Kentico Xperience 13 - Security Patches

'picomatch' updated to v2.3.2

Wed, 01 Apr 2026 22:00:00 GMT

The hotfix updates the 'picomatch' package used by Page and Form builder client scripts to version '2.3.2'. The updates address security vulnerabilities from previous versions.

'MimeKit' update to v4.15.1

Wed, 25 Mar 2026 23:00:00 GMT

The hotfix updates the 'MimeKit' NuGet package dependency to version '4.15.1' to address security vulnerabilities from previous versions. As a result of the update, the 'MailKit' NuGet package dependency was also updated to '4.15.1'.

'HtmlSanitizer' updated to 9.0.892

Wed, 18 Feb 2026 23:00:00 GMT

The hotfix updates the 'HtmlSanitizer' NuGet package dependency to version '9.0.892'. The update addresses security vulnerabilities from previous versions.

'axios' updated to 1.13.5

Wed, 11 Feb 2026 23:00:00 GMT

The hotfix updates the 'axios' package used by Page and Form builder client scripts to version '1.13.5'. The updates address security vulnerabilities from previous versions.

'lodash' and 'lodash-es' updated to 4.17.23

Wed, 11 Feb 2026 23:00:00 GMT

The hotfix updates the 'lodash' and 'lodash-es' packages used by Page and Form builder client scripts to version '4.17.23'. The updates address security vulnerabilities from previous versions.

'diff' updated to 4.0.4

Wed, 11 Feb 2026 23:00:00 GMT

The hotfix updates the 'diff' package used by Page and Form builder client scripts to version '4.0.4'. The updates address security vulnerabilities from previous versions.

'qs' updated to 6.14.1

Wed, 07 Jan 2026 23:00:00 GMT

The 'qs' transitive dependency used by 'Page builder' and 'Form builder' client scripts was updated to version 6.14.1, which addresses security vulnerabilities from previous versions.

'express' updated to 4.22.0

Wed, 10 Dec 2025 23:00:00 GMT

The 'express' transitive dependency of 'Page builder' and 'Form builder' client scripts was updated to version 4.22.0, which addresses security vulnerabilities from previous versions.

'node-forge' updated to 1.3.2

Wed, 10 Dec 2025 23:00:00 GMT

The 'node-forge' transitive dependency of 'Page builder' and 'Form builder' client scripts was updated to version 1.3.2, which addresses security vulnerabilities from previous versions.

'microsoft.codedom.providers.dotnetcompilerplatform' update to v4.1.0

Wed, 15 Oct 2025 22:00:00 GMT

The hotfix updates the 'microsoft.codedom.providers.dotnetcompilerplatform' package to version 4.1.0, which addresses security vulnerabilities in the previous version.

'axios' update to v1.12.2

Wed, 17 Sep 2025 22:00:00 GMT

The hotfix updates the 'axios' third-party dependency used by the Page Builder feature to version 1.12.2, which addresses security vulnerabilities in the previous version.

Last sign-in not tracked for external users

Wed, 27 Aug 2025 22:00:00 GMT

The system did not update the 'Last sign-in' value for users that signed-in to the administration UI via external authentication.

'form-data' update to 4.0.4

Sat, 26 Jul 2025 22:00:00 GMT

The hotfix updates the 'form-data' third-party library to version 4.0.4, which addresses security vulnerabilities in the previous version.

'on-headers' update to 1.1.0

Sat, 26 Jul 2025 22:00:00 GMT

The hotfix updates the 'on-headers' third-party library to version 1.1.0, which addresses security vulnerabilities in the previous version.

'brace-expansion' dependency update

Wed, 18 Jun 2025 22:00:00 GMT

The hotfix updates the 'brace-expansion' library used by Page and Form Builder scripts to version 1.1.12 to address security vulnerabilities.

AngularJS library update to 1.8.3

Tue, 06 May 2025 22:00:00 GMT

The hotfix updates the AngularJS library used in certain parts of the administration interface to version 1.8.3. This addresses security vulnerabilities in the original 1.5.5 version.

http-proxy-middleware update to 2.0.9

Tue, 29 Apr 2025 22:00:00 GMT

The hotfix updates the http-proxy-middleware used by the administration interface to version 2.0.9, which addresses security vulnerabilities in the previous version.

