CVE-2019-25228 MEDIUM

CVE-2019-25228: Kentico Xperience <= 12.0.47 Virtual Context Information Disclosure

Vendor Kentico
Product Xperience
Weakness CWE-497
Published December 18, 2025
Last update December 27, 2025

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Active
Confidentiality Low
Integrity None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

An information disclosure vulnerability in Kentico Xperience allows attackers to leak virtual context URLs via the HTTP Referer header when users interact with third-party domains. Sensitive virtual context information can be exposed to external domains through page builder interactions and link/image loading.

Key dates

02 Disclosure timeline

December 18, 2025 CVE published
December 27, 2025 Record updated