Skip to main content

Experience Platform

21 CVEs product

Monthly

CVE-2025-53690 CRITICAL POC KEV THREAT Act Now

Sitecore Experience Manager/Platform through version 9.0 contains a deserialization vulnerability enabling code injection through untrusted data processing.

Deserialization Experience Commerce Experience Manager Experience Platform Managed Cloud
NVD
CVSS 3.1
9.0
EPSS
9.3%
CVE-2025-53694 HIGH POC This Week

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP).2 through 10.4; Experience Platform (XP): from. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Experience Commerce Experience Manager Experience Platform Managed Cloud
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-53693 CRITICAL POC Act Now

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Cache. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Experience Commerce Experience Manager Experience Platform Managed Cloud
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-53691 HIGH POC This Week

Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Remote Code Execution (RCE).0 through 9.3, from 10.0 through 10.4;. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Experience Commerce Experience Manager Experience Platform +1
NVD
CVSS 3.1
8.8
EPSS
3.3%
CVE-2025-34511 HIGH POC THREAT Act Now

Sitecore PowerShell Extensions through version 7.0 allows authenticated users to upload arbitrary files including ASPX webshells via crafted HTTP requests. The unrestricted file upload bypasses content type restrictions, enabling remote code execution on the Sitecore IIS server with any authenticated account.

File Upload RCE Experience Manager Experience Commerce Experience Platform +1
NVD
CVSS 3.1
8.8
EPSS
78.7%
Threat
5.6
CVE-2025-34510 HIGH POC THREAT Act Now

Sitecore Experience Manager, Platform, and Commerce versions 9.0 through 10.4 contain a Zip Slip vulnerability that allows authenticated attackers to write arbitrary files outside the intended upload directory. By crafting ZIP archives with path traversal entries, attackers can overwrite application files and achieve remote code execution.

RCE Path Traversal Managed Cloud Experience Manager Experience Commerce +1
NVD
CVSS 3.1
8.8
EPSS
87.3%
Threat
5.9
CVE-2025-34509 HIGH POC PATCH THREAT Act Now

Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 through 10.4.1 contain a hardcoded administrative user account that allows unauthenticated remote attackers to gain unauthorized access to sensitive administrative APIs over HTTP without authentication. This vulnerability has a CVSS score of 7.5 (High) and enables confidentiality breach through direct API access; exploitation likelihood is high due to the low attack complexity and lack of authentication requirements.

Information Disclosure Experience Commerce Managed Cloud Experience Manager Experience Platform
NVD
CVSS 3.1
7.5
EPSS
23.2%
CVE-2024-46938 HIGH POC THREAT This Week

An issue was discovered in Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) 8.0 Initial Release through 10.4 Initial Release. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Experience Commerce Experience Manager Experience Platform
NVD
CVSS 3.1
7.5
EPSS
46.1%
CVE-2023-35813 CRITICAL POC PATCH THREAT Act Now

Multiple Sitecore products allow remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Experience Commerce Experience Manager Experience Platform +1
NVD
CVSS 3.1
9.8
EPSS
86.7%
CVE-2023-33653 HIGH POC This Week

Sitecore Experience Platform (XP) v9.3 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the component. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Experience Platform
NVD
CVSS 3.1
8.8
EPSS
2.1%
CVE-2023-33652 HIGH POC This Week

Sitecore Experience Platform (XP) v9.3 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the component /sitecore/shell/Invoke.aspx. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Experience Platform
NVD
CVSS 3.1
8.8
EPSS
2.5%
CVE-2023-33651 HIGH POC This Week

An issue in the MVC Device Simulator of Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) v9.0 Initial Release to v13.0 Initial Release allows attackers to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Experience Commerce Experience Manager Experience Platform Managed Cloud
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2023-27068 CRITICAL POC Act Now

Deserialization of Untrusted Data in Sitecore Experience Platform through 10.2 allows remote attackers to run arbitrary code via ValidationResult.aspx. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Experience Platform
NVD
CVSS 3.1
9.8
EPSS
1.7%
CVE-2023-27067 HIGH POC This Week

Directory Traversal vulnerability in Sitecore Experience Platform through 10.2 allows remote attackers to download arbitrary files via crafted command to download.aspx. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Experience Platform
NVD
CVSS 3.1
7.5
EPSS
1.6%
CVE-2023-27066 MEDIUM POC This Month

Directory Traversal vulnerability in Site Core Experience Platform 10.2 and earlier allows authenticated remote attackers to download arbitrary files via Urlhandle. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Experience Platform
NVD
CVSS 3.1
6.5
EPSS
1.5%
CVE-2023-26262 HIGH POC This Week

An issue was discovered in Sitecore XP/XM 10.3. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Experience Manager Experience Platform
NVD GitHub
CVSS 3.1
7.2
EPSS
1.7%
CVE-2021-42237 CRITICAL POC KEV THREAT Emergency

Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Deserialization Experience Platform
NVD VulDB
CVSS 3.1
9.8
EPSS
99.2%
Threat
7.9
CVE-2019-13493 MEDIUM POC This Month

In Sitecore 9.0 rev 171002, Persistent XSS exists in the Media Library and File Manager. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Experience Platform
NVD Exploit-DB
CVSS 3.0
5.4
EPSS
1.6%
CVE-2019-11080 HIGH POC THREAT This Week

