Security advisory 2026-07-09

Email Builder sensitive information disclosure

CVSS: 7.1
Affected versions: 22.0.0 - 31.6.1
Category: Information disclosure

Summary

Due to improper handling of file inclusion paths passed through Email Builder components during MJML email rendering, authenticated administration users with email editing permissions could access and read arbitrary files available to the application, potentially leading to unintended disclosure of sensitive configuration or system data.

How to fix

Update to the latest version. See Update Xperience by Kentico projects for detailed instructions.

For projects using MJML includes, configure the new options in the application’s appsettings.json file:

  • MjmlInclude:RootPath defines the root directory from which include files can be loaded.
  • MjmlInclude:AllowedFileExtensions defines the allowlist of file extensions permitted for included files.

To reduce security risk, set RootPath to a dedicated folder containing only trusted include files (for example ~/EmailComponents) and keep AllowedFileExtensions as restrictive as possible, ideally only to extensions that are actually used in includes within Email Builder components.

JSON
appsettings.json


"MjmlInclude": {
  "RootPath": "~/EmailComponents",
  "AllowedFileExtensions": [".mjml", ".css"]
}

See Configure MJML includes for details.

Acknowledgments

This issue was reported by Vũ Phạm Hải.

SQL injection in the Segments condition builder

CVSS: 8.6
Affected versions: 31.4.0 - 31.6.1
Category: SQL injection

Summary

Due to insufficient validation of user-supplied input in the segment condition builder preview feature, an authorized administration user with appropriate permissions could inject SQL commands, potentially leading to modification of data or disruption of application functionality. After applying the fix, the input is validated correctly and such commands can no longer be executed.

The contact group and other condition builders in the application were not affected.

How to fix

Update to the latest version. See Update Xperience by Kentico projects for detailed instructions.

Acknowledgments

This issue was reported by Ethan Pike.

SQL injection through content sync

CVSS: 7.5
Affected versions: 22.0.0 - 31.6.1
Category: SQL injection

Summary

Due to improper validation of certain form field inputs during content synchronization, synchronization of form definitions between instances could have allowed unintended SQL commands to be executed, potentially leading to disruption of application functionality or compromised data integrity. Exploitation required knowledge of the content synchronization secret and was only possible on Xperience by Kentico instances configured as the target for content synchronization. After applying the fix, the field data is validated correctly, and such commands can no longer be executed.

How to fix

Update to the latest version. See Update Xperience by Kentico projects for detailed instructions.

Acknowledgments

This issue was reported by Vũ Phạm Hải.