CVE-2025-53693CRITICAL 9.8EPSS p96.0%

CVE-2025-53693CVE-2025-53693

Description

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Cache Poisoning.This issue affects Sitecore Experience Manager (XM): from 9.0 through 9.3, from 10.0 through 10.4; Experience Platform (XP): from 9.0 through 9.3, from 10.0 through 10.4.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS13.78% probability of exploitation · percentile 96.0% · 2026-06-19T12:03:05Z
Published2025-09-03
Last modified2025-09-08

Underlying weaknesses· 1

CWE-470

References

  1. https://labs.watchtowr.com/cache-me-if-you-can-sitecore-experience-platform-cache-poisoning-to-rce/
  2. https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667

1

TypeTargetConfidenceTier
WeaknessUse of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')cwe-4700%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-53691
CVE
Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability
CVE
Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE
Sitecore XP Remote Command Execution Vulnerability
CVE
CVE-2025-34510
CVE
CVE-2025-34511
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.