Sitecore Experience Platform (XP) prior to 9.1.1 is vulnerable to remote code execution via deserialization, aka TFS # 293863. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Experience Platform
NVD GitHub Exploit-DB
CVSS 3.0
8.8
EPSS
14.2%
CVE-2019-9874 CRITICAL POC KEV THREAT Act Now

Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF RCE Deserialization Cms Experience Platform
NVD
CVSS 3.1
9.8
EPSS
83.9%
CVE-2016-8855 MEDIUM POC This Month

Cross-Site Scripting (XSS) in "/sitecore/client/Applications/List Manager/Taskpages/Contact list" in Sitecore Experience Platform 8.1 rev. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Experience Platform
NVD Exploit-DB
CVSS 3.0
6.1
EPSS
0.3%
EPSS 9% CVSS 9.0
CRITICAL POC KEV THREAT Act Now

Sitecore Experience Manager/Platform through version 9.0 contains a deserialization vulnerability enabling code injection through untrusted data processing.

Deserialization Experience Commerce Experience Manager +2
NVD
EPSS 0% CVSS 7.5
HIGH POC This Week

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP).2 through 10.4; Experience Platform (XP): from. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Experience Commerce Experience Manager +2
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Cache. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Experience Commerce Experience Manager +2
NVD
EPSS 3% CVSS 8.8
HIGH POC This Week

Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Remote Code Execution (RCE).0 through 9.3, from 10.0 through 10.4;. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Experience Commerce +3
NVD
EPSS 79% 5.6 CVSS 8.8
HIGH POC THREAT Act Now

Sitecore PowerShell Extensions through version 7.0 allows authenticated users to upload arbitrary files including ASPX webshells via crafted HTTP requests. The unrestricted file upload bypasses content type restrictions, enabling remote code execution on the Sitecore IIS server with any authenticated account.

File Upload RCE Experience Manager +3
NVD
EPSS 87% 5.9 CVSS 8.8
HIGH POC THREAT Act Now

Sitecore Experience Manager, Platform, and Commerce versions 9.0 through 10.4 contain a Zip Slip vulnerability that allows authenticated attackers to write arbitrary files outside the intended upload directory. By crafting ZIP archives with path traversal entries, attackers can overwrite application files and achieve remote code execution.

RCE Path Traversal Managed Cloud +3
NVD
EPSS 23% CVSS 7.5
HIGH POC PATCH THREAT Act Now

Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 through 10.4.1 contain a hardcoded administrative user account that allows unauthenticated remote attackers to gain unauthorized access to sensitive administrative APIs over HTTP without authentication. This vulnerability has a CVSS score of 7.5 (High) and enables confidentiality breach through direct API access; exploitation likelihood is high due to the low attack complexity and lack of authentication requirements.

Information Disclosure Experience Commerce Managed Cloud +2
NVD
EPSS 46% CVSS 7.5
HIGH POC THREAT This Week

An issue was discovered in Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) 8.0 Initial Release through 10.4 Initial Release. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Experience Commerce Experience Manager +1
NVD
EPSS 87% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Multiple Sitecore products allow remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Experience Commerce +3
NVD
EPSS 2% CVSS 8.8
HIGH POC This Week

Sitecore Experience Platform (XP) v9.3 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the component. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Experience Platform
NVD
EPSS 2% CVSS 8.8
HIGH POC This Week

Sitecore Experience Platform (XP) v9.3 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the component /sitecore/shell/Invoke.aspx. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Experience Platform
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

An issue in the MVC Device Simulator of Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) v9.0 Initial Release to v13.0 Initial Release allows attackers to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Experience Commerce Experience Manager +2
NVD
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

Deserialization of Untrusted Data in Sitecore Experience Platform through 10.2 allows remote attackers to run arbitrary code via ValidationResult.aspx. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Experience Platform
NVD
EPSS 2% CVSS 7.5
HIGH POC This Week

Directory Traversal vulnerability in Sitecore Experience Platform through 10.2 allows remote attackers to download arbitrary files via crafted command to download.aspx. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Experience Platform
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

Directory Traversal vulnerability in Site Core Experience Platform 10.2 and earlier allows authenticated remote attackers to download arbitrary files via Urlhandle. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Experience Platform
NVD
EPSS 2% CVSS 7.2
HIGH POC This Week

An issue was discovered in Sitecore XP/XM 10.3. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Experience Manager +1
NVD GitHub
EPSS 99% 7.9 CVSS 9.8
CRITICAL POC KEV THREAT Emergency

Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Deserialization Experience Platform
NVD VulDB
EPSS 2% CVSS 5.4
MEDIUM POC This Month

In Sitecore 9.0 rev 171002, Persistent XSS exists in the Media Library and File Manager. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Experience Platform
NVD Exploit-DB
EPSS 14% CVSS 8.8
HIGH POC THREAT This Week

Sitecore Experience Platform (XP) prior to 9.1.1 is vulnerable to remote code execution via deserialization, aka TFS # 293863. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Experience Platform
NVD GitHub Exploit-DB
EPSS 84% CVSS 9.8
CRITICAL POC KEV THREAT Act Now

Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF RCE Deserialization +2
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Cross-Site Scripting (XSS) in "/sitecore/client/Applications/List Manager/Taskpages/Contact list" in Sitecore Experience Platform 8.1 rev. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Experience Platform
NVD Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy