CVE-2022-50684 MEDIUM

CVE-2022-50684: Kentico Xperience <= 13.0.71 Form Emails HTML Injection

Vendor Kentico
Product Xperience
Weakness CWE-79 · XSS
Published December 18, 2025
Last update December 30, 2025

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

An HTML injection vulnerability in Kentico Xperience allows attackers to inject malicious HTML values into form submission emails via unencoded form fields. Unencoded form values could enable HTML content execution in recipient email clients, potentially compromising email security.

Key dates

02Disclosure timeline

December 18, 2025 CVE published
December 30, 2025 Record updated