CVE-2026-7312
Insufficiently Protected Credentials in Progress Sitefinity
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: Progress Software Corporation
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| progress | sitefinity | From 14.0.7700 (inc) to 14.4.8152 (inc) |
| progress | sitefinity | From 15.0.8200 (inc) to 15.0.8234 (inc) |
| progress | sitefinity | From 15.1.8300 (inc) to 15.1.8335 (inc) |
| progress | sitefinity | From 15.2.8400 (inc) to 15.2.8441 (inc) |
| progress | sitefinity | From 15.3.8500 (inc) to 15.3.8531 (inc) |
| progress | sitefinity | From 15.4.8600 (inc) to 15.4.8630 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability, classified under CWE-522 (Insufficiently Protected Credentials), affects web services in certain versions of Progress Sitefinity. It allows a remote unauthenticated attacker to obtain plain-text credentials that are used to connect to the Sitefinity Insight service. Exploitation requires that the Sitefinity Insight integration is active and that the site configuration is non-default.
How can this vulnerability impact me?
The impact of this vulnerability is severe because an attacker can remotely access plain-text credentials without authentication. This can lead to unauthorized access to the Sitefinity Insight service, potentially compromising sensitive data and system integrity. The CVSS base score of 10.0 indicates a critical severity with high confidentiality and integrity impacts.