Kentico Xperience
cpe:2.3:a:kentico:xperience:*:*:*:*:*:*:*
- <= 13.0.71
An HTML injection vulnerability has been identified in Kentico Xperience versions through 13.0.71. Form field values are inserted without encoding into the emails generated from form submissions, so markup in a submitted value may be rendered as HTML in the recipients' email clients, potentially leading to a compromise of email security.
Successful exploitation could cause submitted HTML content to be rendered in the email clients of recipients, creating a risk of email security compromise.
Users can apply the latest hotfix available for their Kentico Xperience version. Instructions for applying hotfixes can be found in the Kentico Xperience Documentation.
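For custom code that builds emails from form submissions, the sketch below shows the flaw class next to its encoded form, with a regression check. It is an added example, not Kentico's code or part of the advisory; the `{{Field}}` template syntax, the class and method names, and the sample submission are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Text.RegularExpressions;

static class FormNotificationEmail
{
    // Hypothetical template syntax: {{FieldName}} marks where a submitted value goes.
    static readonly Regex Placeholder = new Regex(@"\{\{(\w+)\}\}");
    static readonly Regex Tag = new Regex(@"<[^>]+>");

    // Before: the submitted value is copied into the HTML body unchanged.
    public static string RenderUnencoded(string template, IDictionary<string, string> fields) =>
        Placeholder.Replace(template, m =>
            fields.TryGetValue(m.Groups[1].Value, out var v) ? (v ?? "") : "");

    // After: each submitted value is HTML-encoded at the point of insertion.
    public static string RenderEncoded(string template, IDictionary<string, string> fields) =>
        Placeholder.Replace(template, m =>
            fields.TryGetValue(m.Groups[1].Value, out var v) ? WebUtility.HtmlEncode(v ?? "") : "");

    // Regression check: the rendered body may contain only the template's own tags.
    public static bool OnlyTemplateMarkup(string template, string rendered) =>
        Tags(rendered).SequenceEqual(Tags(template));

    static IEnumerable<string> Tags(string html) =>
        Tag.Matches(html).Cast<Match>().Select(m => m.Value);

    static void Main()
    {
        const string template = "<p>New submission from {{Name}}</p><p>{{Message}}</p>";
        // Constructed sample submission; the markup is inert test input.
        var fields = new Dictionary<string, string>
        {
            ["Name"] = "Alice & Bob",
            ["Message"] = "<b>urgent</b> <a href=\"https://example.com/\">details</a>"
        };

        string before = RenderUnencoded(template, fields);
        string after = RenderEncoded(template, fields);

        Console.WriteLine(after);
        Console.WriteLine($"unencoded passes check: {OnlyTemplateMarkup(template, before)}");
        Console.WriteLine($"encoded passes check:   {OnlyTemplateMarkup(template, after)}");
    }
}
```

Encoding is applied where the value enters the HTML body, not when the submission is stored, so the stored form data stays unchanged for other consumers.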