Sitefinity
Monthly
Credential exposure in Progress Sitefinity versions 8.0.5700 through 13.3.7652 allows authenticated back-end users to retrieve plain-text credentials used by the CMS to connect to the Sitefinity Insight analytics service. The CVSS 3.1 score of 8.7 with scope change (S:C) reflects that stolen Insight credentials can pivot into an adjacent system beyond the CMS itself. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; EPSS data was not provided in the input.
Credential disclosure in Progress Sitefinity 14.0.7700-15.4.8630 allows remote unauthenticated attackers to retrieve plaintext credentials used to connect to the Sitefinity Insight analytics service. The CVSS 10.0 score reflects network-reachable, no-auth, no-interaction exploitation with cross-scope impact, though exploitation is gated on the site having active Sitefinity Insight integration and a non-default configuration. No public exploit identified at time of analysis and the vendor (Progress) is the sole reporting source via a May 2026 advisory.
Authenticated account takeover in Progress Sitefinity 15.2.x, 15.3.x, and 15.4.x allows a low-privileged remote user to modify account properties belonging to other users - including potentially higher-privileged accounts - by manipulating user-controlled identifiers in web service requests. The flaw is an IDOR-style authorization bypass (CWE-639) and, while no public exploit has been identified at time of analysis, the 8.8 CVSS rating reflects realistic escalation to account compromise once a foothold exists. No vendor-released patch data, KEV listing, or EPSS score was supplied with this advisory.
Unauthenticated access control bypass in Progress Sitefinity 15.4.8623 (fixed in 15.4.8630) enables remote attackers to reach restricted content via the product's web services, leading to full compromise of confidentiality, integrity, and availability. The CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) rating reflects trivial network-reachable exploitation, and Progress has issued a coordinated advisory covering this and four sibling CVEs; no public exploit identified at time of analysis.
Account compromise in Progress Sitefinity CMS (14.1.x-15.4.x prior to the May 2026 fix train) allows a remote unauthenticated attacker to violate the integrity and confidentiality of user accounts when an administrator runs a non-default site configuration and a victim is induced to interact with attacker-controlled content. The flaw is rooted in improper input validation (CWE-20) in Sitefinity's web services and carries a high CVSS of 8.8, but no public exploit has been identified at time of analysis and it is not listed in CISA KEV.
: Insufficient Session Expiration vulnerability in Progress Sitefinity allows : Session Fixation.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Neutralization of Input During CMS Backend (adminstrative section) Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Progress Sitefinity.0 through 14.4.8142, from. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Information Exposure Through an Error Message vulnerability in Progress Software Corporation Sitefinity.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Potential Cross-Site Scripting (XSS) in the page editing area. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site's administrative area. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A malicious user could potentially use the Sitefinity system for the distribution of phishing emails. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2 before 14.2.7930, and 14.3 before 14.3.8025. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2 before 14.2.7930, and 14.3 before 14.3.8025. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a Forgotten Password because the HTTP Host header is mishandled. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An arbitrary file upload vulnerability in Progress Sitefinity CMS versions 4.0 through 11.0 related to image uploads. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Credential exposure in Progress Sitefinity versions 8.0.5700 through 13.3.7652 allows authenticated back-end users to retrieve plain-text credentials used by the CMS to connect to the Sitefinity Insight analytics service. The CVSS 3.1 score of 8.7 with scope change (S:C) reflects that stolen Insight credentials can pivot into an adjacent system beyond the CMS itself. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; EPSS data was not provided in the input.
Credential disclosure in Progress Sitefinity 14.0.7700-15.4.8630 allows remote unauthenticated attackers to retrieve plaintext credentials used to connect to the Sitefinity Insight analytics service. The CVSS 10.0 score reflects network-reachable, no-auth, no-interaction exploitation with cross-scope impact, though exploitation is gated on the site having active Sitefinity Insight integration and a non-default configuration. No public exploit identified at time of analysis and the vendor (Progress) is the sole reporting source via a May 2026 advisory.
Authenticated account takeover in Progress Sitefinity 15.2.x, 15.3.x, and 15.4.x allows a low-privileged remote user to modify account properties belonging to other users - including potentially higher-privileged accounts - by manipulating user-controlled identifiers in web service requests. The flaw is an IDOR-style authorization bypass (CWE-639) and, while no public exploit has been identified at time of analysis, the 8.8 CVSS rating reflects realistic escalation to account compromise once a foothold exists. No vendor-released patch data, KEV listing, or EPSS score was supplied with this advisory.
Unauthenticated access control bypass in Progress Sitefinity 15.4.8623 (fixed in 15.4.8630) enables remote attackers to reach restricted content via the product's web services, leading to full compromise of confidentiality, integrity, and availability. The CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) rating reflects trivial network-reachable exploitation, and Progress has issued a coordinated advisory covering this and four sibling CVEs; no public exploit identified at time of analysis.
Account compromise in Progress Sitefinity CMS (14.1.x-15.4.x prior to the May 2026 fix train) allows a remote unauthenticated attacker to violate the integrity and confidentiality of user accounts when an administrator runs a non-default site configuration and a victim is induced to interact with attacker-controlled content. The flaw is rooted in improper input validation (CWE-20) in Sitefinity's web services and carries a high CVSS of 8.8, but no public exploit has been identified at time of analysis and it is not listed in CISA KEV.
: Insufficient Session Expiration vulnerability in Progress Sitefinity allows : Session Fixation.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Neutralization of Input During CMS Backend (adminstrative section) Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Progress Sitefinity.0 through 14.4.8142, from. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Information Exposure Through an Error Message vulnerability in Progress Software Corporation Sitefinity.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Potential Cross-Site Scripting (XSS) in the page editing area. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site's administrative area. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A malicious user could potentially use the Sitefinity system for the distribution of phishing emails. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2 before 14.2.7930, and 14.3 before 14.3.8025. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2 before 14.2.7930, and 14.3 before 14.3.8025. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a Forgotten Password because the HTTP Host header is mishandled. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An arbitrary file upload vulnerability in Progress Sitefinity CMS versions 4.0 through 11.0 related to image uploads. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.