Zero Day Monitor (ZDM) © 2026
CVE-2026-7201 · PATCHED · CVSS 8.8 · progress · sitefinity

CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity

Description

CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account properties of other users, potentially leading to account compromise. Successful exploitation requires knowledge of values that are not generally exposed to low-privileged users.
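The pattern behind CWE-639 in an account-property web service, as an added illustration (this is not Sitefinity's code; every handler name, role, record and GUID below is hypothetical and constructed): a handler that selects the record to modify by the userId the client sends, gated only by "is logged in", lets any authenticated user rewrite another account once they learn its identifier. The hardened handler binds the target to the authenticated session unless the caller holds an explicit privileged role, and decides before any write.

```python
"""CWE-639 in a profile-update web service: the vulnerable handler beside a
hardened one. Added illustration only; it is not Sitefinity code and every
name, role, record and GUID below is hypothetical/constructed."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class User:
    user_id: str          # opaque GUID, the "user-controlled key" in CWE-639 terms
    email: str
    roles: set[str] = field(default_factory=set)


class Forbidden(Exception):
    """Raised when an authenticated caller targets an account it may not edit."""


# Constructed sample accounts (hypothetical GUIDs, not real identifiers).
ALICE_ID = "3f2c9a1e-0000-4a6b-9c3d-000000000001"   # site administrator
BOB_ID = "7b1d4e22-0000-4f0c-8d1a-000000000002"     # low-privileged attacker
CAROL_ID = "c5e8f3a9-0000-4b7e-9a2c-000000000003"   # victim


def fresh_store() -> dict[str, User]:
    """A throwaway in-memory user table so each scenario starts clean."""
    users = [
        User(ALICE_ID, "alice@example.test", {"Administrators"}),
        User(BOB_ID, "bob@example.test"),
        User(CAROL_ID, "carol@example.test"),
    ]
    return {u.user_id: u for u in users}


def vulnerable_update(store: dict[str, User], session_user_id: str, payload: dict) -> User:
    """Vulnerable pattern: the record to modify is chosen by the userId the
    client sent, and the only gate is that the caller is logged in. Needing to
    know the victim's GUID (a value 'not generally exposed') is obscurity, not
    an authorization check; such ids leak through other endpoints, exports and
    logs."""
    target = store[payload["userId"]]
    target.email = payload["email"]
    return target


def hardened_update(store: dict[str, User], session_user_id: str, payload: dict) -> User:
    """Hardened pattern: the target defaults to the authenticated principal,
    a different target requires an explicit privileged role, and the decision
    is made before any write happens."""
    actor = store[session_user_id]
    target_id = payload.get("userId", actor.user_id)
    if target_id != actor.user_id and "Administrators" not in actor.roles:
        raise Forbidden(f"{actor.email} may not modify account {target_id}")
    target = store[target_id]
    target.email = payload["email"]
    return target


def demo() -> dict[str, str]:
    """Run the takeover attempt against both handlers and report the outcome."""
    attack = {"userId": CAROL_ID, "email": "attacker@evil.test"}

    store = fresh_store()
    vulnerable_update(store, BOB_ID, attack)
    after_vulnerable = store[CAROL_ID].email        # attacker now owns Carol's contact address

    store = fresh_store()
    try:
        hardened_update(store, BOB_ID, attack)
        hardened_outcome = "allowed"
    except Forbidden:
        hardened_outcome = "forbidden"
    after_hardened = store[CAROL_ID].email          # unchanged

    # A legitimate cross-account edit by an administrator still works.
    admin_edit = hardened_update(
        store, ALICE_ID, {"userId": CAROL_ID, "email": "carol.new@example.test"}
    ).email

    return {
        "vulnerable": after_vulnerable,
        "hardened": hardened_outcome,
        "hardened_email": after_hardened,
        "admin_edit": admin_edit,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the pair is that the fix is an ownership or role decision made server-side from the session, not a check that the supplied key "looks right" or is hard to guess.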

Affected Products

Vendor   | Product    | Versions
progress | sitefinity | 15.2.8400, 15.3.8500, 15.4.8600

The three builds listed are the ones this record tracks; the description gives the affected ranges as 15.2.x before 15.2.8441, 15.3.x before 15.3.8531 and 15.4.x before 15.4.8630, so any build in those branches below the fixed build is affected, not only the three builds named here.
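A triage helper, added here as an example (not Progress tooling), that applies the per-branch ranges from the description to an inventory of build strings. It assumes builds are reported as major.minor.build (extra components are ignored); the host names and the inventory are constructed, and the 15.1.x entry is a hypothetical branch the advisory does not mention, included to show that the helper answers "unknown" rather than guessing.

```python
"""Triage helper for CVE-2026-7201: is a given Sitefinity build inside the
ranges the advisory lists (15.2.x before 15.2.8441, 15.3.x before 15.3.8531,
15.4.x before 15.4.8630)? Added example, not vendor tooling. It assumes builds
are reported as major.minor.build (extra components are ignored); the
inventory below is constructed."""
from __future__ import annotations

from typing import Optional

# First fixed build per affected branch, straight from the advisory text.
FIXED_BUILDS: dict[tuple[int, int], int] = {
    (15, 2): 8441,
    (15, 3): 8531,
    (15, 4): 8630,
}


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '15.3.8530' (or '15.3.8530.0') into (15, 3, 8530)."""
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, build = (int(p) for p in parts[:3])
    return major, minor, build


def is_affected(version: str) -> Optional[bool]:
    """True if vulnerable, False if at or after the fixed build for its branch,
    None if the branch is not one the advisory covers, where the right answer
    is 'ask the vendor', not a guess. Ranges are per branch: a 15.4 build with
    a lower number than a fixed 15.3 build is not compared across branches."""
    major, minor, build = parse_version(version)
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return None
    return build < fixed


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Classify a host -> version map as affected / patched / unknown / invalid."""
    result: dict[str, str] = {}
    for host, version in inventory.items():
        try:
            verdict = is_affected(version)
        except ValueError:
            result[host] = "invalid"
            continue
        result[host] = {True: "affected", False: "patched", None: "unknown"}[verdict]
    return result


# Constructed inventory covering the boundary builds and the edge cases.
SAMPLE_INVENTORY = {
    "cms-prod-01": "15.2.8440",      # last vulnerable 15.2 build
    "cms-prod-02": "15.2.8441",      # first fixed 15.2 build
    "cms-stage-01": "15.3.8530.0",   # four-part string, still vulnerable
    "cms-stage-02": "15.4.8630",     # first fixed 15.4 build
    "cms-legacy-01": "15.1.8300",    # hypothetical branch not covered by the advisory
    "cms-unknown": "15.4",           # incomplete version string
}

if __name__ == "__main__":
    for host, state in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {SAMPLE_INVENTORY[host]:12} {state}")
```

Feed it the version strings your asset inventory already collects; anything that comes back "unknown" or "invalid" needs a manual look rather than being filed as safe.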

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor   | Product    | Source        | Confidence
progress | sitefinity | cert_advisory | 90%

References

  • https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026 (vendor advisory)

Related News (3 articles)

  • Tier B · CCCS Canada · 26d ago · Progress security advisory (AV26-552) → no new info (linked only)
  • Tier B · BSI Advisories · 28d ago · [NEW] [high] Progress Software Sitefinity: Multiple vulnerabilities → no new info (linked only)
  • Tier C · VulDB · 29d ago · CVE-2026-7201 | Progress Sitefinity up to 15.2.8440/15.3.8530/15.4.8629 Web Services authorization → no new info (linked only)
CVSS 3.1: 8.8 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Note that the vector rates attack complexity as Low even though the description says exploitation requires knowledge of values not generally exposed to low-privileged users; treat that prerequisite as a mitigating factor when prioritising, not as a reason to defer the patch.
CISA KEV: No
Actively exploited: No
Patch available: 15.2.8441, 15.3.8531, 15.4.8630
CWE: CWE-639
Published: Jun 2, 2026
Last enriched: 29d ago (v2)
Tags: CVE-2026-7201
Trending score: 3
Source articles: 3 (3 independent)
Info completeness: 9/14 (missing: epss, kev, exploit, iocs, mitre_attack)

Related CVEs (5)

  • CRITICAL · CVE-2026-8037 [EXP] [KEV] · OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF (trending: 128)
  • CRITICAL · CVE-2026-7198 · CWE-284: Improper Access Control in web services in Progress Sitefinity (trending: 4)
  • CRITICAL · CVE-2026-7312 · CWE-522: Insufficiently Protected Credentials in web services in Progress Sitefinity (trending: 3)
  • HIGH · CVE-2026-7313 · CWE-522: Insufficiently Protected Credentials in web services in Progress Sitefinity (trending: 3)
  • HIGH · CVE-2026-7195 [EXP] · CWE-20: Improper Input Validation in web services in Progress Sitefinity (trending: 2)

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

  • Jun 2, 2026 · CVE published
  • Jun 2, 2026 · Discovered by ZDM
  • Jun 2, 2026 · Updated: affectedVersions, severity, tags
  • Jun 2, 2026 · Patch available

Version History

  • v2 · Tier C · 29d ago · via VulDB · Updated affected versions to include 15.2.8440, 15.3.8530, and 15.4.8629, changed severity to CRITICAL, and noted that there is no available exploit. (fields: affectedVersions, severity, tags; the record's current rating is CVSS 3.1 8.8 HIGH)
  • v1 · 29d ago · Initial creation