Search criteria
177 vulnerabilities
CVE-2026-8037 (GCVE-0-2026-8037)
Vulnerability from cvelistv5 – Published: 2026-06-04 13:13 – Updated: 2026-06-05 03:55
VLAI
Title
OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF
Summary
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an un-authenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endpoints
Severity
9.6 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/LoadMast… | vendor-advisory |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | LoadMaster |
Affected:
V7.2.60.0 , < V7.2.63.2
(custom)
Affected: V7.2.45.12 , < V7.2.54.18 (custom) |
|
| Progress Software | ECS Connections Manager |
Affected:
V7.2.60.0 , < V7.2.63.2
(custom)
|
|
| Progress Software | Object Scale Connection Manager |
Affected:
V7.2.60.0 , < V7.2.63.2
(custom)
|
|
| Progress Software | MOVEit WAF |
Affected:
V7.2.60.0 , < V7.2.63.2
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8037",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-04T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T03:55:49.205Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LoadMaster",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.2",
"status": "affected",
"version": "V7.2.60.0",
"versionType": "custom"
},
{
"lessThan": "V7.2.54.18",
"status": "affected",
"version": "V7.2.45.12",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ECS Connections Manager",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.2",
"status": "affected",
"version": "V7.2.60.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Object Scale Connection Manager",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.2",
"status": "affected",
"version": "V7.2.60.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MOVEit WAF",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.2",
"status": "affected",
"version": "V7.2.60.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jacky Yang and Syed Ibrahim Ahmed of TrendAI Research"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an un-authenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endpoints"
}
],
"value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an un-authenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endpoints"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An unauthenticated remote attacker exploits unsanitized input in the LoadMaster API command endpoints to inject arbitrary OS commands, resulting in full remote code execution on the appliance."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T13:13:45.793Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/LoadMaster-Critical-Security-Bulletin-June-2026-CVE-2026-8037-CVE-2026-33691"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager \u0026 MOVEit WAF",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003ehtml text\u003c/div\u003e"
}
],
"value": "plain text"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-8037",
"datePublished": "2026-06-04T13:13:45.793Z",
"dateReserved": "2026-05-06T13:35:25.608Z",
"dateUpdated": "2026-06-05T03:55:49.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7313 (GCVE-0-2026-7313)
Vulnerability from cvelistv5 – Published: 2026-06-02 13:09 – Updated: 2026-06-03 03:55
VLAI
Title
CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity
Summary
CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 8.0.5700 to 13.3.7652 allows a remote authenticated attacker to obtain plain-text credentials used connect to Sitefinity Insight service. Successful exploitation requires active integration with Sitefinity Insight, non-default site configuration and valid back-end authorization.
Severity
8.7 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE‑522: Insufficiently Protected Credentials
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/Sitefini… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | Sitefinity |
Affected:
8.0.5700 , < 13.3.7652
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7313",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T03:55:41.806Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Sitefinity",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "13.3.7652",
"status": "affected",
"version": "8.0.5700",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE\u2011522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 8.0.5700 to 13.3.7652 allows a remote authenticated attacker to obtain plain-text credentials used connect to Sitefinity Insight service. Successful exploitation requires active integration with Sitefinity Insight, non-default site configuration and valid back-end authorization."
}
],
"value": "CWE\u2011522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 8.0.5700 to 13.3.7652 allows a remote authenticated attacker to obtain plain-text credentials used connect to Sitefinity Insight service. Successful exploitation requires active integration with Sitefinity Insight, non-default site configuration and valid back-end authorization."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE\u2011522: Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:09:46.916Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "CWE\u2011522: Insufficiently Protected Credentials in web services in Progress Sitefinity",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-7313",
"datePublished": "2026-06-02T13:09:46.916Z",
"dateReserved": "2026-04-28T12:53:37.183Z",
"dateUpdated": "2026-06-03T03:55:41.806Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7312 (GCVE-0-2026-7312)
Vulnerability from cvelistv5 – Published: 2026-06-02 13:09 – Updated: 2026-06-03 12:55
VLAI
Title
CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity
Summary
CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 14.0.7700 to 14.4.8152, and 15.0.8200 to 15.0.8234, and 15.1.8300 to 15.1.8335, 15.2.8400 to 15.2.8441, 15.3.8500 to 15.3.8531, and 15.4.8600 to 15.4.8630 allows a remote unauthenticated attacker to obtain plain-text credentials used connect to Sitefinity Insight service. Successful exploitation requires active integration with Sitefinity Insight and non-default site configuration.
