#VU118740 Path traversal in Sitecore products

Published: November 25, 2025


Vulnerability identifier: #VU118740
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
  Experience Manager
  Sitecore Experience Platform
  Experience Commerce
Software vendor:
  Sitecore

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to an input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.


Remediation

To mitigate the impact of this vulnerability, it is recommended to apply the following patch to affected Sitecore systems. This patch can be used for all affected product versions from 8.0 Initial Release through 10.4 Initial Release. Follow the installation instructions below:

  1. Download and extract the Sitecore.Support.PDXP-9109.zip archive.

  2. Remove the App_Config\Include\zzz\Sitecore.Support.619349.config file from the Content Management or standalone instance (if present).

  3. Remove the bin\Sitecore.Support.619349.dll assembly from the Content Management or standalone instance (if present).

  4. Place Sitecore.Support.PDXP-9109.dll in the \bin folder.

  5. Place Sitecore.Support.PDXP-9109.config in the \App_Config\Include\zzz folder.
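The following PowerShell script carries out steps 2 through 5 above on one Content Management or standalone instance. It is an added example, not Sitecore's installer; it assumes step 1 has already been done, that -InstanceRoot is the instance web root (the folder containing bin\ and App_Config\), and that the extracted archive holds the .dll and .config at its top level (a layout the advisory does not state).

```powershell
# Added example (not Sitecore's own code): apply the Sitecore.Support.PDXP-9109 patch
# to a single instance, following advisory steps 2-5.
# Assumed: -InstanceRoot is the web root with bin\ and App_Config\; -PatchDir is the folder
# the Sitecore.Support.PDXP-9109.zip archive was extracted to, with both files at its top level.
param(
    [Parameter(Mandatory)] [string] $InstanceRoot,
    [Parameter(Mandatory)] [string] $PatchDir
)
$ErrorActionPreference = 'Stop'

$patchDll    = Join-Path $PatchDir 'Sitecore.Support.PDXP-9109.dll'
$patchConfig = Join-Path $PatchDir 'Sitecore.Support.PDXP-9109.config'
foreach ($f in @($patchDll, $patchConfig)) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Patch file missing: $f" }
}

$binDir     = Join-Path $InstanceRoot 'bin'
$includeDir = Join-Path $InstanceRoot 'App_Config\Include\zzz'
if (-not (Test-Path -LiteralPath $binDir -PathType Container)) {
    throw "Not a Sitecore web root (no bin folder): $InstanceRoot"
}
New-Item -ItemType Directory -Path $includeDir -Force | Out-Null

# Steps 2 and 3: remove the superseded 619349 support files if present
foreach ($old in @((Join-Path $includeDir 'Sitecore.Support.619349.config'),
                   (Join-Path $binDir 'Sitecore.Support.619349.dll'))) {
    if (Test-Path -LiteralPath $old) {
        Write-Host "Removing superseded file $old"
        Remove-Item -LiteralPath $old -Force
    }
}

# Steps 4 and 5: place the PDXP-9109 assembly in bin\ and its config in App_Config\Include\zzz\
Copy-Item -LiteralPath $patchDll    -Destination $binDir     -Force
Copy-Item -LiteralPath $patchConfig -Destination $includeDir -Force

# Verify each deployed file is byte-identical to the one extracted from the archive
foreach ($pair in @(@($patchDll, $binDir), @($patchConfig, $includeDir))) {
    $deployed = Join-Path $pair[1] (Split-Path -Leaf $pair[0])
    $src = (Get-FileHash -LiteralPath $pair[0]  -Algorithm SHA256).Hash
    $dst = (Get-FileHash -LiteralPath $deployed -Algorithm SHA256).Hash
    if ($src -ne $dst) { throw "Hash mismatch after copying $deployed" }
    Write-Host "Deployed $deployed"
}
```

Run it once per affected Content Management or standalone instance; the final hash check confirms the copied files were not truncated or altered in transit.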


External links