CVE-2025-2748
MEDIUM EXPLOITED NUCLEIKentico Xperience CMS - Unauthenticated Stored XSS
Title source: nucleiDescription
The Kentico Xperience application does not fully validate or filter files uploaded via the multiple-file upload functionality, which allows for stored XSS.This issue affects Kentico Xperience through 13.0.178.
Exploits (1)
nomisec
WORKING POC
1 stars
by xirtam2669 · client-side
https://github.com/xirtam2669/Kentico-Xperience-before-13.0.178---XSS-POC
Nuclei Templates (1)
Kentico Xperience CMS - Unauthenticated Stored XSS
MEDIUMVERIFIEDby iamnoooob,rootxharsh,pdresearch
FOFA:
app="Kentico-CMS"
References (1)
Scores
CVSS v3
6.1
EPSS
0.0019
EPSS Percentile
40.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
VulnCheck KEV
2025-06-07
CWE
CWE-434
CWE-79
Status
published
Products (1)
kentico/xperience
< 13.0.178
Published
Mar 24, 2025
Tracked Since
Feb 18, 2026