Severity
10 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE‑522: Insufficiently Protected Credentials
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/Sitefini… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | Sitefinity |
Affected:
14.0.7700 , < 14.4.8152
(custom)
Affected: 15.0.8200 , < 15.0.8234 (custom) Affected: 15.1.8300 , < 15.1.8335 (custom) Affected: 15.2.8400 , < 15.2.8441 (custom) Affected: 15.3.8500 , < 15.3.8531 (custom) Affected: 15.4.8600 , < 15.4.8630 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7312",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T03:55:43.776367Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T12:55:14.770Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Sitefinity",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "14.4.8152",
"status": "affected",
"version": "14.0.7700",
"versionType": "custom"
},
{
"lessThan": "15.0.8234",
"status": "affected",
"version": "15.0.8200",
"versionType": "custom"
},
{
"lessThan": "15.1.8335",
"status": "affected",
"version": "15.1.8300",
"versionType": "custom"
},
{
"lessThan": "15.2.8441",
"status": "affected",
"version": "15.2.8400",
"versionType": "custom"
},
{
"lessThan": "15.3.8531",
"status": "affected",
"version": "15.3.8500",
"versionType": "custom"
},
{
"lessThan": "15.4.8630",
"status": "affected",
"version": "15.4.8600",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE\u2011522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 14.0.7700 to 14.4.8152, and 15.0.8200 to 15.0.8234, and 15.1.8300 to 15.1.8335, 15.2.8400 to 15.2.8441, 15.3.8500 to 15.3.8531, and 15.4.8600 to 15.4.8630 allows a remote unauthenticated attacker to obtain plain-text credentials used connect to Sitefinity Insight service. Successful exploitation requires active integration with Sitefinity Insight and non-default site configuration."
}
],
"value": "CWE\u2011522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 14.0.7700 to 14.4.8152, and 15.0.8200 to 15.0.8234, and 15.1.8300 to 15.1.8335, 15.2.8400 to 15.2.8441, 15.3.8500 to 15.3.8531, and 15.4.8600 to 15.4.8630 allows a remote unauthenticated attacker to obtain plain-text credentials used connect to Sitefinity Insight service. Successful exploitation requires active integration with Sitefinity Insight and non-default site configuration."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE\u2011522: Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:09:06.250Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "CWE\u2011522: Insufficiently Protected Credentials in web services in Progress Sitefinity",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-7312",
"datePublished": "2026-06-02T13:09:06.250Z",
"dateReserved": "2026-04-28T12:53:06.945Z",
"dateUpdated": "2026-06-03T12:55:14.770Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7201 (GCVE-0-2026-7201)
Vulnerability from cvelistv5 – Published: 2026-06-02 13:07 – Updated: 2026-06-02 15:12
VLAI
Title
CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity
Summary
CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account properties of other users, potentially leading to account compromise. Successful exploitation requires knowledge of values that are not generally exposed to low-privileged users.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/Sitefini… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | Sitefinity |
Affected:
15.2.8400 , < 15.2.8441
(custom)
Affected: 15.3.8500 , < 15.3.8531 (custom) Affected: 15.4.8600 , < 15.4.8630 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7201",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T15:12:20.415939Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T15:12:26.494Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Sitefinity",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "15.2.8441",
"status": "affected",
"version": "15.2.8400",
"versionType": "custom"
},
{
"lessThan": "15.3.8531",
"status": "affected",
"version": "15.3.8500",
"versionType": "custom"
},
{
"lessThan": "15.4.8630",
"status": "affected",
"version": "15.4.8600",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account properties of other users, potentially leading to account compromise. Successful exploitation requires knowledge of values that are not generally exposed to low-privileged users."
