Security Bulletin SC2021-003-499266

The information on the latest update


This article reports Critical vulnerability (SC2021-003-499266) in Sitecore software, for which there is a solution available.

This issue is related to a remote code execution vulnerability through insecure deserialization in the Report.ashx file. This file was used to drive the Executive Insight Dashboard (of Silverlight report) that was deprecated in 8.0 Initial Release. 

We encourage Sitecore customers and partners to familiarize themselves with the information below and apply the Solution below to all affected Sitecore instances. We also recommend that customers maintain their environments in security-supported versions and apply all available security fixes without delay.

If you would like to receive notifications about new Security Bulletins, subscribe to the Security Bulletins.

Severity Definitions

To help customers and partners understand the severity of potential security vulnerabilities, Sitecore uses definitions from Severity Definitions for Security Vulnerabilities to report security issues.


Versions affected

Vulnerability SC2021-003-499266 affects the following Sitecore XP versions:

The vulnerability is applicable to all Sitecore systems running affected versions, including single-instance and multi-instance environments, Managed Cloud environments, and all Sitecore server roles (Content Delivery, Content Editing, Reporting, Processing, etc.), which are exposed to the Internet. 
A solution is available for the affected versions.

Versions not affected

The following Sitecore XP versions are not affected by this vulnerability:

Versions not mentioned in the "Versions affected" section are not affected by this vulnerability.


In order to fix this vulnerability:

Note: The Report.ashx file is no longer used and can safely be removed.

History of updates