Security advisory 2026-05-21

SQL injection in the administration UI

CVSS: 9.4
Affected versions: 22.0.0 - 31.5.0
Category: SQL injection

Summary

Xperience by Kentico was affected by a critical SQL injection vulnerability in its data querying infrastructure. The issue occurred when unvalidated sorting parameters were processed and incorporated into database queries. Exploitation required authenticated access to the administration interface with low-privileged permissions. An authenticated attacker with access to the affected components of the administration interface could exploit this vulnerability to execute arbitrary SQL commands, potentially leading to full application compromise.
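The class of defect described above, illustrated with a self-contained Python/SQLite example added here. This is not Kentico's code and does not reflect the actual affected component; the users table, its rows and the parse_sort / list_users_* functions are constructed for the illustration. It shows why a sorting parameter is dangerous when spliced into the query text (ORDER BY cannot take a bound parameter for a column name, so the value is evaluated as SQL rather than matched against a column) beside the allow-list validation that a fix of this class typically applies.

```python
import sqlite3

# Constructed sample rows standing in for an admin listing (not Kentico data).
SAMPLE_ROWS = [
    (1, "alice", "2024-01-03"),
    (2, "bob", "2023-11-20"),
    (3, "carol", "2024-02-14"),
]

# Allow-list: request-facing sort keys mapped to the exact SQL identifier used.
SORTABLE_COLUMNS = {"id": "id", "name": "name", "created": "created"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, created TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def list_users_vulnerable(conn, sort):
    """Flawed pattern: the request's sort value is spliced into the statement.

    Because the clause is built by concatenation, the caller can supply any SQL
    expression, not just a column name. This is the defect class the advisory
    describes, kept here only to contrast with the validated version below.
    """
    return conn.execute("SELECT id, name FROM users ORDER BY " + sort).fetchall()


def parse_sort(sort):
    """Validate "<key>[ <direction>]" against the allow-lists; raise on anything else."""
    parts = sort.strip().split()
    if not parts or len(parts) > 2:
        raise ValueError("invalid sort parameter")
    column = SORTABLE_COLUMNS.get(parts[0].lower())
    direction_key = parts[1].lower() if len(parts) == 2 else "asc"
    direction = SORT_DIRECTIONS.get(direction_key)
    if column is None or direction is None:
        raise ValueError("invalid sort parameter")
    return column, direction


def is_valid_sort(sort):
    """True when the sort value would be accepted by parse_sort."""
    try:
        parse_sort(sort)
        return True
    except ValueError:
        return False


def list_users_safe(conn, sort):
    """Hardened pattern: only allow-listed identifiers ever reach the SQL text."""
    column, direction = parse_sort(sort)
    return conn.execute(
        f"SELECT id, name FROM users ORDER BY {column} {direction}"
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(list_users_safe(db, "name desc"))
    print(is_valid_sort("length(name)"))  # False: not an allow-listed column
```

The allow-list maps request keys to fixed identifiers rather than checking the raw string against a regular expression, so even a value that looks like an identifier but names a column the caller should not sort by is rejected. Direction is looked up the same way, which keeps the only two strings that reach the query under the application's control.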

How to fix

Update to the latest Xperience by Kentico version. See Update Xperience by Kentico projects for detailed instructions.

Attempts to exploit this issue may be blocked by Web Application Firewalls (WAFs), but this does not remove the underlying vulnerability and must not be relied upon as the sole mitigation strategy.

Insufficient MFA attempt limiting

CVSS: 8.6
Affected versions: 22.0.0 - 31.5.0
Category: Admin UI authentication

Summary

A vulnerability was identified in the multi‑factor authentication (MFA) verification process that could allow an attacker with valid credentials to repeatedly submit MFA codes without triggering an account lockout. This could enable a sustained brute‑force attack against MFA codes.

The issue was resolved by ensuring that unsuccessful MFA attempts contribute to account lockout behavior. This aligns MFA protection with existing authentication lockout mechanisms and allows administrators to configure limits consistently.
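The lockout behaviour described above, as a self-contained Python example added here; it is not Kentico's code and does not describe how Xperience by Kentico implements its lockout internally. The LockoutPolicy and Authenticator classes, the constructed credentials and the mfa_failures_count switch are all assumptions for the illustration. A single consecutive-failure counter per account is fed by both the password step and the MFA step; the switch reproduces the pre-fix behaviour, in which MFA failures never reach the counter, so the difference can be observed side by side.

```python
import hmac
import time


class LockoutPolicy:
    """Constructed example: one consecutive-failure counter per account, shared by
    the password step and the MFA step, with a timed lock once the limit is hit."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock  # injectable so expiry can be tested without sleeping
        self._failures = {}      # username -> consecutive failed attempts
        self._locked_until = {}  # username -> clock value at which the lock expires

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: clear the state so the account can authenticate again.
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user):
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_failures:
            self._locked_until[user] = self.clock() + self.lockout_seconds

    def record_success(self, user):
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)


class Authenticator:
    """Two-step login. Credentials and MFA codes are plain constructed values kept
    in dicts; a real system stores password hashes and derives time-based codes."""

    def __init__(self, policy, passwords, mfa_codes, mfa_failures_count=True):
        self.policy = policy
        self.passwords = passwords
        self.mfa_codes = mfa_codes
        # False reproduces the pre-fix behaviour: MFA failures never reach the counter.
        self.mfa_failures_count = mfa_failures_count

    def check_password(self, user, password):
        if self.policy.is_locked(user):
            return "locked"
        if hmac.compare_digest(self.passwords.get(user, ""), password):
            # Do not reset the counter yet: the login is complete only after MFA.
            return "ok"
        self.policy.record_failure(user)
        return "wrong"

    def check_mfa(self, user, code):
        if self.policy.is_locked(user):
            return "locked"
        if hmac.compare_digest(self.mfa_codes.get(user, ""), code):
            self.policy.record_success(user)
            return "ok"
        if self.mfa_failures_count:
            # The fix: a bad MFA code counts toward lockout exactly like a bad password.
            self.policy.record_failure(user)
        return "wrong"
```

The counter is cleared only when the whole login succeeds, not after a correct password alone, so a session that passes the first factor cannot be used to reset the budget between code guesses. Code comparison uses hmac.compare_digest to keep the check constant-time.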

How to fix

Update to the latest Xperience by Kentico version. See Update Xperience by Kentico projects for detailed instructions.