Platform
asp.net
Component
kentico-cms
Fixed in
13.0.179
CVE-2025-2878 is a cross-site scripting (XSS) vulnerability in Kentico CMS versions up to and including 13.0.178. The affected component is the Additional Database Installation Wizard, reached through the /CMSInstall/install.aspx endpoint; manipulation of the 'new database' argument lets an attacker inject script into the page that the wizard renders, which can compromise the session and data of any user who opens a crafted link or page. The fix ships in version 13.0.179.
Successful exploitation lets an attacker run arbitrary JavaScript in the browser of a user who views the injected content, within the origin of the Kentico site. From there the script can read whatever that origin exposes to JavaScript (session cookies not flagged HttpOnly, tokens held in page state or local storage, personal data shown on screen), redirect the user to an attacker-controlled site, deface the page, or issue requests to the application with the user's privileges. Because the wizard is a network-reachable web endpoint, the attack surface is every deployment in the affected range on which /CMSInstall/install.aspx can still be requested; and because the wizard is an administrative tool, the user realistically reaching that page is an administrator, so a successful attack lands in a privileged session.
CVE-2025-2878 was publicly disclosed on March 27, 2025. No public proof-of-concept (PoC) code had been identified at the time of writing. The CVSS score of 2.4 is a severity rating, not a probability of exploitation: it reflects that a victim must interact with injected content and that a single XSS has limited impact, while the EPSS figure on this page estimates likelihood. XSS payloads are cheap to construct once the injection point is known, so the absence of a PoC should not delay patching. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Exploit Status
EPSS: 0.18% (40th percentile)
The primary mitigation for CVE-2025-2878 is to upgrade Kentico CMS to version 13.0.179 or later, which contains the fix. If an immediate upgrade is not feasible, reduce exposure first: the installation wizard is an administrative tool, so restrict access to /CMSInstall/ at the web server or reverse proxy to administrator networks and confirm that the endpoint is not reachable from the internet. A web application firewall rule that matches requests to /CMSInstall/install.aspx and applies an XSS signature to the query-string and form parameters adds a temporary layer; make sure the rule decodes URL encoding more than once, since double-encoded payloads slip past rules that decode only one layer. Input validation on the 'new database' parameter in front of the endpoint is likewise a stopgap: the durable fix for XSS is contextual output encoding of that value where the wizard renders it, which only the vendor patch provides. Review and test any such configuration changes in a staging environment before deploying them to production.
Update Kentico CMS to version 13.0.179 or later. This release fixes the cross-site scripting (XSS) vulnerability in the Additional Database Installation Wizard; apply it as soon as practicable, since a public PoC would make the flaw trivial to exploit.
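Two checks a defender can run while the upgrade is scheduled, as an added example that is not code from this advisory or from Kentico: an inventory check that compares a Kentico CMS build string numerically against the fixed version, and a review of IIS W3C log lines that flags any request to the wizard endpoint from outside trusted networks, plus requests whose parameters carry script-like content (decoding twice to catch double encoding). The log lines are constructed for this example, the 15-field default IIS layout is assumed, and the parameter name "db" is a placeholder, since the advisory names the argument only as 'new database'.

```python
"""
Added example for CVE-2025-2878; not code from the advisory or from Kentico.
Assumptions (not from the advisory): IIS W3C logs use the default field order
in the #Fields header below, the sample log lines are constructed, and the
parameter name "db" is a placeholder for the wizard's 'new database' argument.
"""
import ipaddress
import re
from urllib.parse import parse_qs, unquote_plus

FIXED_VERSION = (13, 0, 179)
WIZARD_PATH = "/cmsinstall/install.aspx"

# Generic XSS markers: tag openers, javascript: URLs and inline event handlers.
XSS_MARKERS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe)\b|javascript\s*:|\bon[a-z]+\s*=", re.I)


def parse_version(text):
    """Turn '13.0.178', 'v13.0.179' or '13.0.178 hotfix' into a 3-tuple of ints."""
    parts = [int(n) for n in re.findall(r"\d+", text)[:3]]
    if not parts:
        raise ValueError("no numeric version in %r" % text)
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version):
    """True if the build is below 13.0.179 (the advisory's 'up to 13.0.178').
    Compare numerically: as strings, '13.0.9' would sort after '13.0.179'."""
    return parse_version(version) < FIXED_VERSION


def iter_wizard_requests(lines):
    """Yield parsed IIS W3C entries whose cs-uri-stem is the wizard endpoint."""
    for line in lines:
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 15:
            continue  # not the assumed 15-field default layout
        if f[4].lower() != WIZARD_PATH:
            continue
        query = "" if f[5] == "-" else f[5]  # IIS writes '-' for an empty field
        yield {"time": f"{f[0]} {f[1]}", "client_ip": f[8], "user": f[7],
               "status": f[11], "params": parse_qs(query, keep_blank_values=True)}


def suspicious_wizard_requests(lines):
    """Requests to the wizard whose parameters carry script-like content.
    parse_qs strips one layer of URL encoding; a second unquote_plus catches
    double-encoded payloads that a single-decode WAF rule would miss."""
    hits = []
    for req in iter_wizard_requests(lines):
        for name, values in req["params"].items():
            for raw in values:
                for candidate in (raw, unquote_plus(raw)):
                    if XSS_MARKERS.search(candidate):
                        hits.append({"time": req["time"], "client_ip": req["client_ip"],
                                     "param": name, "value": candidate,
                                     "status": req["status"]})
                        break
    return hits


def wizard_exposure(lines, trusted_networks=("10.0.0.0/8",)):
    """Every hit on the wizard from outside the trusted networks, payload or not:
    an installation endpoint should not be reachable from the internet at all."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    return [req for req in iter_wizard_requests(lines)
            if not any(ipaddress.ip_address(req["client_ip"]) in n for n in nets)]


# Constructed sample log (not real traffic). The payloads are generic XSS test
# strings used to exercise the detector, not a known exploit for this CVE.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-03-28 10:15:02 10.0.0.5 GET /CMSInstall/install.aspx - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 120
2025-03-28 10:15:40 10.0.0.5 GET /CMSInstall/install.aspx step=3&db=Contoso_CMS 443 admin 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 88
2025-03-28 10:16:11 10.0.0.5 GET /CMSInstall/install.aspx step=3&db=%3Cscript%3Ealert(1)%3C%2Fscript%3E 443 admin 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 91
2025-03-28 10:16:12 10.0.0.5 GET /CMSInstall/install.aspx step=3&db=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E 443 admin 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 90
2025-03-28 10:17:00 10.0.0.5 GET /search.aspx q=%3Cscript%3E 443 - 198.51.100.7 curl/8.4.0 - 200 0 0 15
"""

if __name__ == "__main__":
    for v in ("13.0.178", "13.0.179", "13.0.9"):
        print(v, "affected" if is_affected(v) else "fixed")
    for h in suspicious_wizard_requests(SAMPLE_LOG.splitlines()):
        print("suspicious:", h)
    for r in wizard_exposure(SAMPLE_LOG.splitlines()):
        print("wizard reachable from", r["client_ip"], "status", r["status"])
```

On the constructed sample, `wizard_exposure` reports all four wizard requests because 203.0.113.9 is outside the trusted range, which is the finding to act on first regardless of payload; `suspicious_wizard_requests` flags only the two entries with script-like parameters, the second of them solely because of the second decoding pass. Requests to /search.aspx are ignored even though they contain the same marker, keeping the check scoped to this advisory's endpoint.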
CVE-2025-2878 is a cross-site scripting (XSS) vulnerability affecting Kentico CMS versions up to 13.0.178, allowing attackers to inject malicious scripts.
You are affected if you are running Kentico CMS version 13.0.178 or earlier. Upgrade to 13.0.179 or later to mitigate the risk.
Upgrade Kentico CMS to version 13.0.179 or later. Consider input validation and WAF rules as temporary mitigations.
No active exploitation has been confirmed at this time, but publication of a PoC could change that quickly.
Refer to the Kentico CMS security advisory for detailed information and updates: [https://www.kentico.com/security/advisories](https://www.kentico.com/security/advisories)