PT-2025-12670 · Kentico · Kentico Xperience
Piotr Bazydlo · Published 2025-03-24 · Updated 2025-12-27 · CVE-2025-2748
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Kentico Xperience versions prior to 13.0.178

Description: The Kentico Xperience application does not fully validate or filter files uploaded through the multiple-file upload functionality. This insufficient validation allows stored Cross-Site Scripting (XSS). Exploitation of this issue can potentially lead to Remote Code Execution (RCE) by abusing custom file handlers. The vulnerability is triggered by uploading specially crafted files, such as ZIP archives containing malicious SVG files, which can then be used to execute arbitrary JavaScript code.

Recommendations: Versions prior to 13.0.178 should be updated to version 13.0.178 or later.

Tags: Fix · RCE · XSS · Unrestricted File Upload


Weakness Enumeration

Related Identifiers: CVE-2025-2748

Affected Products: Kentico Xperience