A vulnerability exists in Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud that could allow an unauthenticated attacker to read arbitrary files. This vulnerability affects all Experience Platform topologies (XM, XP, XC) from 8.0 Initial Release through 10.4 Initial Release and later. This issue affects Content Management (CM) and standalone instances. PaaS and containerized solutions are also affected.
History

Thu, 31 Jul 2025 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Sitecore
Sitecore experience Commerce
Sitecore experience Manager
Sitecore experience Platform
Sitecore managed Cloud
Vendors & Products Sitecore
Sitecore experience Commerce
Sitecore experience Manager
Sitecore experience Platform
Sitecore managed Cloud

Fri, 25 Jul 2025 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-552
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 25 Jul 2025 16:00:00 +0000

Type Values Removed Values Added
Description A vulnerability exists in Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud that could allow an unauthenticated attacker to read arbitrary files. This vulnerability affects all Experience Platform topologies (XM, XP, XC) from 8.0 Initial Release through 10.4 Initial Release and later. This issue affects Content Management (CM) and standalone instances. PaaS and containerized solutions are also affected.
Title Sitecore XM/XP/XC and Managed Cloud 8.0 - 10.4 Arbitrary File Read
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2025-07-25T15:54:25.297Z

Updated: 2025-07-25T18:21:11.575Z

Reserved: 2025-04-15T19:15:22.563Z

Link: CVE-2025-34139

cve-icon Vulnrichment

Updated: 2025-07-25T18:21:05.618Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-07-25T16:15:28.913

Modified: 2025-07-29T14:14:55.157

Link: CVE-2025-34139

cve-icon Redhat

No data.