Kentico Xperience <= 13.0.56 File Upload Stored XSS

Advisories

severity: medium
date: December 18, 2025
Affecting: Xperience <= 13.0.56
CVE: CVE-2022-50685
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS: 5.1
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
References: Kentico DevNet Hotfixes
Credit: Kentico Security Team
Description: A stored cross-site scripting vulnerability in Kentico Xperience allows authenticated users to inject malicious scripts via XML file uploads as page attachments or metafiles. Attackers can upload malicious XML files that enable stored XSS, allowing malicious scripts to execute in users' browsers.