CVE-2025-53693

HTML Cache Poisoning through Unsafe Reflections

CVSS 9.8 CRITICALEPSS 13.8%CWE-470

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Cache Poisoning.This issue affects Sitecore Experience Manager (XM): from 9.0 through 9.3, from 10.0 through 10.4; Experience Platform (XP): from 9.0 through 9.3, from 10.0 through 10.4.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Sitecore · Experience Platform (XP)Sitecore · Sitecore Experience Manager (XM)

public PoCs found — 1

githubgithub.com/blueisbeautiful/CVE-2025-53693★ 1

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://labs.watchtowr.com/cache-me-if-you-can-sitecore-experience-platform-cache-poisoning-to-rce/https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667