This week’s update
This week, new critical vulnerabilities were disclosed in Sitecore’s Sitecore Experience Manager (XM), Sitecore Experience Platform (XP), specifically versions 9.0 through 9.3, and 10.0 through 10.4. These flaws are caused by unsafe data deserialization and code reflection, leaving affected systems at high risk of exploitation.
Key Findings
- CVE-2025-53690: Remote Code Execution through Insecure Deserialization
- CVE-2025-53691: Remote Code Execution through Insecure Deserialization
- CVE-2025-53693: HTML Cache Poisoning through Unsafe Reflections
Impact
Exploitation could allow attackers to execute arbitrary code remotely on the affected system and conduct cache poisoning attacks, potentially leading to further compromise. Applying the latest vendor-released solution without delay is strongly recommended.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 588edc74df1f4609b3c2f7ef0ee2c15e | 100878 | Sitecore – Remote Code Execution – CVE:CVE-2025-53691 | N/A | Block | This is a new detection |
| Cloudflare Managed Ruleset | d1bd7563e6254db48ce703807c5b669c | 100631 | Sitecore – Cache Poisoning – CVE:CVE-2025-53693 | N/A | Block | This is a new detection |
| Cloudflare Managed Ruleset | ed94c7ce5301411a94a21a096c410240 | 100879 | Sitecore – Remote Code Execution – CVE:CVE-2025-53690 | N/A | Block | This is a new detection |
Source: Cloudflare
Latest Posts
- Dynamics 365 Customer Service- Estimate AI credits for agents from forecasted demand [MC1307183]
- Microsoft Power Automate – Automate administrator-level desktop applications in unattended runs [MC1307177]
- Microsoft Dataverse – Create Dataverse agent users with Microsoft Entra agent identity [MC1307182]
- GCP Release Notes: May 08, 2026
