CVE-2025-32370
HIGHDescription
Kentico Xperience before 13.0.178 has a specific set of allowed ContentUploader file extensions for unauthenticated uploads; however, because .zip is processed through TryZipProviderSafe, there is additional functionality to create files with other extensions. NOTE: this is a separate issue not necessarily related to SVG or XSS.
Is your site exposed to CVE-2025-32370?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| kentico | xperience |
References
Frequently Asked Questions
What is CVE-2025-32370? +
How severe is CVE-2025-32370? +
What products are affected by CVE-2025-32370? +
How do I check if I'm vulnerable to CVE-2025-32370? +
Related Vulnerabilities
Improper Validation of Integrity Check Value vulnerability in Sharp Display Solutions projectors allows a attacker may create and run unauthorized …
An insufficiently secured internal function allows session generation for arbitrary users. The decodeParam function checks the JWT but does not …
Longse model LBH30FE200W cameras, as well as products based on this device, provide an unrestricted access for an attacker located …
The "update" binary in the firmware of the affected product sends attempts to mount to a hard-coded, routable IP address, …
A remote code execution vulnerability exists in multiple Netcore and Netis routers models with firmware released prior to August 2014 …
A static login vulnerability exists in the wctrls functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted set of network packets …