previous versions.
Security (Informative) - 'NuGet.Packaging' and 'NuGet.Protocol' updated to v5.11.7 - The hotfix updates the 'NuGet.Packaging' and 'NuGet.Protocol' NuGet package dependencies to version '5.11.7' to address security vulnerabilities from previous versions.

Hotfix

Thu, 16 Apr 2026 12:52:31 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Moderate) - 'follow-redirects' updated to v1.16.0 - The hotfix updates the 'follow-redirects' package used by Page and Form builder client scripts to version '1.16.0'. The update addresses security vulnerabilities from previous versions.
Security (Informative) - 'axios' updated to v1.15.0 - The hotfix updates the 'axios' package used by Page and Form builder client scripts to version '1.15.0'. The update addresses security vulnerabilities from previous versions.
Security (Moderate) - reCAPTCHA v2 validation vulnerability - Under certain conditions, reCAPTCHA v2 validation performed by the 'reCAPTCHA' form builder component could fail and incorrectly accept submissions. This could enable spam submissions through forms or increased load on form-based workflows.
Security (Moderate) - 'lodash' and 'lodash-es' updated to v4.18.1 - The hotfix updates the 'lodash' and 'lodash-es' packages used by Page and Form builder client scripts to version '4.18.1'. The updates address security vulnerabilities from previous versions.

Hotfix

Thu, 02 Apr 2026 12:35:44 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Important) - 'picomatch' updated to v2.3.2 - The hotfix updates the 'picomatch' package used by Page and Form builder client scripts to version '2.3.2'. The updates address security vulnerabilities from previous versions.
Application dashboard - In versions 13.0.197 (Refresh 14) or newer, the welcome tile on the application dashboard could reappear after being dismissed, even though it did not display any new messages.
Continuous integration - A "Could not load file or assembly" error occurred when running the ContinuousIntegration.exe utility. The issue occurred only after installing hotfix 13.0.203. Hotfix 13.0.204 resolves this automatically for new installations only. Existing projects require mandatory manual steps – see the 13.0.203 section of the Hotfix instructions in the documentation.

Hotfix

Thu, 26 Mar 2026 06:31:02 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Moderate) - 'MimeKit' update to v4.15.1 - The hotfix updates the 'MimeKit' NuGet package dependency to version '4.15.1' to address security vulnerabilities from previous versions. As a result of the update, the 'MailKit' NuGet package dependency was also updated to '4.15.1'.

Hotfix

Thu, 19 Feb 2026 09:05:59 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Moderate) - 'HtmlSanitizer' updated to 9.0.892 - The hotfix updates the 'HtmlSanitizer' NuGet package dependency to version '9.0.892'. The update addresses security vulnerabilities from previous versions.

Hotfix

Thu, 12 Feb 2026 12:06:14 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Important) - 'axios' updated to 1.13.5 - The hotfix updates the 'axios' package used by Page and Form builder client scripts to version '1.13.5'. The updates address security vulnerabilities from previous versions.
Security (Moderate) - 'lodash' and 'lodash-es' updated to 4.17.23 - The hotfix updates the 'lodash' and 'lodash-es' packages used by Page and Form builder client scripts to version '4.17.23'. The updates address security vulnerabilities from previous versions.
Security (Informative) - 'diff' updated to 4.0.4 - The hotfix updates the 'diff' package used by Page and Form builder client scripts to version '4.0.4'. The updates address security vulnerabilities from previous versions.

Hotfix

Thu, 05 Feb 2026 14:13:30 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Application dashboard - The Welcome tile on the application dashboard providing the latest news about Xperience by Kentico displayed unresolved resource strings when the data source was unavailable.

Hotfix

Thu, 08 Jan 2026 11:19:17 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Moderate) - 'qs' updated to 6.14.1 - The 'qs' transitive dependency used by 'Page builder' and 'Form builder' client scripts was updated to version 6.14.1, which addresses security vulnerabilities from previous versions.

Hotfix

Thu, 11 Dec 2025 14:01:57 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Informative) - 'express' updated to 4.22.0 - The 'express' transitive dependency of 'Page builder' and 'Form builder' client scripts was updated to version 4.22.0, which addresses security vulnerabilities from previous versions.
Security (Important) - 'node-forge' updated to 1.3.2 - The 'node-forge' transitive dependency of 'Page builder' and 'Form builder' client scripts was updated to version 1.3.2, which addresses security vulnerabilities from previous versions.

Hotfix

Thu, 04 Dec 2025 13:45:30 GMT

Hotfix 13.0.197 is the Kentico Xperience 13 Refresh 14 release, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Refresh release notes.

Be sure to check our Hotfix instructions before starting the hotfix process. It might save you some trouble afterwards.

Hotfix

Thu, 20 Nov 2025 11:29:08 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Images - Image recognition failed when large images were uploaded through rich text editor fields, including those on the Content tab of the Pages application and in Rich text page builder widgets.

Hotfix

Thu, 16 Oct 2025 11:49:58 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Important) - 'microsoft.codedom.providers.dotnetcompilerplatform' update to v4.1.0 - The hotfix updates the 'microsoft.codedom.providers.dotnetcompilerplatform' package to version 4.1.0, which addresses security vulnerabilities in the previous version.

