Skip to main content

Progress Sitefinity CVE-2026-7195

| EUVDEUVD-2026-33918 HIGH
Improper Input Validation (CWE-20)
2026-06-02 security@progress.com GHSA-5846-8mmv-m39j
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jun 02, 2026 - 16:01 EUVD
Analysis Generated
Jun 02, 2026 - 14:31 vuln.today

DescriptionCVE.org

CWE-20: Improper Input Validation in web services in Progress Sitefinity 14.1.x through 14.3.x, 14.4.x before 14.4.8152, 15.0.x before 15.0.8234, 15.1.x before 15.1.8335, 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote unauthenticated attacker to compromise the integrity and confidentiality of user accounts. Successful exploitation requires user interaction and a non-default site configuration.

AnalysisAI

Account compromise in Progress Sitefinity CMS (14.1.x-15.4.x prior to the May 2026 fix train) allows a remote unauthenticated attacker to violate the integrity and confidentiality of user accounts when an administrator runs a non-default site configuration and a victim is induced to interact with attacker-controlled content. The flaw is rooted in improper input validation (CWE-20) in Sitefinity's web services and carries a high CVSS of 8.8, but no public exploit has been identified at time of analysis and it is not listed in CISA KEV.

Technical ContextAI

Progress Sitefinity is a .NET-based digital experience and content management platform widely deployed for public-facing corporate websites and customer portals. The weakness sits in the product's web service tier and is classified under CWE-20 (Improper Input Validation), meaning a component accepts data from clients without sufficiently constraining its type, format, or semantic content before acting on it. Because the affected surface is the web services layer, the validation gap is reachable over HTTP(S) without prior authentication, but the actual user-account compromise requires the victim's browser session or click to complete the chain - consistent with patterns such as request forgery, reflected injection, or unsafe deserialization of user-supplied parameters triggered through a crafted link.

RemediationAI

The primary remediation is to install the vendor-released patched builds: upgrade to Sitefinity 14.4.8152, 15.0.8234, 15.1.8335, 15.2.8441, 15.3.8531, or 15.4.8630 (or later) on the matching branch, as published in the Progress Sitefinity Security Advisory of May 2026 at https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026; the 14.1.x-14.3.x branches appear unpatched, so migration to a supported branch is required for those deployments. If immediate patching is not feasible, audit which non-default site configuration enables the issue (consult the advisory for the exact toggle) and revert it to default - this is the most targeted compensating control and will reduce functionality only for the feature being disabled. As secondary mitigations, place the Sitefinity web-service endpoints behind a WAF rule that constrains the parameters identified by Progress, and reduce phishing surface by enforcing SameSite cookies and CSP on authenticated admin sessions, accepting that this hardens but does not eliminate the user-interaction step.

CVE-2018-17055 HIGH POC
7.5 Sep 28

An arbitrary file upload vulnerability in Progress Sitefinity CMS versions 4.0 through 11.0 related to image uploads. Ra

CVE-2026-7312 CRITICAL
10.0 Jun 02

Credential disclosure in Progress Sitefinity 14.0.7700-15.4.8630 allows remote unauthenticated attackers to retrieve pla

CVE-2026-7198 CRITICAL
9.8 Jun 02

Unauthenticated access control bypass in Progress Sitefinity 15.4.8623 (fixed in 15.4.8630) enables remote attackers to

CVE-2023-29375 CRITICAL
9.8 Apr 10

An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2

CVE-2019-17392 CRITICAL
9.8 Nov 26

Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a Forgotten Password because the HTTP Host header is

CVE-2026-7201 HIGH
8.8 Jun 02

Authenticated account takeover in Progress Sitefinity 15.2.x, 15.3.x, and 15.4.x allows a low-privileged remote user to

CVE-2026-7313 HIGH
8.7 Jun 02

Credential exposure in Progress Sitefinity versions 8.0.5700 through 13.3.7652 allows authenticated back-end users to re

CVE-2024-1632 MEDIUM
6.5 Feb 28

Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site's administrati

CVE-2019-7215 MEDIUM
6.5 Jun 06

Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. Rated medium severity (CVSS 6.5), this v

CVE-2024-1636 MEDIUM
5.4 Feb 28

Potential Cross-Site Scripting (XSS) in the page editing area. Rated medium severity (CVSS 5.4), this vulnerability is r

CVE-2023-29376 MEDIUM
5.4 Apr 10

An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2

CVE-2023-6784 MEDIUM
4.3 Dec 20

A malicious user could potentially use the Sitefinity system for the distribution of phishing emails. Rated medium sever

Share

CVE-2026-7195 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy