VYPR

Vendor CVEs

Progress (organisation)

All CVEs

218 total · sorted by risk
  • CVE-2017-11357CriKEVAug 23, 2017
    risk 0.91cvss 9.8epss 0.76

    Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUpload, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.

  • CVE-2017-11317CriKEVAug 23, 2017
    risk 0.85cvss 9.8epss 0.83

    Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017 and R2 before R2 2017 SP2 uses weak RadAsyncUpload encryption, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.

  • CVE-2017-9248CriKEVJul 3, 2017
    risk 0.85cvss 9.8epss 0.75

    Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection…

  • CVE-2015-8261CriJan 8, 2016
    risk 0.67cvss 9.8epss 0.04

    The DroneDeleteOldMeasurements implementation in Ipswitch WhatsUp Gold before 16.4 does not properly validate serialized XML objects, which allows remote attackers to conduct SQL injection attacks via a crafted SOAP request.

  • CVE-2026-2699CriApr 2, 2026
    risk 0.66cvss 9.8epss 0.49

    Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted configuration pages. This leads to changing system configuration and potential remote code execution.

  • CVE-2026-7312CriJun 2, 2026
    risk 0.65cvss 10.0epss 0.00

    CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 14.0.7700 to 14.4.8152, and 15.0.8200 to 15.0.8234, and 15.1.8300 to 15.1.8335, 15.2.8400 to 15.2.8441, 15.3.8500 to 15.3.8531, and 15.4.8600 to 15.4.8630 allows a remote…

  • CVE-2026-7198CriJun 2, 2026
    risk 0.64cvss 9.8epss 0.00

    CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote unauthenticated attacker to access content that should be restricted, resulting in full compromise of confidentiality, integrity, and availability of affected…

  • CVE-2026-4670CriApr 30, 2026
    risk 0.64cvss 9.8epss 0.06

    Authentication bypass by primary weakness vulnerability in Progress Software MOVEit Automation allows Authentication Bypass. This issue affects MOVEit Automation: from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, versions prior to 2024.0.0.

  • CVE-2017-15883CriJan 8, 2018
    risk 0.64cvss 9.8epss 0.02

    Sitefinity 5.1, 5.2, 5.3, 5.4, 6.x, 7.x, 8.x, 9.x, and 10.x allow remote attackers to bypass authentication and consequently cause a denial of service on load balanced sites or gain privileges via vectors related to weak cryptography.

  • CVE-2015-9245CriOct 31, 2017
    risk 0.64cvss 9.8epss 0.02

    Insecure default configuration in Progress Software OpenEdge 10.2x and 11.x allows unauthenticated remote attackers to specify arbitrary URLs from which to load and execute malicious Java classes via port 20931.

  • CVE-2026-8037CriJun 4, 2026
    risk 0.62cvss 9.6epss 0.02

    OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an un-authenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endpoints

  • CVE-2025-8095CriApr 14, 2026
    risk 0.59cvss epss 0.00

    The OECH1 prefix encoding is intended to obfuscate values across the OpenEdge platform.  It has been identified as cryptographically weak and unsuitable for stored encodings and enterprise applications.  OECH1 encodings should be considered exploitable and immediately replaced…

  • CVE-2026-2701CriApr 2, 2026
    risk 0.59cvss 9.1epss 0.49

    Authenticated user can upload a malicious file to the server and execute it, which leads to remote code execution.

  • CVE-2013-10036HigJul 31, 2025
    risk 0.58cvss epss 0.00

    A stack-based buffer overflow vulnerability exists in Beetel Connection Manager version PCW_BTLINDV1.0.0B04 when parsing the UserName parameter in the NetConfig.ini configuration file. A crafted .ini file containing an overly long UserName value can overwrite the Structured…

  • CVE-2026-7313HigJun 2, 2026
    risk 0.57cvss 8.7epss 0.00

    CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 8.0.5700 to 13.3.7652 allows a remote authenticated attacker to obtain plain-text credentials used connect to Sitefinity Insight service. Successful exploitation requires active…

  • CVE-2026-7201HigJun 2, 2026
    risk 0.57cvss 8.8epss 0.00

    CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account properties of other users, potentially leading…

  • CVE-2026-7195HigJun 2, 2026
    risk 0.57cvss 8.8epss 0.00

    CWE-20: Improper Input Validation in web services in Progress Sitefinity 14.1.x through 14.3.x, 14.4.x before 14.4.8152, 15.0.x before 15.0.8234, 15.1.x before 15.1.8335, 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote…

  • CVE-2026-3692HigApr 2, 2026
    risk 0.57cvss 8.8epss 0.00

    In Progress Flowmon versions prior to 12.5.8, a vulnerability exists whereby an authenticated low-privileged user may craft a request during the report generation process that results in unintended commands being executed on the server.

