Skip to main content

Progress Sitefinity CVE-2026-7312

| EUVDEUVD-2026-33921 CRITICAL
Insufficiently Protected Credentials (CWE-522)
2026-06-02 security@progress.com GHSA-2h6v-g45h-32xx
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
Jun 02, 2026 - 16:01 EUVD
Analysis Generated
Jun 02, 2026 - 14:30 vuln.today

DescriptionCVE.org

CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 14.0.7700 to 14.4.8152, and 15.0.8200 to 15.0.8234, and 15.1.8300 to 15.1.8335, 15.2.8400 to 15.2.8441, 15.3.8500 to 15.3.8531, and 15.4.8600 to 15.4.8630 allows a remote unauthenticated attacker to obtain plain-text credentials used connect to Sitefinity Insight service. Successful exploitation requires active integration with Sitefinity Insight and non-default site configuration.

AnalysisAI

Credential disclosure in Progress Sitefinity 14.0.7700-15.4.8630 allows remote unauthenticated attackers to retrieve plaintext credentials used to connect to the Sitefinity Insight analytics service. The CVSS 10.0 score reflects network-reachable, no-auth, no-interaction exploitation with cross-scope impact, though exploitation is gated on the site having active Sitefinity Insight integration and a non-default configuration. No public exploit identified at time of analysis and the vendor (Progress) is the sole reporting source via a May 2026 advisory.

Technical ContextAI

Progress Sitefinity is a .NET-based digital experience and web content management platform commonly deployed for enterprise marketing sites. The vulnerability sits in Sitefinity's web services layer that handles configuration for the Sitefinity Insight integration - a separate Progress SaaS analytics/personalization product that ingests behavioral data from Sitefinity sites. The root cause maps to CWE-522 (Insufficiently Protected Credentials): the Insight connection credentials are exposed in plain text through a web service path reachable without authentication, rather than being protected behind admin-only endpoints or stored/transmitted only in protected form. The advisory does not specify the exact endpoint, but the CVSS Scope:Changed metric indicates the bug in Sitefinity yields impact against a separate security authority - consistent with stealing credentials that authenticate the site to the downstream Insight tenant.

RemediationAI

Patch available per vendor advisory - apply the fixed builds published by Progress in the May 2026 Sitefinity security advisory (https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026); exact post-fix version numbers per branch are not enumerated in the available data and must be confirmed against that advisory. As an interim compensating control while patching, customers running Sitefinity Insight integration should rotate the Insight API credentials immediately after patching (assume them compromised), disable the Insight integration if it is not in active use to eliminate the exposed credential, and place authentication or network-layer restrictions in front of Sitefinity's web service endpoints - for example by IP-allowlisting administrative paths at the reverse proxy or WAF - accepting that overly broad blocking can also break legitimate Insight callbacks and editor tooling. Reverting to the default site configuration, where compatible, also avoids the vulnerable code path per the vendor's description but may regress site behavior that depended on the customization.

CVE-2018-17055 HIGH POC
7.5 Sep 28

An arbitrary file upload vulnerability in Progress Sitefinity CMS versions 4.0 through 11.0 related to image uploads. Ra

CVE-2026-7198 CRITICAL
9.8 Jun 02

Unauthenticated access control bypass in Progress Sitefinity 15.4.8623 (fixed in 15.4.8630) enables remote attackers to

CVE-2023-29375 CRITICAL
9.8 Apr 10

An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2

CVE-2019-17392 CRITICAL
9.8 Nov 26

Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a Forgotten Password because the HTTP Host header is

CVE-2026-7195 HIGH
8.8 Jun 02

Account compromise in Progress Sitefinity CMS (14.1.x-15.4.x prior to the May 2026 fix train) allows a remote unauthenti

CVE-2026-7201 HIGH
8.8 Jun 02

Authenticated account takeover in Progress Sitefinity 15.2.x, 15.3.x, and 15.4.x allows a low-privileged remote user to

CVE-2026-7313 HIGH
8.7 Jun 02

Credential exposure in Progress Sitefinity versions 8.0.5700 through 13.3.7652 allows authenticated back-end users to re

CVE-2024-1632 MEDIUM
6.5 Feb 28

Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site's administrati

CVE-2019-7215 MEDIUM
6.5 Jun 06

Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. Rated medium severity (CVSS 6.5), this v

CVE-2024-1636 MEDIUM
5.4 Feb 28

Potential Cross-Site Scripting (XSS) in the page editing area. Rated medium severity (CVSS 5.4), this vulnerability is r

CVE-2023-29376 MEDIUM
5.4 Apr 10

An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2

CVE-2023-6784 MEDIUM
4.3 Dec 20

A malicious user could potentially use the Sitefinity system for the distribution of phishing emails. Rated medium sever

Share

CVE-2026-7312 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy