CVE-2019-25229 HIGH

CVE-2019-25229: Kentico Xperience <= 12.0.29 MVC Forms Unrestricted File Upload

Vendor Kentico
Product Xperience
Weakness CWE-434 · Unrestricted file upload
Published December 18, 2025
Last update December 18, 2025

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

An unrestricted file upload vulnerability in Kentico Xperience allows authenticated users with 'Read data' permissions to upload arbitrary file types via MVC form file uploader components. Attackers can manipulate file names and upload potentially malicious files to the system, enabling unauthorized file uploads.

Key dates

02Disclosure timeline

December 18, 2025 CVE published
December 18, 2025 Record updated

Related vulnerabilities

04Related CVE