CVE-2026-7195: Progress Sitefinity Input Validation Flaw Enables Account Compromise
A flaw in Progress Sitefinity's web services allows an unauthenticated attacker to compromise user accounts—stealing login credentials and modifying account data—by exploiting improper input validation. The attack requires tricking a user into interacting with a malicious request and relies on non-standard site configuration, making it a credible but not universally threatening risk. Multiple versions from 14.1 through 15.4 are affected.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-20
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
CWE-20: Improper Input Validation in web services in Progress Sitefinity 14.1.x through 14.3.x, 14.4.x before 14.4.8152, 15.0.x before 15.0.8234, 15.1.x before 15.1.8335, 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote unauthenticated attacker to compromise the integrity and confidentiality of user accounts. Successful exploitation requires user interaction and a non-default site configuration.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-7195 is a CWE-20 input validation bypass in Progress Sitefinity web services. The vulnerability permits remote, unauthenticated account compromise through a vector that requires user interaction (CVSS UI:R). The attack surface is the network-accessible web service layer; successful exploitation grants unauthorized access to user account integrity and confidentiality. Affected versions span three major releases (14.x and 15.x) across multiple patch levels. Non-default site configuration is a prerequisite, suggesting the flaw manifests under specific middleware or integration setups rather than out-of-box installations.
Business impact
Account compromise of Sitefinity end-users poses immediate confidentiality and integrity risks. Attackers gain the ability to impersonate legitimate users, access sensitive data within user profiles, and potentially modify or delete content. For organizations running Sitefinity-powered portals, intranets, or customer-facing sites, this translates to reputational damage, regulatory reporting obligations (GDPR, CCPA, etc.), and loss of customer trust. The need for user interaction—typically via social engineering—extends the attack timeline and reduces the likelihood of mass exploitation, but does not eliminate the risk for targeted campaigns.
Affected systems
Progress Sitefinity versions 14.1.x through 15.4.x are in scope, with specific vulnerable ranges: 14.1.x–14.3.x (all), 14.4.x before 14.4.8152, 15.0.x before 15.0.8234, 15.1.x before 15.1.8335, 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630. Organizations must verify their exact patch level and site configuration. Sitefinity instances deployed in non-default configurations (custom authentication schemes, third-party integrations, or custom web service endpoints) are most likely to be vulnerable.
Exploitability
Exploitability is moderate-to-high. The flaw requires no authentication and is reachable over the network, but exploitation mandates user interaction—typically a user clicking a malicious link or submitting a crafted request. The non-default configuration requirement further narrows the practical target set. No publicly known active exploitation has been reported. The barrier to weaponization is low for attackers with knowledge of vulnerable site configurations, but detection and blocking are feasible via web application firewalls tuned to recognize invalid input patterns in affected service endpoints.
Remediation
Apply vendor patches to reach patched versions: 14.4.8152 or later (14.4.x), 15.0.8234 or later (15.0.x), 15.1.8335 or later (15.1.x), 15.2.8441 or later (15.2.x), 15.3.8531 or later (15.3.x), and 15.4.8630 or later (15.4.x). For versions 14.1.x and 14.3.x, upgrade to a supported version if available; consult Progress support for extended support or backport options. Interim controls include restricting network access to Sitefinity web services, disabling non-essential service endpoints, and implementing input validation rules at the WAF or API gateway layer.
Patch guidance
Progress has released patch versions for all affected branches; check the vendor advisory for exact build numbers and download links. Plan patching in a phased approach: prioritize production instances first, then staging and development. Verify patch installation by confirming the build number post-update. Test affected web service functionality in a non-production environment before production deployment to rule out compatibility issues with custom integrations. Patch availability and deployment windows should be coordinated with any dependent applications or third-party services consuming Sitefinity APIs.
Detection guidance
Monitor web service endpoints for malformed or unexpected input patterns, particularly in authentication and account-related service calls. Implement input validation logging and alerting at the application or API gateway level. Hunt for account access anomalies: unusual login locations, failed authentication attempts followed by successful access from different IPs, and account modifications by non-owner principals. Review access logs for suspicious patterns targeting non-default web service endpoints. Organizations using Sitefinity intrusion detection or WAF rules should enable or update CWE-20 specific signatures; consult Sitefinity security documentation for recommended rule sets.
Why prioritize this
Although user interaction is required, account compromise severity is high, affecting confidentiality and integrity of critical identity data. The broad version range (14.1.x through 15.4.x) and the prevalence of Sitefinity in enterprise portal environments elevate organizational exposure. Non-default configuration requirement should not defer patching—many production Sitefinity deployments employ custom configurations. Patch availability and relative ease of application make this a strong candidate for expedited remediation within a 30–60 day window.
Risk score, explained
CVSS 8.8 (HIGH) reflects high-impact account compromise (C:H, I:H, A:H) via a network-accessible service without authentication (AV:N, PR:N). User interaction (UI:R) and non-default configuration constraints lower the score from critical but do not reduce the underlying severity. The absence of scope elevation (S:U) indicates the impact is confined to the user's account rather than lateral system compromise. For security leaders, this score warrants prompt patching and interim controls, but does not demand emergency response procedures.
Frequently asked questions
Does this vulnerability require authentication to exploit?
No. The vulnerability is reachable by unauthenticated remote attackers. However, successful exploitation requires user interaction—typically the victim clicking a malicious link or submitting a crafted request—and a non-default site configuration, which limits the pool of exploitable systems.
Will patching require downtime or break existing integrations?
Patching should require no extended downtime if done during a maintenance window. However, because custom web service configurations and third-party integrations are common in Sitefinity deployments, thoroughly test patches in a staging environment before production deployment to identify any compatibility issues.
What should I do if I cannot patch immediately?
Implement interim controls: restrict network access to Sitefinity web services, disable non-essential endpoints, deploy WAF rules to detect and block malformed input to affected endpoints, and monitor for account access anomalies. These measures reduce exploitability while you plan patch deployment.
Is this vulnerability in the CISA KEV catalog?
No, this vulnerability has not been added to the CISA Known Exploited Vulnerabilities catalog as of the last update. However, lack of KEV status does not indicate low risk; prioritize based on CVSS, affected asset count, and your site configuration.
This analysis is based on vendor disclosures and CVSS metrics current as of the publication date. Verify patch availability, version applicability, and site-specific impact with the Progress Sitefinity vendor advisory and your internal security team. No exploit code or weaponized proof-of-concept is provided. Organizations must perform their own testing and risk assessment relative to their deployment architecture and business context. SEC.co provides this intelligence for informational purposes and recommends engagement with your vendor and security team before implementing any remediation. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-22424HIGHAndroid Local Privilege Escalation via Image Disclosure
- CVE-2026-0078HIGHAndroid Privilege Escalation via DevicePolicyManagerService Desync
- CVE-2026-10020HIGHChrome Android Sandbox Escape via Skia Input Validation Flaw
- CVE-2026-10021HIGHGoogle Chrome USB Validation Flaw – RCE Vulnerability Patch
- CVE-2026-10863HIGHMISP Correlations Query Ordering Vulnerability (CVSS 8.1)
- CVE-2026-10904HIGHChrome V8 Sandbox Escape Remote Code Execution
- CVE-2026-10911HIGHChrome Sandbox Escape Vulnerability (High Severity)
- CVE-2026-10917HIGHChrome Media Sandbox Escape Vulnerability (High CVSS 8.3)