cvebase

Sitecore Experience Platform vulnerabilities

25 known vulnerabilities affecting sitecore/experience_platform.

Total CVEs: 25
CISA KEV: 3 (actively exploited)
Public exploits: 11
Exploited in wild: 8
Severity breakdown: CRITICAL 6, HIGH 14, MEDIUM 5

Vulnerabilities

Page 2 of 2
CVE-2023-26262 | P3 | HIGH | CVSS 7.2 | fixed in 10.3 | 2023-03-14
CVE-2023-26262 [HIGH] CWE-434: An issue was discovered in Sitecore XP/XM 10.3. As an authenticated Sitecore user, an unrestricted language file upload vulnerability exists that can lead to direct code execution on the content management (CM) server.
Source: NVD
CVE-2015-10142 | P3 | MEDIUM | CVSS 6.9 | fixed in 8.0 Initial Release (rev. 141212) | 2025-07-25
CVE-2015-10142 [MEDIUM] CWE-610: Sitecore Experience Platform (XP) prior to 8.0 Initial Release (rev. 141212) and Content Management System (CMS) prior to 7.2 Update-3 (rev. 141226) and prior to 7.5 Update-1 (rev. 150130) contain a vulnerability that may allow an attacker to download files under the web root of the site when the name of the file is already known via a specially-craf
Source: NVD
CVE-2023-27066 | P3 | MEDIUM | CVSS 6.5 | ≤ 10.2 | 2023-05-22
CVE-2023-27066 [MEDIUM] CWE-22: Directory Traversal vulnerability in Sitecore Experience Platform 10.2 and earlier allows authenticated remote attackers to download arbitrary files via Urlhandle.
Source: NVD
CVE-2025-53692 | P4 | HIGH | CVSS 7.1 | ≥ 9.2, ≤ 10.4 | 2025-09-21
CVE-2025-53692 [HIGH] CWE-79: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Sitecore Experience Manager (XM) and Sitecore Experience Platform (XP) allows Cross-Site Scripting (XSS). This issue affects Sitecore Experience Manager (XM): from 9.2 through 10.4; Experience Platform (XP): from 9.2 through 10.4.
Source: NVD
CVE-2022-4979 | P4 | MEDIUM | CVSS 5.1 | ≥ 7.5 Initial Release, ≤ 7.5 Update-2; ≥ 8.0 Initial Release, ≤ 8.0 Update-7; +9 more | 2025-07-25
CVE-2022-4979 [MEDIUM] CWE-79: A cross-site scripting (XSS) vulnerability exists in Sitecore Experience Platform (XP) 7.5 - 10.2 and CMS 7.2 - 7.2 Update-6 that may allow authenticated Sitecore Shell users to be tricked into executing custom JS code. Managed Cloud Standard customers who run the affected Sitecore Experience Platform / CMS versions are also affected.
Source: NVD