Description
CWE-20: Improper Input Validation in web services in Progress Sitefinity 14.1.x through 14.3.x, 14.4.x before 14.4.8152, 15.0.x before 15.0.8234, 15.1.x before 15.1.8335, 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote unauthenticated attacker to compromise the integrity and confidentiality of user accounts. Successful exploitation requires user interaction and a non-default site configuration.
Published: 2026-06-02
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper input validation in the web services of Progress Sitefinity allows a remote, unauthenticated attacker to compromise the integrity and confidentiality of user accounts. The flaw can be used to alter or view account information; exploitation requires user interaction and a site that is running in a non-default configuration.

Affected Systems

The vulnerability affects Progress Software Sitefinity versions 14.1.x through 14.3.x, 14.4.x before 14.4.8152, 15.0.x before 15.0.8234, 15.1.x before 15.1.8335, 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630. These releases are listed in the advisory and are vulnerable when the affected web services are exposed through a non-default configuration.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8, indicating high severity. EPSS data is not available and the issue is not listed in the CISA KEV catalog. The likely attack vector is remote interaction with the vulnerable web services: exploitation requires the target to be reachable over the web and configured so that the affected endpoints are enabled. While the score indicates significant impact, the absence of EPSS data and of a KEV listing suggests that exploitation may not be widespread at present; even so, the combination of high severity and remote unauthenticated access warrants prompt attention.

Generated by OpenCVE AI on June 2, 2026 at 15:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Sitefinity to at least version 14.4.8152, 15.0.8234, 15.1.8335, 15.2.8441, 15.3.8531, or 15.4.8630, or later, as recommended by the advisory.
  • If an upgrade cannot be performed immediately, return the instance to the default configuration and disable or restrict access to the affected web services, so that the attack path, which depends on user interaction, is no longer reachable.
  • Apply network controls such as firewall or WAF rules to block requests to the vulnerable endpoints until the application is patched or the configuration is hardened.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 18:30:00 +0000

Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Values removed: none

Tue, 02 Jun 2026 14:15:00 +0000

Values added:
  • Description: CWE-20: Improper Input Validation in web services in Progress Sitefinity 14.1.x through 14.3.x, 14.4.x before 14.4.8152, 15.0.x before 15.0.8234, 15.1.x before 15.1.8335, 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote unauthenticated attacker to compromise the integrity and confidentiality of user accounts. Successful exploitation requires user interaction and a non-default site configuration.
  • Title: CWE-20: Improper Input Validation in web services in Progress Sitefinity
  • Weaknesses: CWE-20
  • References: none listed
  • Metrics (cvssV3_1): {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Values removed: none


MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published:

Updated: 2026-06-02T16:05:47.896Z

Reserved: 2026-04-27T13:49:22.749Z

Link: CVE-2026-7195

Vulnrichment

Updated: 2026-06-02T16:05:43.816Z

NVD

Status: Awaiting Analysis

Published: 2026-06-02T14:17:14.073

Modified: 2026-06-02T14:48:39.190

Link: CVE-2026-7195

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T15:45:06Z

Weaknesses