{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-09T23:23:58.587","vulnerabilities":[{"cve":{"id":"CVE-2025-32370","sourceIdentifier":"cve@mitre.org","published":"2025-04-06T07:15:40.970","lastModified":"2025-04-08T18:54:51.523","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Kentico Xperience before 13.0.178 has a specific set of allowed ContentUploader file extensions for unauthenticated uploads; however, because .zip is processed through TryZipProviderSafe, there is additional functionality to create files with other extensions. NOTE: this is a separate issue not necessarily related to SVG or XSS."},{"lang":"es","value":"Kentico Xperience anterior a la versión 13.0.178 tiene un conjunto específico de extensiones de archivo ContentUploader permitidas para cargas no autenticadas. Sin embargo, dado que los archivos .zip se procesan mediante TryZipProviderSafe, existe una funcionalidad adicional para crear archivos con otras extensiones. NOTA: Este problema es independiente y no está necesariamente relacionado con SVG ni XSS."}],"metrics":{"cvssMetricV31":[{"source":"cve@mitre.org","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L","baseScore":7.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":2.7},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"cve@mitre.org","type":"Secondary","description":[{"lang":"en","value":"CWE-912"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-434"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:kentico:xperience:*:*:*:*:*:*:*:*","versionEndExcluding":"13.0.178","matchCriteriaId":"98D609C3-307D-4D49-9AAB-0AA4750FD786"}]}]}],"references":[{"url":"https://devnet.kentico.com/download/hotfixes","source":"cve@mitre.org","tags":["Release Notes"]},{"url":"https://labs.watchtowr.com/xss-to-rce-by-abusing-custom-file-handlers-kentico-xperience-cms-cve-2025-2748/","source":"cve@mitre.org","tags":["Exploit","Third Party Advisory"]},{"url":"https://labs.watchtowr.com/xss-to-rce-by-abusing-custom-file-handlers-kentico-xperience-cms-cve-2025-2748/","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Third Party Advisory"]}]}}]}