Vulnerability Details CVE-2025-34510
Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) versions 9.0 through 9.3 and 10.0 through 10.4 are affected by a Zip Slip vulnerability. A remote, authenticated attacker can exploit this issue by sending a crafted HTTP request to upload a ZIP archive containing path traversal sequences, allowing arbitrary file writes and leading to code execution.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.781
EPSS Ranking 99.0%
CVSS Severity
CVSS v3 Score 8.8
References
Products affected by CVE-2025-34510
-
cpe:2.3:a:sitecore:experience_commerce:10.0
-
cpe:2.3:a:sitecore:experience_commerce:10.1
-
cpe:2.3:a:sitecore:experience_commerce:10.2
-
cpe:2.3:a:sitecore:experience_commerce:10.3
-
cpe:2.3:a:sitecore:experience_commerce:10.4
-
cpe:2.3:a:sitecore:experience_commerce:9.0
-
cpe:2.3:a:sitecore:experience_commerce:9.1
-
cpe:2.3:a:sitecore:experience_manager:10.1
-
cpe:2.3:a:sitecore:experience_manager:10.2
-
cpe:2.3:a:sitecore:experience_manager:10.3
-
cpe:2.3:a:sitecore:experience_manager:10.4
-
cpe:2.3:a:sitecore:experience_manager:9.0
-
cpe:2.3:a:sitecore:experience_manager:9.1
-
cpe:2.3:a:sitecore:experience_manager:9.2
-
cpe:2.3:a:sitecore:experience_manager:9.3
-
cpe:2.3:a:sitecore:experience_platform:10.0
-
cpe:2.3:a:sitecore:experience_platform:10.1
-
cpe:2.3:a:sitecore:experience_platform:10.2
-
cpe:2.3:a:sitecore:experience_platform:10.3
-
cpe:2.3:a:sitecore:experience_platform:10.4
-
cpe:2.3:a:sitecore:experience_platform:9.0
-
cpe:2.3:a:sitecore:experience_platform:9.1
-
cpe:2.3:a:sitecore:experience_platform:9.1.1
-
cpe:2.3:a:sitecore:experience_platform:9.2
-
cpe:2.3:a:sitecore:experience_platform:9.3
-
cpe:2.3:a:sitecore:managed_cloud:-