Please report security issues privately via GitHub's Report a vulnerability button on the Security tab, or by email to the maintainers listed in the README. Do not open a public issue for vulnerability reports.

EditorPowertools depends on EPiServer.CMS and EPiServer.CMS.UI.Core. Those packages carry their own transitive dependencies, some of which currently have known CVE advisories. We cannot fix these from within this add-on — a patched version of the affected EPiServer package would need to be released upstream.

The list below reflects the state as of the latest release tag.

All entries above are transitive — they are not direct dependencies of UmageAI.Optimizely.EditorPowerTools. The EditorPowertools code base does not invoke the affected APIs directly.

If your deployment's threat model requires closing these advisories:

• Override the transitive version in your host project by adding a top-level <PackageReference> to the patched version. NuGet's direct dependency wins rule lets you pin newer versions than the one EPiServer transitively resolves:

  <ItemGroup>
    <PackageReference Include="MailKit" Version="4.17.0" />
    <PackageReference Include="SixLabors.ImageSharp" Version="3.1.11" />
  </ItemGroup>

  Only do this if your build still passes end-to-end — EPiServer may assume a specific transitive range and break on mismatched majors.

• Track upstream for patched releases of EPiServer.CMS.UI.Core.

• Removed dependency on EPiServer via EPPlusFree 4.5.3.8. Replaced with ClosedXML for Excel import/export. This eliminated a Critical advisory on System.Drawing.Common (GHSA-rxg9-xrhp-64gj) and a High advisory on System.IO.Packaging (GHSA-f32c-w444-8ppv) that were pulled transitively through the old Excel library.

• Relaxed EPiServer.CMS / EPiServer.CMS.UI.Core references from exact-pin to 12.* / 13.* to avoid unresolvable conflicts with sibling EPiServer packages in consumer projects.