Kentico Xperience <= 13.0.92 Email Marketing Stored XSS

Advisories

severity: medium
date: December 18, 2025
Affecting: Xperience <= 13.0.92
CVE: CVE-2022-50680
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS: 5.1
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
References: Kentico DevNet Hotfixes
Credit: Kentico Security Team
Description: A stored cross-site scripting vulnerability in Kentico Xperience allows administration users to inject malicious scripts via email marketing templates. Attackers can exploit this vulnerability to execute malicious scripts that could compromise user browsers and steal sensitive information.