Exposures › CVE-2025-2749
Kentico Xperience allows authenticated users to upload arbitrary files via path traversal, enabling data exfiltration or system compromise.
This path traversal flaw in Kentico Xperience's Staging Sync Server permits authenticated users to write files to arbitrary locations, creating a supply-chain risk for DIB vendors relying on Kentico CMS. While not an RCE, the ability to upload files to sensitive directories could facilitate privilege escalation or data exfiltration, requiring immediate patching and vendor assessment.
Shame score — A known path traversal vulnerability in a widely-used CMS product that allows authenticated users to upload arbitrary files, posing a moderate supply-chain risk.
Kentico Xperience contains a path traversal vulnerability that could allow an authenticated user's Staging Sync Server to upload arbitrary data to path relative locations.
No correlated FedRAMP products.