Security advisory 2026-07-09
Email Builder sensitive information disclosure
CVSS: 7.1
Affected versions: 22.0.0 - 31.6.1
Category: Information disclosure
Summary
Due to improper handling of file inclusion paths passed through Email Builder components during MJML email rendering, authenticated administration users with email editing permissions could access and read arbitrary files available to the application, potentially leading to unintended disclosure of sensitive configuration or system data.
How to fix
Update to the latest version. See Update Xperience by Kentico projects for detailed instructions.
For projects using MJML includes, configure the new options in the application’s appsettings.json file:
MjmlInclude:RootPathdefines the root directory from which include files can be loaded.MjmlInclude:AllowedFileExtensionsdefines the allowlist of file extensions permitted for included files.
To reduce security risk, set RootPath to a dedicated folder containing only trusted include files (for example ~/EmailComponents) and keep AllowedFileExtensions as restrictive as possible, ideally only to extensions that are actually used in includes within Email Builder components.
"MjmlInclude": {
"RootPath": "~/EmailComponents",
"AllowedFileExtensions": [".mjml", ".css"]
}
See Configure MJML includes for details.
Acknowledgments
This issue was reported by Vũ Phạm Hải.
SQL injection in the Segments condition builder
CVSS: 8.6
Affected versions: 31.4.0 - 31.6.1
Category: SQL injection
Summary
Due to insufficient validation of user-supplied input in the segment condition builder preview feature, an authorized administration user with appropriate permissions could inject SQL commands, potentially leading to modification of data or disruption of application functionality. After applying the fix, the input is validated correctly and such commands can no longer be executed.
The contact group and other condition builders in the application were not affected.
How to fix
Update to the latest version. See Update Xperience by Kentico projects for detailed instructions.
Acknowledgments
This issue was reported by Ethan Pike.
SQL injection through content sync
CVSS: 7.5
Affected versions: 22.0.0 - 31.6.1
Category: SQL injection
Summary
Due to improper validation of certain form field inputs during content synchronization, synchronization of form definitions between instances could have allowed unintended SQL commands to be executed, potentially leading to disruption of application functionality or compromised data integrity. Exploitation required knowledge of the content synchronization secret and was only possible on Xperience by Kentico instances configured as the target for content synchronization. After applying the fix, the field data is validated correctly, and such commands can no longer be executed.
How to fix
Update to the latest version. See Update Xperience by Kentico projects for detailed instructions.
Acknowledgments
This issue was reported by Vũ Phạm Hải.