CVE-2025-5591
Unknown Unknown - Not Provided

Stored XSS in Kentico Xperience 13 Form Component Enables Session Hijack

Vulnerability report for CVE-2025-5591, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-05

Last updated on: 2026-01-05

Assigner: The Missing Link Australia (TML)

Description

Kentico Xperience 13 is vulnerable to a stored cross-site scripting attack via a form component, allowing an attacker to hijack a victim user’s session and perform actions in their security context.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-05
Last Modified
2026-01-05
Generated
2026-07-06
AI Q&A
2026-01-05
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
kentico xperience to 13.0.167 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1188 The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2025-5591 is a stored cross-site scripting (XSS) vulnerability in Kentico Xperience 13. It occurs in a form component where an attacker can inject malicious scripts that are stored and later executed in the context of a victim user's session. This allows the attacker to hijack the victim's session and perform actions with the victim's security privileges. [1]

Impact Analysis

This vulnerability can impact you by allowing an attacker to hijack your user session and perform unauthorized actions on your behalf within Kentico Xperience 13. This means the attacker could potentially access sensitive information or manipulate data using your security context. [1]

Mitigation Strategies

Mitigation involves changing Kentico’s default configuration according to the vendor’s advisory and updating Kentico Xperience 13 to version 13.0.167 or later. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-5591. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart