Does XbyK use React2Shell?

Answers

2025/12/10 6:38 PM

No, to my knowledge XbyK doesn't use React2Shell and isn't affected by CVE-2025-55182.

I checked the npm packages used for admin customization (@kentico/xperience-admin-base and @kentico/xperience-admin-components, version 30.12.3). Both bundle React 18.3.1, which isn't affected by this vulnerability.

The vulnerability only affects React 19.x (19.0, 19.1.0, 19.1.1, 19.2.0), and it's specific to React Server Components. XbyK uses client-side React, not RSC, so even if it were on React 19.x, the risk would be lower.

Important disclaimer: I can only verify what's in the admin customization npm packages. I can't confirm what the core Xperience product uses internally. I'm assuming the npm packages align with the core product, but for a definitive answer, check with Kentico support.

Let's see if Kentico provides an official statement.

2025/12/10 6:46 PM

Milan is correct. Xperience by Kentico is not affected by this vulnerability at all.

That said, React2Shell is not something that a library or product uses - it is the "name" given to this vulnerability. The technology that experiences the React2Shell vulnerability is React server components.

Xperience by Kentico does use React for client-side rendering of UI in the Xperience administration. It does not use React Server Components - React code that executes on the server side of an application. This is key because it's the server-side environment which gives the attacker access to the shell of that server.

Check out the docs which show that the client-side React code sends requests to ASP.NET Core endpoints, not React endpoints.

Finally, if you are interested in security advisories for Xperience by Kentico, you can read our security advisories page in our documentation and subscribe to the RSS feed which is also linked there. That is our recommended channel for customers and partner agencies to stay aware of these updates.
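The check the first answer describes (which React version an npm project actually bundles) and the second answer's point (only React Server Components are exposed) can be automated against a project's lockfile. This is an added example, not code from the thread or from Kentico; the `react-server-dom-*` heuristic for detecting RSC usage and the sample lockfile are my assumptions, and the affected versions are the ones the answers list.

```python
import json
import re

# Versions the answers above name as affected; npm publishes "19.0" as 19.0.0.
AFFECTED_REACT_VERSIONS = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}

# Heuristic (my assumption, not from the thread): React Server Components are
# wired up through react-server-dom-* packages, so their presence in the
# lockfile hints that RSC is actually in use rather than client-only React.
RSC_PACKAGE_RE = re.compile(r"(^|/)react-server-dom-[a-z]+$")


def audit_lockfile(lock_text: str) -> dict:
    """Check a package-lock.json (lockfileVersion 2/3) for the listed React
    versions and for RSC packages; returns every React copy, the affected
    subset, the RSC packages found and a one-line verdict."""
    packages = json.loads(lock_text).get("packages", {})
    react_versions, rsc_packages = {}, []
    for path, meta in packages.items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        if path == "node_modules/react" or path.endswith("/node_modules/react"):
            react_versions[path] = meta.get("version", "unknown")
        if RSC_PACKAGE_RE.search(path):
            rsc_packages.append(path)
    affected = {p: v for p, v in react_versions.items()
                if v in AFFECTED_REACT_VERSIONS}
    if affected and rsc_packages:
        verdict = "affected: listed React version and RSC packages present"
    elif affected:
        verdict = "review: listed React version bundled, no RSC packages found"
    else:
        verdict = "not affected: no listed React version in lockfile"
    return {"react_versions": react_versions, "affected": affected,
            "rsc_packages": rsc_packages, "verdict": verdict}


# Constructed sample lockfile modelled on the first answer: an admin
# customization project pinning React 18.3.1 (root and a nested copy).
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "admin-customization"},
        "node_modules/react": {"version": "18.3.1"},
        "node_modules/@kentico/xperience-admin-base": {"version": "30.12.3"},
        "node_modules/some-widget/node_modules/react": {"version": "18.3.1"},
    },
})

if __name__ == "__main__":
    print(audit_lockfile(SAMPLE_LOCK)["verdict"])
```

Point it at a real `package-lock.json` to see nested React copies that a top-level `npm ls` summary can hide.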
