CVE-2023-35813

CRITICAL EXPLOITED NUCLEI

Sitecore Experience Manager, Experience Platform, Experience Commerce < 10.3 - Remote Code Execution

Exploitation Summary

CVE-2023-35813 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 5 public exploits from researchers including aalexpereira, BagheeraAltered, her3ticAVI. A Nuclei detection template is also available.

Description

Multiple Sitecore products allow remote code execution. This affects Experience Manager, Experience Platform, and Experience Commerce through 10.3.

Exploits (5)

nomisec WORKING POC 8 stars
by aalexpereira · remote
https://github.com/aalexpereira/CVE-2023-35813

This Go-based exploit targets CVE-2023-35813, a vulnerability in Sitecore's XAML parsing functionality. It sends crafted HTTP requests to trigger arbitrary code execution via deserialization, then attempts to dump database connection strings.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Sitecore CMS (versions affected by CVE-2023-35813)
No auth needed
Prerequisites: Network access to the target Sitecore instance · Vulnerable endpoint exposed (/sitecore_xaml.ashx)
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 5 stars
by BagheeraAltered · remote
https://github.com/BagheeraAltered/CVE-2023-35813-PoC

This PoC exploits CVE-2023-35813, a critical RCE vulnerability in Sitecore's XAML parser. It encodes a command via a custom URL encoding scheme and sends it to a vulnerable endpoint to achieve remote code execution.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Sitecore (specific version not specified)
No auth needed
Prerequisites: Vulnerable Sitecore instance · Network access to the target
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER 3 stars
by her3ticAVI · infoleak
https://github.com/her3ticAVI/CVE-2023-35813

This repository contains a scanner for CVE-2023-35813, which checks if a Sitecore instance is vulnerable by analyzing the server's response header for a specific modification. The script sends a crafted payload to the target and checks if the response contains a specific Content-Type header.

Classification: Scanner 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Sitecore
No auth needed
Prerequisites: Network access to the target Sitecore instance
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by nmlz · poc
https://github.com/nmlz/CVE-2023-35813_PoC

This repository contains a functional exploit PoC for CVE-2023-35813, targeting a Sitecore XAML deserialization vulnerability. The exploit sends a crafted POST request to trigger remote code execution via the `__PARAMETERS` field.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Sitecore XP (versions affected by CVE-2023-35813)
No auth needed
Prerequisites: Network access to the target Sitecore instance · Vulnerable Sitecore XP version
devstral-2 · analyzed May 28, 2026

nomisec WORKING POC
by Rezy-Dev · remote
https://github.com/Rezy-Dev/CVE-2023-35813

This is a functional PoC for CVE-2023-35813, a Sitecore RCE vulnerability. It demonstrates content type and status code injection via crafted payloads, with detailed response analysis and credential highlighting.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Sitecore
No auth needed
Prerequisites: Network access to the target Sitecore instance · Vulnerable Sitecore version
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Sitecore - Remote Code Execution
CRITICAL · by DhiyaneshDk, iamnoooob
Shodan: title:"Sitecore" || http.title:"sitecore"
FOFA: title="sitecore"

Scores

CVSS v3: 9.8
EPSS: 0.8550
EPSS Percentile: 99.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

VulnCheck KEV: 2024-01-22
CWE: CWE-94
Status: published
Products (4):
sitecore/experience_commerce 8.2 - 10.3
sitecore/experience_manager 8.2 - 10.3
sitecore/experience_platform 8.2 - 10.3
sitecore/managed_cloud 8.2 - 10.3
Published: Jun 17, 2023
Tracked Since: Feb 18, 2026