CVE-2026-7201

HIGH EPSS 26.7%

Published Jun 2, 20263w ago · Modified Jun 17, 20261w ago

8.8 CVSS 3.1

High

Published Jun 2, 2026 3w ago

Last Modified Jun 17, 2026 1w ago

Description

CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account properties of other users, potentially leading to account compromise. Successful exploitation requires knowledge of values that are not generally exposed to low-privileged users.

CVSS Details

Base Score

8.8

Exploitability

2.8

Impact

5.9

Vector string

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS Exploit Probability

26.7% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-639

Affected Products 3

Vendor	Product	Version	Range
progress	sitefinity	*	≥15.2.8400 – <15.2.8441
progress	sitefinity	*	≥15.3.8500 – <15.3.8531
progress	sitefinity	*	≥15.4.8600 – <15.4.8630

References 1

community.progress.com https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026

Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.