CVE-2019-25229

An unrestricted file upload vulnerability in Kentico Xperience allows authenticated users with 'Read data' permissions to upload arbitrary file types via MVC form file uploader components. Attackers can manipulate file names and upload potentially malicious files to the system, enabling unauthorized...

high 8.8 CVSS 3.1

Published: Dec 18, 2025

Modified: Dec 24, 2025

Vendor: Kentico

Description

An unrestricted file upload vulnerability in Kentico Xperience allows authenticated users with 'Read data' permissions to upload arbitrary file types via MVC form file uploader components. Attackers can manipulate file names and upload potentially malicious files to the system, enabling unauthorized file uploads.

References

https://devnet.kentico.com/download/hotfixes
https://www.vulncheck.com/advisories/kentico-xperience-mvc-forms-unrestricted-file-upload

Related CVEs

CVSS Breakdown

Version	3.1
Score	8.8 / 10
Severity	high

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weakness (CWE)

CWE-434

Affected Product

Vendor	Kentico
Product	Xperience