Security advisory 2026-06-04

SQL Injection in Form Builder

CVSS: 8.7
Affected versions: 22.0.0 - 31.5.2
Category: SQL injection

Summary

Xperience by Kentico was affected by an SQL injection vulnerability in Form Builder. Due to missing back-end validation, an attacker could tamper with form field names, which were then processed and incorporated into database queries. Exploitation required authenticated access to the administration interface with permissions for editing forms. An authenticated attacker could exploit this vulnerability to execute arbitrary SQL commands, potentially leading to application compromise.
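The defect class described above, illustrated as an added C# example that is not Kentico's own code and does not reflect the actual Form Builder implementation: a client-controlled form field name is interpolated straight into a SQL statement (the unsafe builder), beside a server-side check that accepts only plain identifiers that also exist in the form's known column set, bracket-quotes them, and passes values as parameters (the hardened builder). The table name `Form_Contact`, the column set and the tampered field name are constructed for the demonstration.

```csharp
// Added example, not Kentico's code: server-side handling of form field names
// before they reach a SQL statement. Table/column names below are constructed.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

public static class FormFieldSql
{
    // A plain identifier: letter or underscore, then letters/digits/underscores,
    // capped at 128 characters (the SQL Server identifier limit).
    private static readonly Regex IdentifierPattern =
        new Regex(@"^[A-Za-z_][A-Za-z0-9_]{0,127}$", RegexOptions.Compiled);

    public static bool IsValidIdentifier(string name) =>
        !string.IsNullOrEmpty(name) && IdentifierPattern.IsMatch(name);

    // VULNERABLE pattern: field names and values from the request are spliced into
    // the statement text, so a tampered name is executed as part of the query.
    public static string BuildInsertUnsafe(string table, IDictionary<string, string> fields)
    {
        var columns = string.Join(", ", fields.Keys);
        var values = string.Join(", ", fields.Values.Select(v => "'" + v + "'"));
        return $"INSERT INTO {table} ({columns}) VALUES ({values})";
    }

    // HARDENED pattern: validate every name on the server regardless of what the UI
    // sent, require it to be a column the form definition actually declares,
    // bracket-quote the identifier, and bind values as parameters.
    public static (string CommandText, Dictionary<string, string> Parameters) BuildInsertSafe(
        string table, IDictionary<string, string> fields, ISet<string> knownColumns)
    {
        if (!IsValidIdentifier(table))
            throw new ArgumentException($"Rejected table name: {table}");

        var columnList = new List<string>();
        var paramList = new List<string>();
        var parameters = new Dictionary<string, string>();
        int i = 0;
        foreach (var kv in fields)
        {
            if (!IsValidIdentifier(kv.Key) || !knownColumns.Contains(kv.Key))
                throw new ArgumentException($"Rejected field name: {kv.Key}");
            columnList.Add("[" + kv.Key + "]");
            var p = "@p" + i++;
            paramList.Add(p);
            parameters[p] = kv.Value;   // value travels as a parameter, never as text
        }
        var sql = $"INSERT INTO [{table}] ({string.Join(", ", columnList)}) " +
                  $"VALUES ({string.Join(", ", paramList)})";
        return (sql, parameters);
    }

    public static void Main()
    {
        // Constructed form definition: the only columns this form is allowed to write.
        var known = new HashSet<string> { "FirstName", "Email" };

        var good = new Dictionary<string, string> { ["FirstName"] = "Ada", ["Email"] = "ada@example.com" };
        var (sql, prms) = BuildInsertSafe("Form_Contact", good, known);
        Console.WriteLine(sql);   // INSERT INTO [Form_Contact] ([FirstName], [Email]) VALUES (@p0, @p1)

        // Constructed tampered field name, as a modified request might carry it.
        var tampered = new Dictionary<string, string> { ["FirstName]--"] = "Ada" };
        Console.WriteLine(BuildInsertUnsafe("Form_Contact", tampered)); // name lands in the statement verbatim
        try
        {
            BuildInsertSafe("Form_Contact", tampered, known);
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine(ex.Message); // Rejected field name: FirstName]--
        }
    }
}
```

The syntactic check alone is not the important part; the `knownColumns` lookup is what ties an incoming name to the form definition stored on the server, so a request that names a column the form never declared is refused even when the name is a well-formed identifier. Quoting with brackets and binding values as parameters then covers the remaining surface.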

How to fix

Update to the latest version. See Update Xperience by Kentico projects for detailed instructions.

Acknowledgments

This issue was reported by Ethan Pike.