VYPR

EPiServer.CMS.Core

by Optimizely

CVEs (6)

  • CVE-2025-22389HigJan 4, 2025
    risk 0.52cvss 8.0epss 0.00

    An issue was discovered in Optimizely EPiServer.CMS.Core before 12.32.0. A medium-severity vulnerability exists in the CMS, where the application does not properly validate uploaded files. This allows the upload of potentially malicious file types, including .docm .html. When…

  • CVE-2025-22390HigJan 4, 2025
    risk 0.49cvss 7.5epss 0.00

    An issue was discovered in Optimizely EPiServer.CMS.Core before 12.32.0. A medium-severity vulnerability exists in the CMS due to insufficient enforcement of password complexity requirements. The application permits users to set passwords with a minimum length of 6 characters,…

  • CVE-2025-22388MedJan 4, 2025
    risk 0.37cvss 5.7epss 0.00

    An issue was discovered in Optimizely EPiServer.CMS.Core before 12.22.0. A high-severity Stored Cross-Site Scripting (XSS) vulnerability exists in the CMS, allowing malicious actors to inject and execute arbitrary JavaScript code, potentially compromising user data, escalating…

  • CVE-2025-27802MedJul 28, 2025
    risk 0.31cvss 4.8epss 0.00

    The Episerver Content Management System (CMS) by Optimizely was affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities. This allowed an authenticated attacker to execute malicious JavaScript code in the victim's browser. RTE properties (text fields), which could…

  • CVE-2025-27801MedJul 28, 2025
    risk 0.31cvss 4.8epss 0.00

    The Episerver Content Management System (CMS) by Optimizely was affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities. This allowed an authenticated attacker to execute malicious JavaScript code in the victim's browser. ContentReference properties, which…

  • CVE-2025-27800MedJul 28, 2025
    risk 0.31cvss 4.8epss 0.00

    The Episerver Content Management System (CMS) by Optimizely was affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities. This allowed an authenticated attacker to execute malicious JavaScript code in the victim's browser. The Admin dashboard offered the…