Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
CWE-20: Improper Input Validation in web services in Progress Sitefinity 14.1.x through 14.3.x, 14.4.x before 14.4.8152, 15.0.x before 15.0.8234, 15.1.x before 15.1.8335, 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote unauthenticated attacker to compromise the integrity and confidentiality of user accounts. Successful exploitation requires user interaction and a non-default site configuration.
AnalysisAI
Account compromise in Progress Sitefinity CMS (14.1.x-15.4.x prior to the May 2026 fix train) allows a remote unauthenticated attacker to violate the integrity and confidentiality of user accounts when an administrator runs a non-default site configuration and a victim is induced to interact with attacker-controlled content. The flaw is rooted in improper input validation (CWE-20) in Sitefinity's web services and carries a high CVSS of 8.8, but no public exploit has been identified at time of analysis and it is not listed in CISA KEV.
Technical ContextAI
Progress Sitefinity is a .NET-based digital experience and content management platform widely deployed for public-facing corporate websites and customer portals. The weakness sits in the product's web service tier and is classified under CWE-20 (Improper Input Validation), meaning a component accepts data from clients without sufficiently constraining its type, format, or semantic content before acting on it. Because the affected surface is the web services layer, the validation gap is reachable over HTTP(S) without prior authentication, but the actual user-account compromise requires the victim's browser session or click to complete the chain - consistent with patterns such as request forgery, reflected injection, or unsafe deserialization of user-supplied parameters triggered through a crafted link.
RemediationAI
The primary remediation is to install the vendor-released patched builds: upgrade to Sitefinity 14.4.8152, 15.0.8234, 15.1.8335, 15.2.8441, 15.3.8531, or 15.4.8630 (or later) on the matching branch, as published in the Progress Sitefinity Security Advisory of May 2026 at https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026; the 14.1.x-14.3.x branches appear unpatched, so migration to a supported branch is required for those deployments. If immediate patching is not feasible, audit which non-default site configuration enables the issue (consult the advisory for the exact toggle) and revert it to default - this is the most targeted compensating control and will reduce functionality only for the feature being disabled. As secondary mitigations, place the Sitefinity web-service endpoints behind a WAF rule that constrains the parameters identified by Progress, and reduce phishing surface by enforcing SameSite cookies and CSP on authenticated admin sessions, accepting that this hardens but does not eliminate the user-interaction step.
More in Sitefinity
View allAn arbitrary file upload vulnerability in Progress Sitefinity CMS versions 4.0 through 11.0 related to image uploads. Ra
Credential disclosure in Progress Sitefinity 14.0.7700-15.4.8630 allows remote unauthenticated attackers to retrieve pla
Unauthenticated access control bypass in Progress Sitefinity 15.4.8623 (fixed in 15.4.8630) enables remote attackers to
An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2
Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a Forgotten Password because the HTTP Host header is
Authenticated account takeover in Progress Sitefinity 15.2.x, 15.3.x, and 15.4.x allows a low-privileged remote user to
Credential exposure in Progress Sitefinity versions 8.0.5700 through 13.3.7652 allows authenticated back-end users to re
Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site's administrati
Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. Rated medium severity (CVSS 6.5), this v
Potential Cross-Site Scripting (XSS) in the page editing area. Rated medium severity (CVSS 5.4), this vulnerability is r
An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2
A malicious user could potentially use the Sitefinity system for the distribution of phishing emails. Rated medium sever
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33918
GHSA-5846-8mmv-m39j