Skip to main content

Progress Sitefinity CVE-2026-7313

| EUVDEUVD-2026-33922 HIGH
Insufficiently Protected Credentials (CWE-522)
2026-06-02 security@progress.com GHSA-28j7-fpg4-34hj
8.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
Jun 02, 2026 - 16:01 EUVD
Analysis Generated
Jun 02, 2026 - 14:32 vuln.today

DescriptionCVE.org

CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 8.0.5700 to 13.3.7652 allows a remote authenticated attacker to obtain plain-text credentials used connect to Sitefinity Insight service. Successful exploitation requires active integration with Sitefinity Insight, non-default site configuration and valid back-end authorization.

AnalysisAI

Credential exposure in Progress Sitefinity versions 8.0.5700 through 13.3.7652 allows authenticated back-end users to retrieve plain-text credentials used by the CMS to connect to the Sitefinity Insight analytics service. The CVSS 3.1 score of 8.7 with scope change (S:C) reflects that stolen Insight credentials can pivot into an adjacent system beyond the CMS itself. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; EPSS data was not provided in the input.

Technical ContextAI

Sitefinity is Progress Software's enterprise .NET-based CMS and digital experience platform. The flaw is classified as CWE-522 (Insufficiently Protected Credentials), meaning credentials are stored or transmitted in a recoverable form rather than being protected through hashing, encryption, or a secret-management layer. In this case, the integration credentials Sitefinity uses to authenticate to Sitefinity Insight (the analytics/personalization SaaS companion to the CMS) are exposed in plain text through web services accessible to authorized back-end users, rather than being masked or restricted to the configuration subsystem. The CVE description does not list a CWE in the structured NVD field (CWE: N/A) but the description text explicitly cites CWE-522.

RemediationAI

Apply the fix per the Progress Sitefinity May 2026 Security Advisory at https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026; the input does not name a specific fixed version, so the status is patch available per vendor advisory - confirm the exact upgrade target with Progress before deploying. After upgrading, rotate the Sitefinity Insight integration credentials since any prior values must be assumed disclosed to any back-end user who could reach the affected web services. Compensating controls until patched: restrict back-end Sitefinity administrative access to a small, audited set of accounts and enforce MFA on those accounts; temporarily disable the Sitefinity Insight integration if it is not business-critical (trade-off: loss of analytics and personalization data flow); and place the Sitefinity admin interface behind a VPN or IP allow-list to shrink the network exposure implied by AV:N. Review audit logs for unexpected access to the affected web service endpoints before rotation, because rotation alone will not reveal whether the secret has already been retrieved.

CVE-2018-17055 HIGH POC
7.5 Sep 28

An arbitrary file upload vulnerability in Progress Sitefinity CMS versions 4.0 through 11.0 related to image uploads. Ra

CVE-2026-7312 CRITICAL
10.0 Jun 02

Credential disclosure in Progress Sitefinity 14.0.7700-15.4.8630 allows remote unauthenticated attackers to retrieve pla

CVE-2026-7198 CRITICAL
9.8 Jun 02

Unauthenticated access control bypass in Progress Sitefinity 15.4.8623 (fixed in 15.4.8630) enables remote attackers to

CVE-2023-29375 CRITICAL
9.8 Apr 10

An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2

CVE-2019-17392 CRITICAL
9.8 Nov 26

Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a Forgotten Password because the HTTP Host header is

CVE-2026-7195 HIGH
8.8 Jun 02

Account compromise in Progress Sitefinity CMS (14.1.x-15.4.x prior to the May 2026 fix train) allows a remote unauthenti

CVE-2026-7201 HIGH
8.8 Jun 02

Authenticated account takeover in Progress Sitefinity 15.2.x, 15.3.x, and 15.4.x allows a low-privileged remote user to

CVE-2024-1632 MEDIUM
6.5 Feb 28

Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site's administrati

CVE-2019-7215 MEDIUM
6.5 Jun 06

Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. Rated medium severity (CVSS 6.5), this v

CVE-2024-1636 MEDIUM
5.4 Feb 28

Potential Cross-Site Scripting (XSS) in the page editing area. Rated medium severity (CVSS 5.4), this vulnerability is r

CVE-2023-29376 MEDIUM
5.4 Apr 10

An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2

CVE-2023-6784 MEDIUM
4.3 Dec 20

A malicious user could potentially use the Sitefinity system for the distribution of phishing emails. Rated medium sever

Share

CVE-2026-7313 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy