- Sitecore completed the rebrand from XM Cloud to **SitecoreAI**, unifying CMS, DAM, Search, Personalize, CDP, and Stream into a single AI-first platform with simplified licensing and agentic automation baked into every workflow.
- **Content SDK v2.0** (March 19) is the headline SDK release — adds Next.js 16, agent skills, search package, analytics consolidation, and React 19 hooks; contains multiple breaking changes.
- **JSS 22.x enters final maintenance** — EOL scheduled for **June 2026**; JSS 22.12 (March 31) backports Next.js 16 and agent skills but no new features will follow.
- **Agentic Studio** expanded significantly in Q1 with workflow agents, spaces for multi-agent chaining, and content-at-scale processing (February and March releases).
- No new CVEs were published in the research window; however, fallout from **CVE-2025-53690** (CVSS 9.0, ViewState deserialization zero-day exploited by APT) continued with CISA enforcement and community remediation guidance into early 2026.
---
**Content SDK v2.0** introduces `@sitecore-content-sdk/search`, `analytics-core`, `events`, and `personalize` packages; decouples `content` from `core`; replaces HOCs with `useSitecore` hook and `SitecoreProvider`; requires Next.js 16 and Node.js 24.
**Content SDK v2.0 breaking changes**: middleware renamed from `middleware.ts` to `proxy.ts`; `remotePatterns` replaces `images.domains`; Suspense disabled by default; redirects default to default locale.
**JSS 22.12** mirrors Content SDK 2.0 framework upgrades (Next.js 16, Node.js 24) but is the last feature-aligned release before EOL.
**Base image 1.6.1483** reduces memory via AccessResultCacheKey interning and parallelizes CMP relation processor pipeline.
**Sitecore documentation** migrated to a new Markdown-based platform (March 25) with improved search and performance.
Security Advisories
CVE / Advisory | Severity | Summary | Affected versions | Fixed in
CVE-2025-53690 | Critical (9.0)
ViewState deserialization zero-day exploited by China-linked APT (UAT-8837). Default ASP.NET machine key from legacy deployment guides enabled RCE. Exploitation active since Dec 2024. Remediation: rotate machine keys, apply patch.
Hardcoded credentials + two post-auth RCE flaws chain into pre-auth RCE.
Affected: XP 10.4.1 | Fixed: Patch May 2025
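
An added example (not from the original digest and not Sitecore's code): a minimal audit of `web.config` content for the static `<machineKey>` values that the CVE-2025-53690 remediation above says to rotate. The sample configs, their key values, and the `known_published` deny list are constructed assumptions.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample configs; the key values are made up for this example.
STATIC_CONFIG = """<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
              decryptionKey="FEDCBA9876543210FEDCBA9876543210"
              validation="SHA1" decryption="AES" />
</system.web></configuration>"""

AUTOGEN_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""

HEX_KEY = re.compile(r"[0-9A-Fa-f]{16,}")


def audit_machine_keys(config_xml, known_published=frozenset()):
    """Return (attribute, verdict, key_bits) for each explicit machine key.

    known_published is a hypothetical operator-supplied set of SHA-256 hex
    digests of keys known to be public (for example, copied from a guide).
    """
    findings = []
    for element in ET.fromstring(config_xml).iter():
        # Tolerate configs that declare an XML namespace on <configuration>.
        if element.tag.rsplit("}", 1)[-1] != "machineKey":
            continue
        for attr in ("validationKey", "decryptionKey"):
            key = (element.get(attr) or "").split(",")[0].strip()
            if not key or key.lower() == "autogenerate":
                continue  # generated per machine, nothing static to leak
            digest = hashlib.sha256(key.upper().encode()).hexdigest()
            if digest in known_published:
                verdict = "published"   # treat as compromised: rotate now
            elif HEX_KEY.fullmatch(key):
                verdict = "static"      # rotate if ever shared or committed
            else:
                verdict = "malformed"
            findings.append((attr, verdict, len(key) * 4))
    return findings


if __name__ == "__main__":
    for name, xml_text in (("static", STATIC_CONFIG), ("autogen", AUTOGEN_CONFIG)):
        print(name, audit_machine_keys(xml_text))
```

Any `static` or `published` finding means the ViewState signing and encryption keys live in a file; after rotation, rerun the audit against every environment's config and any copies in source control.
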
Ecosystem Trends
**Agentic Studio is Sitecore's primary differentiator play.**
Q1 2026 saw three major Agentic Studio updates (January configuration, February spaces/collaboration, March workflow agents and content-at-scale). Multi-agent chaining within Spaces signals a move toward orchestrated AI content pipelines, not just single-prompt generation.

**JSS wind-down accelerating.**
With JSS 22.12 explicitly labeled as maintenance-only and EOL in June 2026, Content SDK is now the sole forward-investment SDK. Community partners (Fishtank, AgencyQ) are publishing migration guides, indicating active migration pressure across the ecosystem.

**Content SDK agent skills signal developer-AI convergence.**
Content SDK v2.0 ships `AGENTS.md` and `.agents/skills/` directories in its templates, embedding AI coding assistance into the default project scaffold. This positions Sitecore head apps as "agent-ready" out of the box.

**SitecoreAI rebrand consolidates licensing and narrative.**
The XM Cloud brand is retired; SitecoreAI unifies CMS, DAM, CDP, Personalize, Search, and Stream under one product with "unlimited AI" licensing. Analyst coverage (CMSWire, Velir) frames this as "composed is the new composable."

**Community sentiment: cautiously positive on SaaS, still frustrated on legacy.**
G2 and Gartner reviews praise XM Cloud/SitecoreAI flexibility; persistent complaints center on steep learning curve, licensing cost for smaller orgs, and legacy XP upgrade complexity. The 2026 MVP class (213 members) remains active, and Sitecore community blog output is steady.