CVE-2024-46938

HIGH EXPLOITED NUCLEI

Sitecore Experience Platform, Experience Manager, and Experience Commerce 8.0-10.4 - Unauthenticated Arbitrary File Read

Title source: llm

Exploitation Summary

CVE-2024-46938 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.

Description

An issue was discovered in Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) 8.0 Initial Release through 10.4 Initial Release. An unauthenticated attacker can read arbitrary files.

Nuclei Templates (1)

Sitecore Experience Platform <= 10.4 - Arbitrary File Read

HIGHVERIFIEDby DhiyaneshDK

Shodan: http.title:"sitecore"

FOFA: title="sitecore"

References (1)

Core 1

Core References

Vendor Advisory

https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003408

Scores

CVSS v3 7.5

EPSS 0.4490

EPSS Percentile 98.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

VulnCheck KEV 2025-06-07

CWE

CWE-200

Status published

Products (3)

sitecore/experience_commerce 8.0 - 10.4

sitecore/experience_manager 8.0 - 10.4

sitecore/experience_platform 8.0 - 10.4

Published Sep 15, 2024

Tracked Since Feb 18, 2026