PT-2025-15090 · Kentico · Kentico Xperience

Published: 2025-04-06 · Updated: 2025-04-11 · CVE-2025-32370

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Kentico Xperience versions prior to 13.0.178
Description: Kentico Xperience allows unauthenticated uploads through ContentUploader, restricted to a specific set of allowed file extensions. However, because uploaded .zip files are processed by TryZipProviderSafe, the archive handling can create files with extensions outside that allowed set. This is a separate issue, not necessarily related to SVG or XSS.
Recommendations: For Kentico Xperience versions prior to 13.0.178, update to version 13.0.178 or later to resolve the issue. As a temporary workaround, restrict access to the ContentUploader functionality to minimize the risk of exploitation, and avoid using the TryZipProviderSafe functionality for unauthenticated uploads until the update is applied.
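The weakness described above is an extension allow-list that governs the uploaded file but not the files an uploaded archive expands into. The following Python is an added illustration of the check an upload handler needs for that case; it is not Kentico code and does not reproduce TryZipProviderSafe. The ALLOWED_EXTENSIONS set, the upload-root path rule and the sample archive are constructed assumptions. Every archive member is vetted against the same allow-list used for direct uploads, plus a path-traversal check, before anything is written to disk.

```python
"""Per-entry extension and path vetting for an uploaded zip archive.

Added example for the advisory above; hypothetical, not Kentico's code.
The archive below is constructed in memory so the script runs offline.
"""
import io
import posixpath
import zipfile

# Hypothetical allow-list for a public uploader (assumption for this example).
# A container format such as .zip is deliberately absent, so a nested archive
# fails the check instead of being expanded again.
ALLOWED_EXTENSIONS = {".jpg", ".png", ".gif", ".pdf"}


def is_allowed_name(name: str) -> bool:
    """True only if creating this entry under the upload root is acceptable.

    Rejects absolute paths, parent-directory escapes (after normalisation,
    so 'photos/../../x.jpg' is caught too), backslash separators, and any
    extension outside ALLOWED_EXTENSIONS. Comparison is case-insensitive.
    """
    if "\\" in name or "\x00" in name:
        return False
    norm = posixpath.normpath(name)
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        return False
    ext = posixpath.splitext(norm)[1].lower()
    return ext in ALLOWED_EXTENSIONS


def vet_archive(data: bytes) -> tuple[list[str], list[str]]:
    """Return (accepted, rejected) member names without extracting anything."""
    accepted: list[str] = []
    rejected: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = accepted if is_allowed_name(info.filename) else rejected
            target.append(info.filename)
    return accepted, rejected


def archive_is_safe(data: bytes) -> bool:
    """Policy used here: one disallowed member rejects the whole upload."""
    _, rejected = vet_archive(data)
    return not rejected


def build_sample_archive() -> bytes:
    """Constructed sample: two allowed images, one disallowed type, one path escape."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos/a.jpg", b"\xff\xd8\xff")
        zf.writestr("photos/b.PNG", b"\x89PNG")
        zf.writestr("photos/page.html", b"<html></html>")
        zf.writestr("../../outside.txt", b"escape attempt")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    acc, rej = vet_archive(sample)
    print("accepted:", acc)
    print("rejected:", rej)
    print("upload safe:", archive_is_safe(sample))
```

The check runs over the archive's central directory before extraction, so no member is written and then cleaned up; with the sample archive the two images pass, the .html member and the traversal entry fail, and the upload as a whole is refused. Validating the uploaded container's own extension is not enough, because it is the expanded members that end up on disk.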

Exploit

Fix

Weakness Enumeration: Hidden Functionality; Unrestricted File Upload

Related Identifiers: CVE-2025-32370

Affected Products: Kentico Xperience