CVE-2025-53693

CRITICAL EPSS 96.0%
Published Sep 3, 20259mo ago · Modified Jun 17, 20261w ago
9.8 CVSS 3.1
Critical
Find Similar
Published Sep 3, 2025 9mo ago
Last Modified Jun 17, 2026 1w ago

Description

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Cache Poisoning.This issue affects Sitecore Experience Manager (XM): from 9.0 through 9.3, from 10.0 through 10.4; Experience Platform (XP): from 9.0 through 9.3, from 10.0 through 10.4.

CVSS Details

Base Score
9.8
Exploitability
3.9
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
96.0% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 1

CWE-470

Affected Products 5

VendorProductVersionRange
sitecoreexperience_commerce*≥9.0  –  ≤10.4
sitecoreexperience_manager*≥9.0  –  ≤10.4
sitecoreexperience_platform*≥9.0  –  <10.4
sitecoreexperience_platform10.4any
sitecoremanaged_cloud*any

References 2

  • labs.watchtowr.com https://labs.watchtowr.com/cache-me-if-you-can-sitecore-experience-platform-cache-poisoning-to-rce/
    ExploitThird Party Advisory
  • support.sitecore.com https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667
    Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.