Skip to main content

Sitefinity

16 CVEs product

Monthly

CVE-2026-7313 HIGH PATCH This Week

Credential exposure in Progress Sitefinity versions 8.0.5700 through 13.3.7652 allows authenticated back-end users to retrieve plain-text credentials used by the CMS to connect to the Sitefinity Insight analytics service. The CVSS 3.1 score of 8.7 with scope change (S:C) reflects that stolen Insight credentials can pivot into an adjacent system beyond the CMS itself. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; EPSS data was not provided in the input.

Information Disclosure Sitefinity
NVD VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-7312 CRITICAL PATCH Act Now

Credential disclosure in Progress Sitefinity 14.0.7700-15.4.8630 allows remote unauthenticated attackers to retrieve plaintext credentials used to connect to the Sitefinity Insight analytics service. The CVSS 10.0 score reflects network-reachable, no-auth, no-interaction exploitation with cross-scope impact, though exploitation is gated on the site having active Sitefinity Insight integration and a non-default configuration. No public exploit identified at time of analysis and the vendor (Progress) is the sole reporting source via a May 2026 advisory.

Information Disclosure Sitefinity
NVD VulDB
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-7201 HIGH PATCH This Week

Authenticated account takeover in Progress Sitefinity 15.2.x, 15.3.x, and 15.4.x allows a low-privileged remote user to modify account properties belonging to other users - including potentially higher-privileged accounts - by manipulating user-controlled identifiers in web service requests. The flaw is an IDOR-style authorization bypass (CWE-639) and, while no public exploit has been identified at time of analysis, the 8.8 CVSS rating reflects realistic escalation to account compromise once a foothold exists. No vendor-released patch data, KEV listing, or EPSS score was supplied with this advisory.

Authentication Bypass Sitefinity
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7198 CRITICAL PATCH Act Now

Unauthenticated access control bypass in Progress Sitefinity 15.4.8623 (fixed in 15.4.8630) enables remote attackers to reach restricted content via the product's web services, leading to full compromise of confidentiality, integrity, and availability. The CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) rating reflects trivial network-reachable exploitation, and Progress has issued a coordinated advisory covering this and four sibling CVEs; no public exploit identified at time of analysis.

Authentication Bypass Sitefinity
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-7195 HIGH PATCH This Week

Account compromise in Progress Sitefinity CMS (14.1.x-15.4.x prior to the May 2026 fix train) allows a remote unauthenticated attacker to violate the integrity and confidentiality of user accounts when an administrator runs a non-default site configuration and a victim is induced to interact with attacker-controlled content. The flaw is rooted in improper input validation (CWE-20) in Sitefinity's web services and carries a high CVSS of 8.8, but no public exploit has been identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Sitefinity
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2024-11627 MEDIUM This Month

: Insufficient Session Expiration vulnerability in Progress Sitefinity allows : Session Fixation.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Sitefinity
NVD
CVSS 3.1
6.8
EPSS
0.1%
CVE-2024-11626 HIGH This Month

Improper Neutralization of Input During CMS Backend (adminstrative section) Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Progress Sitefinity.0 through 14.4.8142, from. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Sitefinity
NVD
CVSS 3.1
8.4
EPSS
0.1%
CVE-2024-11625 HIGH This Month

Information Exposure Through an Error Message vulnerability in Progress Software Corporation Sitefinity.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Sitefinity
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2024-1636 MEDIUM This Month

Potential Cross-Site Scripting (XSS) in the page editing area. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Sitefinity
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2024-1632 MEDIUM This Month

Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site's administrative area. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Sitefinity
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2023-6784 MEDIUM This Month

A malicious user could potentially use the Sitefinity system for the distribution of phishing emails. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Sitefinity
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2023-29376 MEDIUM This Month

An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2 before 14.2.7930, and 14.3 before 14.3.8025. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Sitefinity
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-29375 CRITICAL Act Now

An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2 before 14.2.7930, and 14.3 before 14.3.8025. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload Microsoft Sitefinity
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2019-17392 CRITICAL Act Now

Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a Forgotten Password because the HTTP Host header is mishandled. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Sitefinity
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2019-7215 MEDIUM This Month

Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Sitefinity
NVD
CVSS 3.0
6.5
EPSS
1.0%
CVE-2018-17055 HIGH POC This Week

An arbitrary file upload vulnerability in Progress Sitefinity CMS versions 4.0 through 11.0 related to image uploads. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Sitefinity
NVD
CVSS 3.0
7.5
EPSS
1.0%
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Credential exposure in Progress Sitefinity versions 8.0.5700 through 13.3.7652 allows authenticated back-end users to retrieve plain-text credentials used by the CMS to connect to the Sitefinity Insight analytics service. The CVSS 3.1 score of 8.7 with scope change (S:C) reflects that stolen Insight credentials can pivot into an adjacent system beyond the CMS itself. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; EPSS data was not provided in the input.

Information Disclosure Sitefinity
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Credential disclosure in Progress Sitefinity 14.0.7700-15.4.8630 allows remote unauthenticated attackers to retrieve plaintext credentials used to connect to the Sitefinity Insight analytics service. The CVSS 10.0 score reflects network-reachable, no-auth, no-interaction exploitation with cross-scope impact, though exploitation is gated on the site having active Sitefinity Insight integration and a non-default configuration. No public exploit identified at time of analysis and the vendor (Progress) is the sole reporting source via a May 2026 advisory.

Information Disclosure Sitefinity
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Authenticated account takeover in Progress Sitefinity 15.2.x, 15.3.x, and 15.4.x allows a low-privileged remote user to modify account properties belonging to other users - including potentially higher-privileged accounts - by manipulating user-controlled identifiers in web service requests. The flaw is an IDOR-style authorization bypass (CWE-639) and, while no public exploit has been identified at time of analysis, the 8.8 CVSS rating reflects realistic escalation to account compromise once a foothold exists. No vendor-released patch data, KEV listing, or EPSS score was supplied with this advisory.

Authentication Bypass Sitefinity
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Unauthenticated access control bypass in Progress Sitefinity 15.4.8623 (fixed in 15.4.8630) enables remote attackers to reach restricted content via the product's web services, leading to full compromise of confidentiality, integrity, and availability. The CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) rating reflects trivial network-reachable exploitation, and Progress has issued a coordinated advisory covering this and four sibling CVEs; no public exploit identified at time of analysis.

Authentication Bypass Sitefinity
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Account compromise in Progress Sitefinity CMS (14.1.x-15.4.x prior to the May 2026 fix train) allows a remote unauthenticated attacker to violate the integrity and confidentiality of user accounts when an administrator runs a non-default site configuration and a victim is induced to interact with attacker-controlled content. The flaw is rooted in improper input validation (CWE-20) in Sitefinity's web services and carries a high CVSS of 8.8, but no public exploit has been identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Sitefinity
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM This Month

: Insufficient Session Expiration vulnerability in Progress Sitefinity allows : Session Fixation.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Sitefinity
NVD
EPSS 0% CVSS 8.4
HIGH This Month

Improper Neutralization of Input During CMS Backend (adminstrative section) Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Progress Sitefinity.0 through 14.4.8142, from. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Sitefinity
NVD
EPSS 0% CVSS 7.7
HIGH This Month

Information Exposure Through an Error Message vulnerability in Progress Software Corporation Sitefinity.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Sitefinity
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Potential Cross-Site Scripting (XSS) in the page editing area. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Sitefinity
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site's administrative area. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Sitefinity
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

A malicious user could potentially use the Sitefinity system for the distribution of phishing emails. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Sitefinity
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2 before 14.2.7930, and 14.3 before 14.3.8025. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Sitefinity
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2 before 14.2.7930, and 14.3 before 14.3.8025. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload Microsoft Sitefinity
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a Forgotten Password because the HTTP Host header is mishandled. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Sitefinity
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Sitefinity
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

An arbitrary file upload vulnerability in Progress Sitefinity CMS versions 4.0 through 11.0 related to image uploads. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Sitefinity
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy