Kentico Xperience <= 13.0.71 Form Emails HTML Injection

Advisories

severity: medium
date: December 18, 2025
Affecting: Xperience <= 13.0.71
CVE: CVE-2022-50684
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS: 5.1
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
References: Kentico DevNet Hotfixes
Credit: Liam Goldfinch (NetConstruct)
Description: An HTML injection vulnerability in Kentico Xperience allows attackers to inject malicious HTML values into form submission emails via unencoded form fields. Unencoded form values could enable HTML content execution in recipient email clients, potentially compromising email security.