Hotfix

Thu, 02 Oct 2025 14:01:14 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Microsoft Azure - The 'Clean Azure storage cache' scheduled task failed to clean the local Azure cache if the paths provided via the 'CMSAzureTempPath' or 'CMSAzureCachePath' keys used the '/' (forward slash) separator.

Hotfix

Thu, 18 Sep 2025 11:29:50 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Moderate) - 'axios' update to v1.12.2 - The hotfix updates the 'axios' third-party dependency used by the Page Builder feature to version 1.12.2, which addresses security vulnerabilities in the previous version.

Hotfix

Thu, 11 Sep 2025 10:48:17 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Pages - Saving a value in the 'Redirect on unpublish' field on a page's Content tab did not work for projects based on Refresh 12 (version 13.0.142), which had their database recreated using the database creation wizard (e.g., when installing the database after the installation process).

Hotfix

Thu, 28 Aug 2025 11:30:24 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Moderate) - Last sign-in not tracked for external users - The system did not update the 'Last sign-in' value for users that signed-in to the administration UI via external authentication.

Hotfix

Thu, 31 Jul 2025 12:41:36 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

WYSIWYG editor - When inserting links into the Rich text editor component for the page and form builder, URLs containing encoded characters (e.g., spaces encoded as `%20`) were encoded again, which could break the URL in some cases.

Hotfix

Sun, 27 Jul 2025 09:00:03 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Critical) - 'form-data' update to 4.0.4 - The hotfix updates the 'form-data' third-party library to version 4.0.4, which addresses security vulnerabilities in the previous version.
Security (Informative) - 'on-headers' update to 1.1.0 - The hotfix updates the 'on-headers' third-party library to version 1.1.0, which addresses security vulnerabilities in the previous version.

Hotfix

Thu, 19 Jun 2025 11:37:04 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Informative) - 'brace-expansion' dependency update - The hotfix updates the 'brace-expansion' library used by Page and Form Builder scripts to version 1.1.12 to address security vulnerabilities.
Performance - Using content tree-based routing generated unnecessary SQL queries when 'URL format for multilingual sites' was set to 'Language prefix'. The database was only queried when a URL was accessed for the first time; all following requests for that same path were resolved using the cache.

Hotfix

Thu, 29 May 2025 08:51:07 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

General - Internal infrastructure updates - Hotfix 13.0.187 contains internal infrastructure updates, and does not directly impact Kentico Xperience projects.

Hotfix

Thu, 15 May 2025 11:01:36 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Staging - Staging task error messages displayed by the system after hotfixing to 13.0.181 now provide more details about the source of the issue.

Hotfix

Wed, 07 May 2025 11:18:00 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Important) - AngularJS library update to 1.8.3 - The hotfix updates the AngularJS library used in certain parts of the administration interface to version 1.8.3. This addresses security vulnerabilities in the original 1.5.5 version.

Hotfix

Wed, 30 Apr 2025 12:35:40 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Moderate) - http-proxy-middleware update to 2.0.9 - The hotfix updates the http-proxy-middleware used by the administration interface to version 2.0.9, which addresses security vulnerabilities in the previous version.

Hotfix

Thu, 24 Apr 2025 10:53:59 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Staging - The new staging logic introduced as part of the authorization bypass vulnerability fix in hotfix version 13.0.178 did not reflect the 'CMSAcceptAllCertificates' and 'CMSStagingAcceptAllCertificates' configuration keys.

Hotfix

Thu, 10 Apr 2025 10:02:02 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Important) - MooTools library made obsolete - The hotfix obsoletes the outdated MooTools library bundled with the administration project to improve security, due to potential vulnerabilities. The library, located under ~/CMSScripts/mootools.js, was carried over from previous versions of Kentico Xperience and is not used by any default functionality in Kentico Xperience 13. If your custom code depends on any features from this library, we recommend referencing an external implementation.
Security (Important) - Require.js library update to v2.3.7 - The Require.js library contained a vulnerability with high severity: Prototype pollution. The hotfix addresses this security vulnerability by updating the library to version 2.3.7.

Hotfix

Thu, 03 Apr 2025 14:22:34 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Critical) - Underscore.js library update to v1.13.7 - The Underscore.js library contained a critical vulnerability: Arbitrary Code Execution. The hotfix addresses this security vulnerability by updating the library to version 1.13.7.
Security (Moderate) - Stored XSS via media library upload - As an authenticated user, it was possible to distribute a malicious payload by abusing media library file upload and following certain specific steps.
Security (Moderate) - Froala editor update to v4.5.0 - The hotfix updates the Froala WYSIWYG editor used in the 'Rich text' page builder widget to version 4.5.0, which addresses security vulnerabilities in the previous version.

Hotfix

Fri, 28 Mar 2025 16:11:05 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

Security (Important) - Denial of service using Content staging - It was possible to launch a denial-of-service attack by exploiting the system's Content staging feature. Staging did not need to be enabled, the vulnerability was exploitable under all circumstances. Applying the hotfix results in a functional breaking change in the Content staging feature. See the hotfix instructions in the documentation for details and potential manual steps required after hotfixing your instance.