High severity8.8NVD Advisory· Published Jun 2, 2026· Updated Jun 4, 2026
CVE-2026-7201
CVE-2026-7201
Description
CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account properties of other users, potentially leading to account compromise. Successful exploitation requires knowledge of values that are not generally exposed to low-privileged users.
Affected products
2cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*range: >=15.2.8400,<15.2.8441
- (no CPE)range: <15.2.8441, <15.3.8531, <15.4.8630
Patches
Vulnerability mechanics
References
1News mentions
1- Progress Sitefinity: Five CVEs Disclosed, Two Critical, on June 2ndVypr Intelligence · Jun 2, 2026