CVE-2023-26262

HIGH

Sitecore Experience Manager < 10.3 - Authenticated Unrestricted File Upload

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-26262. PoCs published by istern.

AI-analyzed exploit summary This repository provides a detailed technical writeup on CVE-2023-26262, an authenticated file upload vulnerability in Sitecore 10.3. It includes step-by-step reproduction instructions, screenshots, and remediation guidance, demonstrating a clear understanding of the vulnerability mechanics.

Description

An issue was discovered in Sitecore XP/XM 10.3. As an authenticated Sitecore user, a unrestricted language file upload vulnerability exists the can lead to direct code execution on the content management (CM) server.

Exploits (1)

nomisec WRITEUP
by istern · poc
https://github.com/istern/CVE-2023-26262

This repository provides a detailed technical writeup on CVE-2023-26262, an authenticated file upload vulnerability in Sitecore 10.3. It includes step-by-step reproduction instructions, screenshots, and remediation guidance, demonstrating a clear understanding of the vulnerability mechanics.

Classification
Writeup 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Sitecore 10.3
Auth required
Prerequisites: Valid Sitecore credentials · Access to the Sitecore control panel
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Mitigation, Third Party Advisory
https://github.com/istern/CVE-2023-26262

Scores

CVSS v3 7.2
EPSS 0.0166
EPSS Percentile 73.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-434
Status published
Products (2)
sitecore/experience_manager < 10.3
sitecore/experience_platform < 10.3
Published Mar 14, 2023
Tracked Since Feb 18, 2026