Security advisory 2026-02-23
Third‑party dependency update – Microsoft.SemanticKernel.Core
CVSS: 0
Affected versions: 30.9.0 - 31.2.0
Category: Security
Summary
A vulnerability was disclosed in a third‑party library (Microsoft.SemanticKernel.Core) affecting the SessionsPythonPlugin component (GHSA‑2ww3‑72rp‑wpp4). Although Xperience does use the Microsoft.SemanticKernel.Core package, an internal audit confirmed that the vulnerable plugin is not registered, referenced, or invoked anywhere in Xperience. Because the vulnerable functionality is not used, there is no exploit path, and Xperience projects are not impacted.
The affected dependency was updated as part of standard supply‑chain security maintenance to align with the latest vendor release:
Microsoft.SemanticKernel: 1.70.0 → 1.71.0
Microsoft.SemanticKernel.Agents.Core: 1.70.0 → 1.71.0
Microsoft.SemanticKernel.Connectors.AzureOpenAI: 1.70.0 → 1.71.0
How to fix
Xperience projects are not impacted, as the vulnerable SessionsPythonPlugin is not utilized in any part of the product.
Update to the latest version of Xperience by Kentico. See Update Xperience by Kentico projects for detailed instructions.
Customers who do not update immediately remain safe because the vulnerable component is unused and unregistered.
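The advisory's audit covers the product itself, not code that a project adds on top of it. The following is an added example, not code from Kentico or Microsoft: a check that a project team can run over its own source tree to list references to SessionsPythonPlugin and Microsoft.SemanticKernel package references below 1.71.0. The function names, the scanned file extensions and the sample project are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

PLUGIN = "SessionsPythonPlugin"  # component named in the advisory
TARGET = (1, 71, 0)              # release the advisory's dependency update moves to
# Assumes Include precedes Version, as in a default PackageReference/PackageVersion item.
PKG_RE = re.compile(r'<Package(?:Reference|Version)\s+Include="(Microsoft\.SemanticKernel[^"]*)"'
                    r'\s+Version="([^"]+)"')

def parse_version(text):
    """'1.70.0-preview' -> (1, 70, 0); None if not numeric (e.g. an MSBuild property)."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        return None
    parts = [int(p) for p in m.group().split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def audit_project(root):
    """Return (plugin_refs, outdated) for the source tree under root."""
    plugin_refs, outdated = [], []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        rel, ext = path.relative_to(root).as_posix(), path.suffix.lower()
        if ext not in {".cs", ".cshtml", ".razor", ".csproj", ".props"}:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if ext in {".csproj", ".props"}:
            for name, ver in PKG_RE.findall(text):
                parsed = parse_version(ver)
                if parsed is not None and parsed < TARGET:
                    outdated.append((rel, name, ver))
        else:
            plugin_refs += [(rel, n) for n, line in enumerate(text.splitlines(), 1)
                            if PLUGIN in line]
    return plugin_refs, outdated

def build_sample(root):
    """Write a constructed two-file project used only for demonstration."""
    Path(root, "App.csproj").write_text(
        '<Project Sdk="Microsoft.NET.Sdk.Web">\n  <ItemGroup>\n'
        '    <PackageReference Include="Microsoft.SemanticKernel" Version="1.70.0" />\n'
        '    <PackageReference Include="Microsoft.SemanticKernel.Agents.Core" Version="1.71.0" />\n'
        '  </ItemGroup>\n</Project>\n', encoding="utf-8")
    Path(root, "Startup.cs").write_text(
        "// constructed sample\nvar plugin = new SessionsPythonPlugin(settings, factory);\n",
        encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit_project(tmp))
```

Versions supplied through MSBuild properties are skipped rather than resolved, so an empty result still warrants a look at any centrally managed version variables.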