CVE-2026-7195 PUBLISHED

CWE-20: Improper Input Validation in web services in Progress Sitefinity

Assigner: ProgressSoftware
Reserved: 27.04.2026 Published: 02.06.2026 Updated: 02.06.2026

CWE-20: Improper Input Validation in web services in Progress Sitefinity 14.1.x through 14.3.x, 14.4.x before 14.4.8152, 15.0.x before 15.0.8234, 15.1.x before 15.1.8335, 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote unauthenticated attacker to compromise the integrity and confidentiality of user accounts. Successful exploitation requires user interaction and a non-default site configuration.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS Score: 8.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	Required	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Progress Software
Product	Sitefinity
Versions	Default: unknown affected from 14.1.0 to 14.4.0 (excl.) affected from 14.4.8100 to 14.4.8152 (excl.) affected from 15.0.8200 to 15.0.8234 (excl.) affected from 15.1.8300 to 15.1.8335 (excl.) affected from 15.2.8400 to 15.2.8441 (excl.) affected from 15.3.8500 to 15.3.8531 (excl.) affected from 15.4.8600 to 15.4.8630 (excl.)

References

https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026

Problem Types

CWE-20: Improper Input Validation CWE

Impacts

CAPEC-153: Input Data Manipulation