MooTools library made obsolete

Wed, 09 Apr 2025 22:00:00 GMT

The hotfix obsoletes the outdated MooTools library bundled with the administration project to improve security, due to potential vulnerabilities. The library, located under ~/CMSScripts/mootools.js, was carried over from previous versions of Kentico Xperience and is not used by any default functionality in Kentico Xperience 13. If your custom code depends on any features from this library, we recommend referencing an external implementation.

Require.js library update to v2.3.7

Wed, 09 Apr 2025 22:00:00 GMT

The Require.js library contained a vulnerability with high severity: Prototype pollution. The hotfix addresses this security vulnerability by updating the library to version 2.3.7.

Underscore.js library update to v1.13.7

Wed, 02 Apr 2025 22:00:00 GMT

The Underscore.js library was vulnerable to Arbitrary Code Injection via the template function. The hotfix addresses this security vulnerability by updating the library to version 1.13.7.

Stored XSS via media library upload

Wed, 02 Apr 2025 22:00:00 GMT

As an authenticated user, it was possible to distribute a malicious payload by abusing media library file upload and following certain specific steps.

Froala editor update to v4.5.0

Wed, 02 Apr 2025 22:00:00 GMT

The hotfix updates the Froala WYSIWYG editor used in the 'Rich text' page builder widget to version 4.5.0, which addresses security vulnerabilities in the previous version.

Denial of service using Content staging

Thu, 27 Mar 2025 23:00:00 GMT

It was possible to launch a denial-of-service attack by exploiting the system's Content staging feature. Staging did not need to be enabled, the vulnerability was exploitable under all circumstances. Applying the hotfix results in a functional breaking change in the Content staging feature. See the hotfix instructions in the documentation for details and potential manual steps required after hotfixing your instance.

Update of third-party dependencies

Wed, 19 Mar 2025 23:00:00 GMT

The hotfix updates several third-party dependencies of page and form builder scripts to newer versions that address vulnerabilities.

Self-XSS in the database installation step

Wed, 19 Mar 2025 23:00:00 GMT

It was possible to perform a Self-Cross Site Scripting attack when progressing through the 'additional database installation' wizard in the administration project.

SQL injection in product installer

Wed, 05 Mar 2025 23:00:00 GMT

The product database installer was vulnerable to an SQL injection attack during the installation process. To fix the issue, the hotfix must be applied to the Setup files (switch to advanced mode in the hotfix utility) as well as your instance (database installation can be triggered multiple ways).

Stored XSS when uploading files

Wed, 05 Mar 2025 23:00:00 GMT

It was possible to distribute a malicious payload as an unauthenticated user when uploading multiple files to the application. A similar vulnerability could have also been exploited by authenticated users. Applying the hotfix introduces functional changes to the application's file retrieval endpoint for certain types of files. See the hotfix instructions for details.

Authorization bypass in content staging

Wed, 05 Mar 2025 23:00:00 GMT

Due to a vulnerability in a third-party library used by the product, the staging authentication mechanism could be bypassed. Only instances with the staging functionality enabled were affected. This vulnerability exploited a different attack vector from the one fixed in hotfix 13.0.173. See the hotfix instructions in the documentation for possible manual steps required after hotfixing your instance. If you don't use staging and want to completely mitigate all possible vulnerabilities, you can limit which external services can access the staging endpoint ‘/CMSPages/Staging/SyncServer.asmx’ by editing the '' node in the config file under '/CMS/CMSPages/Web.config'. To deny access to all users, set 'authorization' to ''.

CVE record: CVE-2025-2747

Post-auth remote code execution

Wed, 05 Mar 2025 23:00:00 GMT

Staging media files could lead to Remote Code Execution on the target server.

Updated Lodash to the latest version

Wed, 26 Feb 2025 23:00:00 GMT

The Lodash JavaScript library used in the administration interface was updated to version 4.17.21 due to security vulnerabilities contained in the previously used version.

Authorization bypass in the staging service

Wed, 29 Jan 2025 23:00:00 GMT

An issue in the staging endpoint allowed attackers to bypass authorization using forged requests. This attack can be misused to gain complete control over the Xperience instance. We strongly recommend applying this hotfix as soon as possible. This issue affects instances with enabled staging using username and password authentication. As a temporary workaround, administrators can either disable staging on target servers or use X.509 authentication, which is not vulnerable, and limit which external services can access the ‘/CMSPages/Staging/SyncServer.asmx’ endpoint.

