Critical Progress Sitefinity flaws expose credentials and restricted content
Progress released security updates for Sitefinity CMS, Sitefinity Insight, and Kemp LoadMaster, with the most urgent attention on multiple severe Sitefinity web-service vulnerabilities affecting versions from 8.0 through 15.4. The Canadian Centre for Cyber Security flagged the vendor advisories and urged administrators to review Progress bulletins and apply patches. Among the Sitefinity issues, CVE-2026-7312 carries a CVSS 10.0 rating and can let an unauthenticated attacker obtain plaintext credentials used for Sitefinity Insight connections when that integration is enabled in a non-default configuration, while CVE-2026-7198 is rated CVSS 9.8 and allows unauthenticated access to restricted content in affected 15.4 deployments.
Additional Sitefinity flaws include CVE-2026-7201, an authorization bypass that can let an authenticated low-privilege user modify other users' account properties, and CVE-2026-7313, which exposes Insight credentials to authenticated back-end users under specific configurations. Progress published patched releases including 15.4.8630, 15.3.8531, 15.2.8441, 15.1.8335, 15.0.8234, 14.4.8152, and 13.3.7652, and warned that delaying remediation leaves OData and related web services open to unauthorized exploitation. The broader advisory set also includes two vulnerabilities affecting Progress Kemp LoadMaster.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
ZDI discloses critical LoadMaster RCE CVE-2026-8037
On 2026-06-09, ZDI disclosed CVE-2026-8037, a critical unauthenticated remote code execution flaw in Progress Kemp LoadMaster's accessv2 endpoint involving the apiuser parameter. The advisory said Progress released an update to remediate the issue, and credited Syed Ibrahim Ahmed of TrendAI Research for the finding.
Progress publishes security updates for Sitefinity and LoadMaster
Between June 2 and June 4, 2026, Progress published security updates addressing critical vulnerabilities in Sitefinity CMS, Sitefinity Insight, and Progress Kemp LoadMaster. The updates covered multiple Sitefinity CVEs and two LoadMaster CVEs, with patched Sitefinity releases issued for supported branches.
Canadian Centre for Cyber Security issues advisory AV26-552
On June 5, 2026, the Cyber Centre issued advisory AV26-552 highlighting Progress security updates published between June 2 and 4. The advisory urged administrators to review Progress bulletins and apply patches for affected Sitefinity and LoadMaster versions.
Progress receives multiple Sitefinity vulnerability reports
Several Sitefinity vulnerabilities, including CVE-2026-7201, CVE-2026-7312, and CVE-2026-7198, were received by security@progress.com on June 2, 2026. The reported issues included authorization bypass, improper access control, and exposure of plaintext credentials in Sitefinity web services.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Critical Sitefinity Vulnerabilities: CVSS 10.0 Security Alert
securityonline.info
Open sourceProgress security advisory (AV26-552) - Canadian Centre for Cyber Security
cyber.gc.ca
Open sourceCVE-2026-7201 - CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity
cvefeed.io
Open sourceCVE-2026-7198 - CWE-284: Improper Access Control in web services in Progress Sitefinity
cvefeed.io
Open sourceCVE-2026-7313 - CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity
cvefeed.io
Open sourceCVE-2026-7312 - CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity
cvefeed.io
Open sourceZDI-26-342 | Zero Day Initiative
zerodayinitiative.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Progress Kemp LoadMaster Flaws Enable Remote Code Execution on Network Appliances
Progress Software disclosed and patched serious vulnerabilities in **Kemp LoadMaster** that could let attackers compromise load balancers deployed at the core of enterprise networks. The most prominent issue, tracked as **`CVE-2026-8037`**, was described in public advisories as affecting API methods including `dodelapikey` and `dolistapikeys`, where improper handling of memory could allow remote code execution after authentication, in some cases with **root** or administrator-level impact. Separate reporting also characterized `CVE-2026-8037` as a critical API command-injection issue that could permit arbitrary command execution and full administrative control of the appliance. Progress released updates to address the flaws, including patched firmware versions **`v7.2.63.2`** and **`v7.2.54.18`**, and said the fixes also apply to **ECS Connection Manager** and **Connection Manager for ObjectScale**. A second vulnerability, **`CVE-2026-33691`**, affects the **OWASP CRS** handling of multipart requests by failing to normalize whitespace in filenames, creating a path to bypass firewall extension checks. Security researchers credited in the disclosures include **Syed Ibrahim Ahmed** and **Jacky Yang** of TrendAI Research, and defenders were urged to patch quickly because compromise of internet-facing load balancers could provide a foothold for deeper intrusion into enterprise environments.
Jun 10, 2026
Progress LoadMaster API Flaws Enable Authenticated OS Command Injection
Progress disclosed two high-severity OS command injection vulnerabilities in its ADC product line, including **LoadMaster**, **ECS Connection Manager**, **Object Scale Connection Manager**, and **MOVEit WAF**. The issues, tracked as `CVE-2026-3517` and `CVE-2026-3519`, affect the API and can lead to remote code execution when authenticated administrators submit unsanitized input to specific commands. Both flaws are classified as `CWE-77` and carry a `CVSS v3.1` vector of `AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H`, indicating high impact across confidentiality, integrity, and availability. `CVE-2026-3517` allows an attacker with **Geo Administration** permissions to exploit the `addcountry` command, while `CVE-2026-3519` requires **VS Administration** permissions to abuse the `aclcontrol` command. In both cases, Progress said arbitrary commands could be executed through the vulnerable API, and the vendor published an advisory covering these and related CVEs. Organizations using affected appliances should prioritize reviewing administrative access and applying vendor guidance to reduce exposure to authenticated abuse paths.
Apr 22, 2026
January 2026 Patch Cycle Highlights Multiple High-Severity Vulnerabilities Across OpenStack, Microsoft Windows, and Progress Appliances
Multiple vendors issued fixes for **high-impact vulnerabilities** that could enable privilege escalation, tenant-wide compromise, security feature bypass, or remote code execution. OpenStack patched **CVE-2026-22797** in *keystonemiddleware* affecting deployments using `external_oauth2_token`, where failure to sanitize incoming identity headers allows authenticated users to forge headers (e.g., `X-Is-Admin-Project`, `X-Roles`, `X-User-Id`) to **escalate privileges or impersonate other users**; fixes were released across supported branches and the issue was reported by a Red Hat researcher. Microsoft patched **CVE-2026-20965** in *Windows Admin Center*’s Azure SSO (fixed in Azure Extension **v0.70.00**), where improper token validation could let an attacker with local admin on a WAC-enabled Azure VM/Arc machine combine a stolen `WAC.CheckAccess` token with a forged PoP token to enable **lateral movement and tenant-wide access** under certain conditions. Separately, Microsoft addressed **CVE-2026-20824** in *Windows Remote Assistance*, an **Important** security feature bypass that can allow attackers to evade **Mark of the Web (MOTW)** protections via social engineering. Progress Software also released patches for **CVE-2025-13444** and **CVE-2025-13447** (CVSS 8.4) affecting *LoadMaster* and *MOVEit WAF*, where crafted UI/API requests can trigger **command injection leading to remote code execution**; the vendor stated it had no evidence of in-the-wild exploitation at the time of release.
Mar 21, 2026