Date: 31st March 2026
Severity: Critical
Audience: Developers building custom applications using Web SDK & Cumulocity environment owners
Action Required: Update custom applications and plugins & upgrade environments
Summary
We have identified a security vulnerability within the Web SDK component. We have released targeted patches to address this issue and ensure the continued security of our customers’ environments.
To maintain the integrity of systems, customers are required to update their custom applications and plugins using the patch details provided below.
Affected Versions & Fix Details
Custom applications and plugins
Please identify the Web SDK version currently used to build any custom applications and update your dependencies to the specified version (or higher).
| Release Track | Required minimum version of Web SDK |
|---|---|
| CD | 1023.25.6 |
| Y2026 | 1023.14.60 |
| Y2025 | 1021.22.145 |
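
The check described above, as an added example (not Cumulocity's own tooling): it audits the dependencies of a parsed `package.json` against the minimum versions in the table. It assumes Web SDK packages are those in the `@c8y/` npm scope and that the caller supplies the release track; the sample manifest is constructed.

```javascript
// Minimum patched Web SDK versions per release track (from the table above).
const MIN_WEB_SDK = { CD: "1023.25.6", Y2026: "1023.14.60", Y2025: "1021.22.145" };

// Compare dotted numeric versions segment by segment (145 > 60, unlike a string compare).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Audit a parsed package.json for one release track.
// Assumption: Web SDK packages are the ones published under the @c8y/ scope.
function auditWebSdk(pkg, track) {
  const min = MIN_WEB_SDK[track];
  if (!min) throw new Error(`unknown release track: ${track}`);
  const deps = { ...pkg.dependencies, ...pkg.devDependencies };
  const findings = [];
  for (const [name, spec] of Object.entries(deps)) {
    if (!name.startsWith("@c8y/")) continue;
    const m = /^([\^~]?)(\d+\.\d+\.\d+)$/.exec(spec);
    if (!m) { findings.push({ name, spec, status: "unparsed" }); continue; }
    const [, range, version] = m;
    let status = compareVersions(version, min) >= 0 ? "ok" : "below-minimum";
    // A ^ or ~ range that starts below the minimum may still resolve to a
    // fixed build, so the lockfile has to be checked before concluding.
    if (status === "below-minimum" && range) status = "check-lockfile";
    findings.push({ name, spec, status });
  }
  return findings;
}

// Constructed sample manifest for a Y2025-track application.
const samplePkg = {
  dependencies: {
    "@c8y/ngx-components": "1021.22.100",
    "@c8y/client": "^1021.22.100",
    "@c8y/style": "1021.22.145",
    "rxjs": "7.8.1",
  },
};

console.log(auditWebSdk(samplePkg, "Y2025"));
```

For entries reported as `check-lockfile`, confirm the version actually installed, for example with `npm ls @c8y/ngx-components`.
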
Environment upgrades
| Release Track | Required minimum platform version |
|---|---|
| CD | The default applications and plugins in all CD environments are fixed |
| Y2026 | y2026.0 will contain all the necessary fixes. |
| Y2025 | y2025.20 maintenance release contains the necessary fixes |
Recommended Action
Update custom applications and plugins: Update all custom applications and plugins utilizing the Web SDK to the relevant patched version listed above to ensure you are protected against this vulnerability.
Update environments: Update environments to the y2025.20 maintenance release, or higher.
Risk if you do not take action
The vulnerability allows malicious users to construct specially crafted URLs targeting affected applications and plugins. These URLs can be used to alter the visual display of the application, deceive users (for example, via phishing), and potentially lead to data exfiltration by overlaying harmful UI elements.
Support
For further assistance, please contact Cumulocity Support.