CVE record: CVE-2025-2746

Update of third-party dependencies

Wed, 15 Jan 2025 23:00:00 GMT

The hotfix updates System.Text.RegularExpressions, System.Net.Http, and several third-party dependencies of page and form builder scripts to newer versions that address vulnerabilities.

CKEditor update to v4.25.0

Wed, 08 Jan 2025 23:00:00 GMT

The hotfix updates the WYSIWYG editor used by the administration interface to version 4.25.0, which addresses security vulnerabilities in the previous version.

Update of third-party dependencies

Wed, 27 Nov 2024 23:00:00 GMT

The hotfix updates several third-party dependencies of page and form builder scripts to newer versions that address vulnerabilities.

Users unable to set 'secure' flag for administration cookies via web.config

Wed, 09 Oct 2024 22:00:00 GMT

The 'requireSSL' attribute on the 'httpCookies' web.config element was not reflected when setting cookies via 'CookieHelper.SetValue'. Instead, SSL was always disabled unless explicitly forced via the optional 'secure' parameter of the 'SetValue' method. The hotfix introduces a number of functional changes to the 'SetValue' method to correct this issue. Only .NET Framework projects are affected. See the hotfix instructions in the documentation for details.

Stored XSS in the Rich text editor component

Wed, 11 Sep 2024 22:00:00 GMT

The rich text editor component for the page and form builder was vulnerable to cross-site scripting attacks (XSS). To eliminate this vulnerability, entered URIs are validated and can contain only allowed schemes.

Reflected XSS in the Pages dashboard widget

Wed, 28 Aug 2024 22:00:00 GMT

The configuration dialog of the ‘Pages’ administration dashboard widget was vulnerable to reflected cross-site scripting attacks. To eliminate this vulnerability, all configuration values are now properly encoded.

Allowed admin hostnames disclosed via public endpoint

Wed, 21 Aug 2024 22:00:00 GMT

The list of allowed administration interface hostnames sent during authentication was disclosed to public users. After applying the hotfix, hostnames are no longer accessible.

Stored XSS in Form validation

Wed, 21 Aug 2024 22:00:00 GMT

Form validation rule configuration was vulnerable to stored Cross-Site-Scripting attacks. To eliminate this vulnerability, validation message is now properly encoded.

Stored XSS in shipping options configuration

Wed, 21 Aug 2024 22:00:00 GMT

This vulnerability was caused by the ability to enter malicious code into the configuration of shipping options. This could lead to cross-site scripting attacks resulting in potential theft of sensitive data. To correct this issue, support for HTML markup in the shipping options configured was removed.

Stored XSS in Checkbox form component

Wed, 14 Aug 2024 22:00:00 GMT

The Checkbox component in form builder was vulnerable to Cross-Site-Scripting attack (XSS). To eliminate this vulnerability, support for HTML in Checkbox component was removed.

Stored XSS in avatar upload feature

Wed, 14 Aug 2024 22:00:00 GMT

This vulnerability was caused by the file uploader that did not check the configuration of allowed extensions which could potentially lead to Cross-Site-Scripting attack (XSS). We fixed this issue by adding a check for extension of uploaded file, which effectively eliminated possibility of XSS.

'System.Security.Cryptography.Pkcs' NuGet package update

Wed, 19 Jun 2024 22:00:00 GMT

The hotfix updates the 'System.Security.Cryptography.Pkcs' NuGet package dependency to version 8.0.0.

Reflected XSS in the administration interface

Wed, 23 Aug 2023 22:00:00 GMT

A certain page in the administration interface was vulnerable to reflected XSS attacks. The vulnerability could only be exploited by authenticated users.

Stored XSS in the Localization application

Wed, 24 May 2023 22:00:00 GMT

It was possible to inject a malicious payload using the Localization application, which could affect several parts of the administration interface. By default, only users with the Global Administrator privilege could successfully execute the attack.

Reflected XSS in preview URLs

Wed, 10 May 2023 22:00:00 GMT

Page preview URLs were vulnerable to reflected XSS attacks due to improper processing. The vulnerability was exploitable only by authenticated users.

