CISA Known Exploited Vulnerability (KEV)
Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability
September 4, 2025
September 25, 2025
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Description
Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.
References
Weakness Enumeration
| CWE-ID | CWE Name |
|---|---|
|
CWE-502 |
Deserialization of Untrusted Data |