CVE-2025-5591
Stored XSS in Kentico Xperience 13 Form Component Enables Session Hijack
Publication date: 2026-01-05
Last updated on: 2026-01-05
Assigner: The Missing Link Australia (TML)
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kentico | xperience | before 13.0.167 (13.0.167 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1188 | The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-5591 is a stored cross-site scripting (XSS) vulnerability in Kentico Xperience 13. It occurs in a form component where an attacker can inject malicious scripts that are stored and later executed in the context of a victim user's session. This allows the attacker to hijack the victim's session and perform actions with the victim's security privileges. [1]
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to hijack your user session and perform unauthorized actions on your behalf within Kentico Xperience 13. This means the attacker could potentially access sensitive information or manipulate data using your security context. [1]
What immediate steps should I take to mitigate this vulnerability?
Mitigation involves changing Kentico's default configuration according to the vendor's advisory and updating Kentico Xperience 13 to version 13.0.167 or later. [1]