Progress Software released security updates for multiple products, including Progress LoadMaster, Sitefinity CMS, and Sitefinity Insight, warning that the vulnerabilities could expose sensitive information, let attackers modify other users' account properties, or enable arbitrary code execution. The most severe issues disclosed were CVE-2026-7312, an insufficiently protected credentials flaw in Sitefinity web services rated CVSS 10.0, and CVE-2026-8037, a CVSS 9.6 command-injection vulnerability in Progress LoadMaster.
Technical analysis published after the advisory showed that CVE-2026-8037 is a pre-authentication remote code execution flaw in Kemp LoadMaster when its API is enabled, affecting GA v7.2.63.1 and earlier and LTSF v7.2.54.17 and earlier. Researchers said the bug stems from an uninitialized heap buffer and missing null terminator in the escape_quotes() function used by the /accessv2 endpoint, allowing attacker-controlled input to be incorporated into a shell command executed via system(). Progress patched the issue in v7.2.63.2 by replacing malloc() with calloc() and adding explicit string termination, and defenders were urged to apply updates as soon as testing is complete.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
watchTowr Labs published a technical analysis detailing how an uninitialized heap buffer and missing null terminator in LoadMaster's access executable could be exploited for pre-authentication remote code execution. The analysis also noted that Progress patched the flaw in version 7.2.63.2.
Progress Software Corporation released security updates to remediate multiple vulnerabilities affecting Progress Sitefinity CMS, Sitefinity Insight, and Progress LoadMaster. The notice specifically highlighted CVE-2026-7312 and CVE-2026-8037 and urged enterprises to deploy patches after testing.
Progress described CVE-2026-8037 as a command injection remote code execution vulnerability in a security advisory. The advisory date is explicitly referenced as June 4, 2026.
A June 2 ZeroPath blog described CVE-2026-7198 as a critical unauthenticated access control bypass in Progress Sitefinity OData Web Services that could let remote attackers access restricted content. The post said Progress disclosed the flaw, identified it as affecting Sitefinity CMS 15.4.8623 through 15.4.8629, and fixed it in version 15.4.8630, with no confirmed active exploitation as of publication.
A June 2 ZeroPath blog described CVE-2026-7312 as a CVSS 10.0 plaintext credential exposure in Progress Sitefinity's OData Web Services that could let unauthenticated attackers retrieve Sitefinity Insight credentials under specific configurations. The post said Progress had disclosed the issue alongside other Sitefinity CVEs in May 2026 and that patched versions were available for affected branches, with no confirmed active exploitation as of June 2.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
6 references tracked. Mallory keeps watching after this page renders.
cyberveille.ch
Open sourceegfincirt-wpn.azurewebsites.net
Open sourceegfincirt.org.eg
Open sourcezeropath.com
Open sourcezeropath.com
Open sourcezeropath.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.