CVE-2026-7195 · CVSS 8.8 · EXPLOITED · PATCHED
progress · sitefinity

CWE-20: Improper Input Validation in web services in Progress Sitefinity

Description

CWE-20: Improper Input Validation in web services in Progress Sitefinity 14.1.x through 14.3.x, 14.4.x before 14.4.8152, 15.0.x before 15.0.8234, 15.1.x before 15.1.8335, 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote unauthenticated attacker to compromise the integrity and confidentiality of user accounts. Successful exploitation requires user interaction and a non-default site configuration.

Affected Products

Vendor: progress
Product: sitefinity
Versions: 14.1.0, 14.4.8100, 15.0.8200, 15.1.8300, 15.2.8400, 15.3.8500, 15.4.8600

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor: progress
Product: sitefinity
Source: cert_advisory
Confidence: 90%

References

  • https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026 (vendor-advisory)

Related News (3 articles)

Tier B · CCCS Canada · 26d ago
Progress security advisory (AV26-552)
→ No new info (linked only)

Tier B · BSI Advisories · 28d ago
[NEW] [high] Progress Software Sitefinity: Multiple vulnerabilities
→ No new info (linked only)

Tier C · VulDB · 29d ago
CVE-2026-7195 | Progress Sitefinity up to 15.4.8629 Web Services input validation
→ No new info (linked only)

CVSS 3.1: 8.8 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: 14.4.0, 14.4.8152, 15.0.8234, 15.1.8335, 15.2.8441, 15.3.8531, 15.4.8630
CWE: CWE-20
Published: Jun 2, 2026
Last enriched: 29d ago (v2)
Trending Score: 2
Source articles: 3
Independent: 3
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

CRITICAL · CVE-2026-8037 · EXP · KEV
OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF
Trending: 128

CRITICAL · CVE-2026-7198
CWE-284: Improper Access Control in web services in Progress Sitefinity
Trending: 4

CRITICAL · CVE-2026-7312
CWE-522: Insufficiently Protected Credentials in web services in Progress Sitefinity
Trending: 3

HIGH · CVE-2026-7313
CWE-522: Insufficiently Protected Credentials in web services in Progress Sitefinity
Trending: 3

HIGH · CVE-2026-7201
CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity
Trending: 3

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Jun 2, 2026
Discovered by ZDM: Jun 2, 2026
Updated (severity, activelyExploited): Jun 2, 2026
Actively Exploited: Jun 4, 2026
Patch Available: Jun 4, 2026

Version History

v2 · Last enriched 29d ago

v2 · Tier C · 29d ago
Updated severity to CRITICAL, marked as actively exploited, and noted that no exploit is available.
severity, activelyExploited
via VulDB

v1 · 29d ago
Initial creation