  • CVE-2025-48082HigOct 22, 2025
    risk 0.57cvss 8.8epss 0.00

    Incorrect Privilege Assignment vulnerability in Progress Planner Progress Planner progress-planner allows Privilege Escalation.This issue affects Progress Planner: from n/a through <= 1.8.0.

  • CVE-2025-10240HigOct 9, 2025
    risk 0.57cvss 8.8epss 0.00

    A vulnerability exists in the Progress Flowmon web application prior to version 12.5.5, whereby a user who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated session.

  • CVE-2017-18179HigFeb 12, 2018
    risk 0.57cvss 8.8epss 0.03

    Progress Sitefinity 9.1 uses wrap_access_token as a non-expiring authentication token that remains valid after a password change or a session termination. Also, it is transmitted as a GET parameter. This is fixed in 10.1.

  • CVE-2016-1000000HigOct 6, 2016
    risk 0.57cvss 8.8epss 0.01

    Ipswitch WhatsUp Gold 16.4.1 WrFreeFormText.asp sUniqueID Parameter Blind SQL Injection

  • CVE-2025-10703HigNov 19, 2025
    risk 0.56cvss epss 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows Remote Code Inclusion. The SpyAttribute connection option implemented by the…

  • CVE-2025-10702HigNov 19, 2025
    risk 0.56cvss epss 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows Remote Code Inclusion. The SpyAttribute connection option implemented by the…

  • CVE-2026-4048HigApr 20, 2026
    risk 0.55cvss 8.4epss 0.02

    OS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in a custom WAF rule file during the file…

  • CVE-2026-3519HigApr 20, 2026
    risk 0.55cvss 8.4epss 0.02

    OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “VS Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'aclcontrol' command

  • CVE-2026-3518HigApr 20, 2026
    risk 0.55cvss 8.4epss 0.03

    OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'killsession' command

  • CVE-2026-3517HigApr 20, 2026
    risk 0.55cvss 8.4epss 0.18

    OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “Geo Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'addcountry'…

  • CVE-2025-7388HigSep 4, 2025
    risk 0.55cvss 8.4epss 0.01

    It was possible to perform Remote Command Execution (RCE) via Java RMI interface in the OpenEdge AdminServer, allowing authenticated users to inject and execute OS commands under the delegated authority of the AdminServer process.  An RMI interface permitted manipulation of a…

  • CVE-2026-6023HigApr 22, 2026
    risk 0.53cvss 8.1epss 0.01

    In Progress® Telerik® UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable to insecure deserialization when restoring filter state if the state is exposed to the client. If an attacker tampers with this state, a server-side remote code…

  • CVE-2026-28034HigMar 5, 2026
    risk 0.53cvss 8.1epss 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Progress progress allows PHP Local File Inclusion.This issue affects Progress: from n/a through <= 1.2.

  • CVE-2026-5174HigApr 30, 2026
    risk 0.50cvss 7.7epss 0.03

    Improper input validation vulnerability in Progress Software MOVEit Automation allows Privilege Escalation. This issue affects MOVEit Automation: from 2025.1.0 before 2025.1.5, from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, versions prior to 2024.0.0.

  • CVE-2025-1968HigApr 9, 2025
    risk 0.50cvss 7.7epss 0.00

    Insufficient Session Expiration vulnerability in Progress Software Corporation Sitefinity under some specific and uncommon circumstances allows reusing Session IDs (Session Replay Attacks).This issue affects Sitefinity: from 14.0 through 14.3, from 14.4 before 14.4.8145, from…

  • CVE-2026-6022HigApr 22, 2026
    risk 0.49cvss 7.5epss 0.00

    In Progress® Telerik® UI for AJAX prior to 2026.1.421, RadAsyncUpload contains an uncontrolled resource consumption vulnerability that allows file uploads to exceed the configured maximum size due to missing cumulative size enforcement during chunk reassembly, leading to disk…

  • CVE-2023-29929HigAug 21, 2024
    risk 0.49cvss 7.5epss 0.01

    Buffer Overflow vulnerability found in Kemptechnologies Loadmaster before v.7.2.60.0 allows a remote attacker to casue a denial of service via the libkemplink.so, isreverse library.

  • CVE-2018-17055HigSep 28, 2018
    risk 0.49cvss 7.5epss 0.01

    An arbitrary file upload vulnerability in Progress Sitefinity CMS versions 4.0 through 11.0 related to image uploads.

  • CVE-2017-1000026HigJul 17, 2017
    risk 0.49cvss 7.5epss 0.02

    Chef Software's mixlib-archive versions 0.3.0 and older are vulnerable to a directory traversal attack allowing attackers to overwrite arbitrary files by using ".." in tar archive entries

  • CVE-2025-10239HigOct 9, 2025
    risk 0.47cvss 7.2epss 0.00

    In Flowmon versions prior to 12.5.5, a vulnerability has been identified that allows a user with administrator privileges and access to the management interface to execute additional unintended commands within scripts intended for troubleshooting purposes.

  • CVE-2015-6005MedDec 27, 2015
    risk 0.45cvss 6.9epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in IPSwitch WhatsUp Gold before 16.4 allow remote attackers to inject arbitrary web script or HTML via (1) an SNMP OID object, (2) an SNMP trap message, (3) the View Names field, (4) the Group Names field, (5) the Flow Monitor…

  • CVE-2025-11906MedOct 30, 2025
    risk 0.44cvss 6.7epss 0.00

    A vulnerability exists in Progress Flowmon versions prior 12.5.6 where certain system configuration files have incorrect file permissions, allowing a user with access to the default flowmon system user account used for SSH access to potentially escalate privileges to root during…

  • CVE-2026-8487MedMay 20, 2026
    risk 0.42cvss 6.5epss 0.00

    Incorrect default permissions vulnerability in Progress Software MOVEit Automation allows Retrieve Embedded Sensitive Data. This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7.

  • CVE-2024-9999MedNov 12, 2024
    risk 0.42cvss 6.5epss 0.00

    In WS_FTP Server versions before 8.8.9 (2022.0.9), an Incorrect Implementation of Authentication Algorithm in the Web Transfer Module allows users to skip the second-factor verification and log in with username and password only.

  • CVE-2015-6004MedDec 27, 2015
    risk 0.42cvss 6.5epss 0.02

    Multiple SQL injection vulnerabilities in IPSwitch WhatsUp Gold before 16.4 allow remote attackers to execute arbitrary SQL commands via (1) the UniqueID (aka sUniqueID) parameter to WrFreeFormText.asp in the Reports component or (2) the Find Device parameter.

  • CVE-2026-2737MedApr 2, 2026
    risk 0.40cvss 6.1epss 0.00

    A vulnerability exists in Progress Flowmon versions prior to 12.5.8 and 13.0.6, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session.

  • CVE-2018-17054MedOct 3, 2018
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting (XSS) vulnerability in Identity Server in Progress Sitefinity CMS versions 10.0 through 11.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to login request parameters, a different vulnerability than CVE-2018-17053.

  • CVE-2018-17053MedOct 3, 2018
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting (XSS) vulnerability in Identity Server in Progress Sitefinity CMS versions 10.0 through 11.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to login request parameters, a different vulnerability than CVE-2018-17054.

  • CVE-2018-17056MedSep 28, 2018
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting (XSS) vulnerability in ServiceStack in Progress Sitefinity CMS versions 10.2 through 11.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2018-14037MedSep 28, 2018
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting (XSS) vulnerability in Progress Kendo UI Editor v2018.1.221 allows remote attackers to inject arbitrary JavaScript into the DOM of the WYSIWYG editor because of the editorNS.Serializer toEditableHtml function in kendo.all.min.js. If the victim accesses the…

  • CVE-2017-18178MedFeb 12, 2018
    risk 0.40cvss 6.1epss 0.02

    Authenticate/SWT in Progress Sitefinity 9.1 has an open redirect issue in which an authentication token is sent to the redirection target, if the target is specified using a certain %40 syntax. This is fixed in 10.1.

  • CVE-2017-9140MedMay 22, 2017
    risk 0.40cvss 6.1epss 0.10

    Cross-site scripting (XSS) vulnerability in Telerik.ReportViewer.WebForms.dll in Telerik Reporting for ASP.NET WebForms Report Viewer control before R1 2017 SP2 (11.0.17.406) allows remote attackers to inject arbitrary web script or HTML via the bgColor parameter to…

Page 1 of 5