CVE-2017-17736 — CVSS 9.8 (critical): Kentico 9.0 before 9.0.51 and 10.0 before 10.0.48 allows remote attackers to obtain Global Administrator access by visiting…
CVE-2019-12102 — CVSS 9.1 (critical): Kentico 11 through 12 lets attackers upload and explore files without authentication via the cmsmodules/medialibrary/formcontrols/liveselect…
CVE-2019-25229 — CVSS 8.8 (high): An unrestricted file upload vulnerability in Kentico Xperience allows authenticated users with 'Read data' permissions to upload arbitrary…
CVE-2021-47711 — CVSS 8.8 (high): A SQL injection vulnerability in Kentico Xperience allows authenticated editors to inject malicious SQL queries via online marketing macro…
CVE-2025-2794: An unsafe reflection vulnerability in Kentico Xperience allows an unauthenticated attacker to kill the current process, leading to a…
CVE-2018-5282 — CVSS 7.8 (high): Kentico 9.0 through 11.0 has a stack-based buffer overflow via the SqlName, SqlPswd, Database, UserName, or Password field in a…
CVE-2023-53934 — CVSS 7.5 (high): A denial of service vulnerability in Kentico Xperience allows attackers to launch DoS attacks via specially crafted requests to the…
CVE-2022-50686 — CVSS 7.5 (high): An information disclosure vulnerability in Kentico Xperience allows attackers to view sensitive stack trace details via Portal Engine form…
CVE-2021-47712 — CVSS 7.5 (high): A cryptography vulnerability in Kentico Xperience allows attackers to potentially manipulate URL hash values through existing hashing…
CVE-2022-32387 — CVSS 7.5 (high): In Kentico before 13.0.66, attackers can achieve Denial of Service via a crafted request to the GetResource handler.
CVE-2025-32370 — CVSS 7.2 (high): Kentico Xperience before 13.0.178 has a specific set of allowed ContentUploader file extensions for unauthenticated uploads; however…
CVE-2018-7046 — CVSS 7.2 (high): Arbitrary code execution vulnerability in Kentico 9 through 11 allows remote authenticated users to execute arbitrary operating system…
CVE-2020-36890 — CVSS 7.2 (high): An access control bypass vulnerability in Kentico Xperience allows administrators to modify global administrator user privileges via…
CVE-2018-6843 — CVSS 7.2 (high): Kentico 10 before 10.0.50 and 11 before 11.0.3 has SQL injection in the administration interface.
CVE-2019-6242 — CVSS 7.2 (high): Kentico v10.0.42 allows Global Administrators to read the cleartext SMTP Password by navigating to the SMTP configuration page. NOTE: the…
CVE-2021-43991 — CVSS 6.8 (medium): The Kentico Xperience CMS version 13.0 – 13.0.43 is vulnerable to a persistent Cross-Site Scripting (XSS) vulnerability (also known as…
CVE-2022-50682 — CVSS 6.5 (medium): A CRLF injection vulnerability in Kentico Xperience allows attackers to manipulate URL query string redirects via improper encoding in the…
CVE-2025-32369 — CVSS 6.4 (medium): Kentico Xperience before 13.0.181 allows authenticated users to distribute malicious content (for stored XSS) via certain interactions with…
CVE-2024-58319 — CVSS 6.1 (medium): A reflected cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the Pages dashboard…
CVE-2022-50681 — CVSS 6.1 (medium): A reflected cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via administration input…
CVE-2022-50684 — CVSS 6.1 (medium): An HTML injection vulnerability in Kentico Xperience allows attackers to inject malicious HTML values into form submission emails via…
CVE-2024-58318 — CVSS 6.1 (medium): A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the rich text editor…
CVE-2025-2748 — CVSS 6.1 (medium): The Kentico Xperience application does not fully validate or filter files uploaded via the multiple-file upload functionality, which allows…
CVE-2022-50685 — CVSS 5.4 (medium): A stored cross-site scripting vulnerability in Kentico Xperience allows authenticated users to inject malicious scripts via XML file…
CVE-2023-53736 — CVSS 5.4 (medium): A reflected cross-site scripting vulnerability in Kentico Xperience allows authenticated users to inject malicious scripts in the…
CVE-2020-36891 — CVSS 5.4 (medium): A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to upload files with spoofed Content-Type that do not…
CVE-2024-58321 — CVSS 5.4 (medium): A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via form validation rule…
CVE-2024-58322 — CVSS 5.4 (medium): A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious code into shipping options…
CVE-2024-58323 — CVSS 5.4 (medium): A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the Checkbox form…
CVE-2020-36889 — CVSS 5.4 (medium): A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via error messages containing…
CVE-2025-5591 — CVSS 5.4 (medium): Kentico Xperience 13 is vulnerable to a stored cross-site scripting attack via a form component, allowing an attacker to hijack a victim…
CVE-2019-19493 — CVSS 5.4 (medium): Kentico before 12.0.50 allows file uploads in which the Content-Type header is inconsistent with the file extension, leading to XSS.
CVE-2022-50683 — CVSS 5.4 (medium): A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via form redirect URL…
CVE-2023-53738 — CVSS 5.4 (medium): A reflected cross-site scripting vulnerability in Kentico Xperience allows authenticated users to inject malicious scripts via page preview…
CVE-2018-6842 — CVSS 5.4 (medium): Kentico 10 before 10.0.50 and 11 before 11.0.3 has XSS in which a crafted URL results in improper construction of a system page.
CVE-2019-25228 — CVSS 5.3 (medium): An information disclosure vulnerability in Kentico Xperience allows attackers to leak virtual context URLs via the HTTP Referer header when…
CVE-2024-58320 — CVSS 5.3 (medium): An information disclosure vulnerability in Kentico Xperience allows public users to access sensitive administration interface hostname…
CVE-2024-58317 — CVSS 5.3 (medium): A cookie security configuration vulnerability in Kentico Xperience allows attackers to bypass SSL requirements when setting administration…
CVE-2022-29287 — CVSS 4.9 (medium): Kentico CMS before 13.0.66 has an Insecure Direct Object Reference vulnerability. It allows an attacker with user management rights…
CVE-2023-53737 — CVSS 4.8 (medium): A stored cross-site scripting vulnerability in Kentico Xperience allows global administrators to inject malicious payloads via the…
CVE-2022-50680 — CVSS 4.8 (medium): A stored cross-site scripting vulnerability in Kentico Xperience allows administration users to inject malicious scripts via email…
CVE-2018-7205 — CVSS 4.8 (medium): Reflected Cross-Site Scripting vulnerability in "Design" on "Edit device layout" in Kentico 9 through 11 allows remote attackers to execute…
CVE-2019-25230 — CVSS 4.3 (medium): An information disclosure vulnerability in Kentico Xperience allows authenticated users to view sensitive system objects through the live…