PT-2025-30893 · Sitecore · Sitecore Experience Manager, Sitecore Experience Platform, Sitecore Experience Commerce, Sitecore Managed Cloud
Vendor: Sitecore
Published: 2025-07-25 · Updated: 2025-11-12
CVE ID: CVE-2025-34138
CVSS v4.0: 9.3 (Critical)
CVSS v4.0 vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Sitecore Experience Manager (XM) versions 9.2 Initial Release through 10.4 Initial Release
Sitecore Experience Platform (XP) versions 9.2 Initial Release through 10.4 Initial Release
Sitecore Experience Commerce (XC) versions 9.2 Initial Release through 10.4 Initial Release
Sitecore Managed Cloud versions 9.2 Initial Release through 10.4 Initial Release
Description
A vulnerability exists that could allow remote code execution or unauthorized access to information. This affects all Experience Platform topologies (XM, XP, XC). PaaS and containerized solutions are similarly affected.
Recommendations
Update Sitecore Experience Manager (XM) to a version later than 10.4 Initial Release.
Update Sitecore Experience Platform (XP) to a version later than 10.4 Initial Release.
Update Sitecore Experience Commerce (XC) to a version later than 10.4 Initial Release.
Update Sitecore Managed Cloud to a version later than 10.4 Initial Release.
Status and tags: Fix · RCE · Code Injection
Affected Products
Sitecore Experience Commerce
Sitecore Experience Manager
Sitecore Experience Platform
Sitecore Managed Cloud