Update of third-party dependencies

Wed, 10 May 2023 22:00:00 GMT

The hotfix updates several third-party dependencies used by the system to later versions. See the hotfix instructions for the full list.

Information disclosure after a failed file upload

Wed, 25 Jan 2023 23:00:00 GMT

When specific conditions were met, and the server could not save an uploaded file (e.g., attachment, media library file), the displayed error message might have contained the filesystem path. After applying the hotfix, only a generic error message is displayed to the user. The full error with detailed information is logged to the event log.

Stored XSS in 'Localization' application

Wed, 25 Jan 2023 23:00:00 GMT

The listing of resource strings in the ‘Localization’ application was vulnerable to stored XSS attacks.

Update of System.Data.SqlClient library

Wed, 18 Jan 2023 23:00:00 GMT

Due to an information disclosure issue in the 'System.Data.SqlClient' library ([https://github.com/advisories/GHSA-8g2p-5pqh-5jmc),|https://github.com/advisories/GHSA-8g2p-5pqh-5jmc),|smart-link] this dependency in the product was updated to version 4.8.5. The 'System.Security.Permissions' and 'System.Security.AccessControl' NuGet packages are no longer needed by the CMSApp project, and we recommend uninstalling them from the project if no custom code depends on them.

Stored XSS through email templates

Tue, 06 Dec 2022 23:00:00 GMT

Administration users were able to inject stored XSS via email marketing templates.

Reflected XSS in the Rich text editor component

Thu, 03 Nov 2022 23:00:00 GMT

Administration input fields using the Rich text editor component were vulnerable to reflected XSS attacks.

CRLF Injection on page redirection

Thu, 01 Sep 2022 22:00:00 GMT

The routing engine was vulnerable to CRLF Injection when performing redirects due to improper encoding of the URL query string.

Cross-site scripting via form configuration

Thu, 23 Jun 2022 22:00:00 GMT

The ‘After the form is submitted > Redirect to URL' configuration for forms in the Xperience administration didn’t properly validate input. This could lead to cross-site scripting attacks.

HTML injection in Form emails

Wed, 01 Jun 2022 22:00:00 GMT

When a user submitted a form on the live site with a malicious HTML value, the form’s notification and autoresponder emails didn’t encode these values. That could lead to potential HTML injection if the recipient’s email client was configured to display HTML content. The hotfix introduces a new ‘CMSBizFormMailEncodeFields’ configuration key, which you can add to the project’s appsettings.json or web.config file. If set to true, autoresponder and notification emails encode the values of the submitted form’s fields. Add the key to both your live site and administration projects.

Denial of service caused by improper input validation

Thu, 07 Apr 2022 22:00:00 GMT

A specially crafted request sent to the GetResource handler may have been used to launch a denial-of-service attack. The vulnerability was fixed via input validation.

Administrators able to export Global administrator users

Thu, 07 Apr 2022 22:00:00 GMT

Users with the 'Administrator' privilege level were able to send requests that exported data about other users with the higher 'Global administrator' privilege level (this was not possible directly in the user interface). The export may have contained all user data stored in the database.

Cross-site scripting via file upload

Thu, 06 Jan 2022 23:00:00 GMT

Stored cross-site scripting could occur if a user uploaded a malicious XML file as a page attachment or metafile.

Cross-site scripting via file upload in media libraries

Thu, 09 Dec 2021 23:00:00 GMT

Stored cross-site scripting occurred if a user uploaded a malicious XML file into a media library.

SQL injection in certain macros

Thu, 25 Nov 2021 23:00:00 GMT

Certain online marketing macro methods contained an SQL injection vulnerability that could be abused by authenticated editors in the administration interface. Adding a malicious SQL query as a macro method parameter could allow unauthorized access to data or modifications in the database.

Flawed MIME type validation for uploaded files

Thu, 16 Sep 2021 22:00:00 GMT

Certain locations within the system allowed uploading of files with a spoofed Content-Type that did not match the file extension, which could lead to XSS vulnerability.

Self Cross-site scripting when submitting forms

Thu, 27 May 2021 22:00:00 GMT

A cross-site scripting vulnerability was present when submitting form data using the Form widget or on the Recorded data tab in the administration. Only the users submitting the form were affected by this vulnerability, therefore it is classified as self-XSS.