CVE-2025-34510 HIGH

CVE-2025-34510: Sitecore XM, XC, and XP Post-Auth RCE via Zip Slip

Vendor Sitecore

Product Experience Manager

Weakness CWE-23

Published June 17, 2025

Last update February 26, 2026

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) versions 9.0 through 9.3 and 10.0 through 10.4 are affected by a Zip Slip vulnerability. A remote, authenticated attacker can exploit this issue by sending a crafted HTTP request to upload a ZIP archive containing path traversal sequences, allowing arbitrary file writes and leading to code execution.

Key dates

02Disclosure timeline

June 17, 2025 CVE published

February 26, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-34510 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/23.html

Related vulnerabilities

Identifiers

CVE CVE-2025-34510

CWE CWE-23

CVSS 8.8 / HIGH

Affected versions

Vendor Sitecore

Product Experience Manager

Affected ≥ 9.0 and ≤ 9.3

Vendor Sitecore

Product Experience Manager

Affected ≥ 10.0 and ≤ 10.4

Vendor Sitecore

Product Experience Platform

Affected ≥ 9.0 and ≤ 9.3

Vendor Sitecore

Product Experience Platform

Affected ≥ 10.0 and ≤ 10.4

Vendor Sitecore

Product Experience Commerce

Affected ≥ 9.0 and ≤ 9.3

Vendor Sitecore

Product Experience Commerce

Affected ≥ 10.0 and ≤ 10.4

CVE-2025-34510: Sitecore XM, XC, and XP Post-Auth RCE via Zip Slip

01Description

02Disclosure timeline

03References

04Related CVE