Sitecore File Upload Vulnerability Leading to Remote Code Execution

Vulnerability

A vulnerability in Sitecore versions through 10.1, when the Update Center is enabled, allows remote authenticated users to upload arbitrary files. This could lead to remote code execution by accessing the uploaded .aspx file through the admin/Packages URL.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where Sitecore is installed.

Reproduction

To reproduce this vulnerability, an authenticated user must upload a file through the Update Center's custom update upload option. Despite file extension restrictions intended to block uploads of .aspx files, these restrictions can be bypassed. Once uploaded, the file is reachable via the admin/Packages URL, where it executes as a web shell.

Remediation

Disabling the Update Center functionality is recommended. This can be done by adding a restriction in the web.config file that denies access to the Update Center path. After the change, requests to that path should be refused for every user, including authenticated administrators, since the vulnerability is reachable by any authenticated account.
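The following web.config fragment is an added example of the restriction described above; it is not part of the advisory and not Sitecore's own configuration. The path value is a placeholder and must be replaced with the actual Update Center path of the instance being hardened. It uses ASP.NET URL authorization (the system.web authorization element), which applies to managed requests such as the Update Center's .aspx pages:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the advisory or from Sitecore).
     Denies all access to the Update Center path so the custom update
     upload option cannot be reached by any user, authenticated or not. -->
<configuration>
  <!-- PLACEHOLDER: replace with the real Update Center path of your site,
       relative to the application root, before deploying. -->
  <location path="sitecore/admin/UPDATE_CENTER_PATH_PLACEHOLDER">
    <system.web>
      <authorization>
        <!-- "*" matches every user, including authenticated administrators;
             a deny rule listed first wins over any later allow rule. -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Place the location element in the site's root web.config (or merge it with an existing configuration element there). To confirm the restriction is effective, request the path while logged in as an administrator: the response should be a denial (401 or 403) rather than the Update Center page. If the site relies on IIS-level URL authorization instead, the equivalent rule is an accessType="Deny" entry for users="*" under system.webServer/security/authorization, which requires the IIS URL Authorization module to be installed.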

Added: May 15, 2026, 9:42 AM
Updated: May 15, 2026, 9:42 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 0.0
relevance: 0.0
threat: 6.5
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.