Bien Nguyen
Oct 21, 2025
visibility 3006
star star star star star
(4 votes)

MimeKit Vulnerability and EPiServer.CMS.Core Dependency Update

Hi everyone,

We want to inform you about a critical security vulnerability affecting older versions of the EPiServer.CMS.Core package due to its indirect dependency on MimeKit 3.0.

🔍 What’s the Issue?

Versions of EPiServer.CMS.Core prior to 12.22.4 have a dependency on MailKit 3.0 up to 4.x, which in turn depends on MimeKit 3.0. Unfortunately, MimeKit 3.0 contains a high severity vulnerability, the patch version is 4.7.1.

✅ What We Did

Starting from EPiServer.CMS.Core version 12.22.4, which was released for a couple of months, we updated the dependency range for MailKit to [3.0, 5.0). This change allows you to be able to manually upgrade MailKit and MimeKit to safer versions. Specifically, we recommend upgrading the MailKit package to 4.7.1 or higher which requires the patch version of MimeKit 4.7.1 or higher.

📢 What You Should Do

We strongly advise:

  1. Upgrade EPiServer.CMS.Core to version 12.22.4 or later.
  2. Manually upgrade MailKit to version 4.7.1 or higher.

This will eliminate the vulnerability and align your application with best security practices.

Note: Upgrading MailKit to a new major version (v4) should not cause any issues in CMS. We have already verified compatibility when extending the dependency range in version 12.22.4.
However, if your application directly uses MailKit, please be aware that MailKit v4 introduces changes in public APIs, and you may need to update your implementation accordingly.

🔒 Looking Ahead

Security is a top priority for us. We are actively considering enforcing a higher minimum version of MailKit in future CMS Core releases to ensure all customers benefit from secure defaults.


If you have any questions, please reach out to our support team. Thank you for your continued trust and commitment to secure software practices.

Oct 21, 2025

Comments

Linda Mohacsi
Linda Mohacsi May 6, 2026 08:44 AM

The latest version of Episerver.Find.Framework (as I type that is version 16.7.1) has a transient reference to EPiServer.CMS.Core 12.21.2, which requires MailKit < 4.0.0

We added Forms to our solution but emailing from Forms did not work. No errors could be seen in the log. After a lot of troubleshooting we found that this mismatch in package dependencies was the issue.
We had to manually upgrade MailKit and MimeKit as per this article, and upgrade both EPiServer.CMS.Core and EPiServer.CMS.AspNet.Core to version 12.22.4 or later that supports MailKit >4.0.0

I hope this helps anyone troubleshooting the same issue!

The screenshot is of Find 16.7.0, but the same issue remains in version 16.7.1.

When is a version of Find that references a later version of EPiServer.CMS.Core going to be released?

error Please login to comment.
Latest blogs
Architecting an Enterprise-Grade Development Pipeline in Optimizely SaaS CMS

Most enterprise teams show up to Optimizely SaaS CMS with a clear roadmap for their release pipeline: DEV → QA → Stage → Prod. Four logical...

Vipin Banka | Jul 12, 2026

Bynder DAM Connector for Optimizely SaaS CMS: Improved Metadata Property Synchronization

While working with the Bynder DAM Connector for Optimizely SaaS CMS , one of the key areas I explored was how Bynder asset metadata is synchronized...

Vipin Banka | Jul 11, 2026

Optimizely DXP: Every Supported Culture, One Searchable Page

Quick one for anyone building multi-language sites on Optimizely DXP. I put together a reference tool listing all 806 supported cultures. More...

Adnan Zameer | Jul 10, 2026 |

A day in the life of an Optimizely OMVP: London Meetup 2026

On 2nd July 2026 the Optimizely London Developer Meetup returned to The Lightwell, and the running theme across the evening was less about individu...

Graham Carr | Jul 10, 2026

Optimizely’s Summer ’26 Roadmap: The CMS Is Starting to Look Less Like a Publishing Tool and More Like Marketing Infrastructure

Optimizely’s Summer ’26 Product Roadmap event was not just a list of product updates. At least, that is not the part I found most interesting. The...

Augusto Davalos | Jul 9, 2026

Optimizely Content JS SDK v2.1.0 — What's New and Why It Matters

  v2.1.0 of the Optimizely Content JS SDK and CLI landed on July 7, 2026. This is a substantial release bringing a wave of capabilities for...

Vipin Banka | Jul 8, 2026