VYPR
Vypr Intelligence · AI-generated · Jun 2, 2026 · 5 CVEs

Progress Sitefinity: Five CVEs Disclosed, Two Critical, on June 2nd

Progress Sitefinity users face critical and high-severity vulnerabilities, including credential exposure and authorization bypass, disclosed on June 2nd.

Key findings

  • Five vulnerabilities in Progress Sitefinity disclosed on June 2nd, 2026.
  • Two critical vulnerabilities (CVSSv3 10.0 and 9.8) involve credential exposure and unauthorized access.
  • High-severity flaws include credential exposure, authorization bypass, and input validation issues.
  • Multiple version ranges of Progress Sitefinity are affected by these vulnerabilities.
  • Patches and advisories are available from Progress; prompt application is recommended.

On June 2nd, 2026, a batch of five vulnerabilities affecting Progress Sitefinity was disclosed, with two rated as critical and three as high severity. These vulnerabilities primarily concern insufficient credential protection and authorization bypass within the web services of the Sitefinity platform.

The two critical vulnerabilities are CVE-2026-7312 (CVSSv3 10.0) and CVE-2026-7198 (CVSSv3 9.8). CVE-2026-7312 involves insufficiently protected credentials in web services, allowing remote unauthenticated attackers to obtain plain-text credentials. It affects multiple version ranges, including 14.0.7700 to 14.4.8152, 15.0.8200 to 15.0.8234, and several subsequent ranges up to 15.4.8630. CVE-2026-7198, an improper access control flaw, allows remote unauthenticated attackers to access restricted content, potentially leading to a full compromise of confidentiality, integrity, and availability.

Alongside these critical issues are three high-severity vulnerabilities. CVE-2026-7313 (CVSSv3 8.7) also deals with insufficiently protected credentials, specifically those used for connecting to the Sitefinity Insight service, and affects versions from 8.0.5700 to 13.3.7652. Successful exploitation requires an active integration with Sitefinity Insight. CVE-2026-7201 (CVSSv3 8.8) is an authorization bypass vulnerability allowing authenticated attackers to modify other users' account properties, potentially leading to account compromise. It impacts versions 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630. Finally, CVE-2026-7195 (CVSSv3 8.8) is an improper input validation vulnerability that can be exploited by remote unauthenticated attackers to compromise the integrity of affected installations, impacting various version ranges including 14.1.x through 14.3.x and specific ranges up to 15.4.8630.

Progress has released patches and advisories addressing these vulnerabilities. Users are strongly advised to consult the official Progress security advisories for specific version information and apply the necessary updates promptly to mitigate the risks associated with these critical and high-severity flaws. The affected versions span a wide range of Sitefinity deployments, emphasizing the broad impact of this disclosure.
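For a first pass over an inventory before reading the advisories, the added example below (not from Progress or from the original article) checks a Sitefinity version against only the ranges this article states in full. Where the article says further ranges exist without listing them, a miss returns `consult-advisory` rather than a clean result. The names `STATED`, `parse_version`, `triage`, the status strings and the sample hosts are assumptions, as is the `major.minor.build` version format with an optional fourth part.

```python
import re

# Ranges transcribed from the article only. complete=False means the article
# says more ranges exist than it lists, so a miss is NOT a clean bill of health.
# Each range: (low, high, high_inclusive) over (major, minor, build).
STATED = {
    "CVE-2026-7312": (False, [((14, 0, 7700), (14, 4, 8152), True),
                              ((15, 0, 8200), (15, 0, 8234), True)]),
    "CVE-2026-7198": (False, []),  # article gives no version ranges
    # Exploitation also needs an active Sitefinity Insight integration.
    "CVE-2026-7313": (True, [((8, 0, 5700), (13, 3, 7652), True)]),
    "CVE-2026-7201": (True, [((15, 2, 0), (15, 2, 8441), False),
                             ((15, 3, 0), (15, 3, 8531), False),
                             ((15, 4, 0), (15, 4, 8630), False)]),
    "CVE-2026-7195": (False, [((14, 1, 0), (14, 4, 0), False)]),  # 14.1.x-14.3.x
}

_VERSION = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:\.\d+)?")

def parse_version(text):
    """Parse 'major.minor.build'; an optional 4th part is ignored (assumption)."""
    m = _VERSION.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Sitefinity version: {text!r}")
    return tuple(int(p) for p in m.groups())

def triage(version_text):
    """Map each CVE to 'affected', 'outside-stated-ranges' or 'consult-advisory'."""
    v = parse_version(version_text)
    result = {}
    for cve, (complete, ranges) in STATED.items():
        hit = any(lo <= v and (v <= hi if inclusive else v < hi)
                  for lo, hi, inclusive in ranges)
        if hit:
            result[cve] = "affected"
        else:
            result[cve] = "outside-stated-ranges" if complete else "consult-advisory"
    return result

if __name__ == "__main__":
    # Constructed inventory; host names and versions are sample values.
    for host, ver in [("cms-prod", "15.3.8522"), ("cms-legacy", "13.3.7652.0"),
                      ("cms-stage", "15.4.8630")]:
        flagged = {c: s for c, s in triage(ver).items()
                   if s != "outside-stated-ranges"}
        print(host, ver, flagged)
```

Treat `consult-advisory` as unresolved: only the official Progress advisories carry the full affected and fixed version lists.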

This coordinated disclosure event underscores the importance of regular security patching for Progress Sitefinity. The presence of both critical and high-severity issues, including those exploitable by unauthenticated attackers, necessitates immediate attention from administrators to protect their systems from potential compromise.

AI-written article. Grounded in 5 CVE records listed below.