}
],
"value": "CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account properties of other users, potentially leading to account compromise. Successful exploitation requires knowledge of values that are not generally exposed to low-privileged users."
}
],
"impacts": [
{
"capecId": "CAPEC-21",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-21: Exploitation of Trusted Identifiers"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:07:36.875Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-7201",
"datePublished": "2026-06-02T13:07:36.875Z",
"dateReserved": "2026-04-27T13:52:28.344Z",
"dateUpdated": "2026-06-02T15:12:26.494Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7198 (GCVE-0-2026-7198)
Vulnerability from cvelistv5 – Published: 2026-06-02 13:06 – Updated: 2026-06-03 03:55
VLAI
Title
CWE-284: Improper Access Control in web services in Progress Sitefinity
Summary
CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote unauthenticated attacker to access content that should be restricted, resulting in full compromise of confidentiality, integrity, and availability of affected installations.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/Sitefini… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | Sitefinity |
Affected:
15.4.8623 , < 15.4.8630
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7198",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T03:55:44.089Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Sitefinity",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "15.4.8630",
"status": "affected",
"version": "15.4.8623",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote unauthenticated attacker to access content that should be restricted, resulting in full compromise of confidentiality, integrity, and availability of affected installations."
}
],
"value": "CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote unauthenticated attacker to access content that should be restricted, resulting in full compromise of confidentiality, integrity, and availability of affected installations."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:06:32.425Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "CWE-284: Improper Access Control in web services in Progress Sitefinity",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-7198",
"datePublished": "2026-06-02T13:06:32.425Z",
"dateReserved": "2026-04-27T13:51:51.317Z",
"dateUpdated": "2026-06-03T03:55:44.089Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7195 (GCVE-0-2026-7195)
Vulnerability from cvelistv5 – Published: 2026-06-02 13:04 – Updated: 2026-06-04 03:55
VLAI
Title
CWE-20: Improper Input Validation in web services in Progress Sitefinity
Summary
CWE-20: Improper Input Validation in web services in Progress Sitefinity 14.1.x through 14.3.x, 14.4.x before 14.4.8152, 15.0.x before 15.0.8234, 15.1.x before 15.1.8335, 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote unauthenticated attacker to compromise the integrity and confidentiality of user accounts. Successful exploitation requires user interaction and a non-default site configuration.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/Sitefini… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | Sitefinity |
Affected:
14.1.0 , < 14.4.0
(custom)
Affected: 14.4.8100 , < 14.4.8152 (custom) Affected: 15.0.8200 , < 15.0.8234 (custom) Affected: 15.1.8300 , < 15.1.8335 (custom) Affected: 15.2.8400 , < 15.2.8441 (custom) Affected: 15.3.8500 , < 15.3.8531 (custom) Affected: 15.4.8600 , < 15.4.8630 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7195",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T03:55:42.274Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Sitefinity",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "14.4.0",
"status": "affected",
"version": "14.1.0",
"versionType": "custom"
},
{
"lessThan": "14.4.8152",
"status": "affected",
"version": "14.4.8100",
"versionType": "custom"
},
{
"lessThan": "15.0.8234",
"status": "affected",
"version": "15.0.8200",
"versionType": "custom"
},
{
"lessThan": "15.1.8335",
"status": "affected",
"version": "15.1.8300",
"versionType": "custom"
},
{
"lessThan": "15.2.8441",
"status": "affected",
"version": "15.2.8400",
"versionType": "custom"
},
{
"lessThan": "15.3.8531",
"status": "affected",
"version": "15.3.8500",
"versionType": "custom"
},
{
"lessThan": "15.4.8630",
"status": "affected",
"version": "15.4.8600",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-20: Improper Input Validation in web services in Progress Sitefinity 14.1.x through 14.3.x, 14.4.x before 14.4.8152, 15.0.x before 15.0.8234, 15.1.x before 15.1.8335, 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote unauthenticated attacker to compromise the integrity and confidentiality of user accounts. Successful exploitation requires user interaction and a non-default site configuration."
}
],
"value": "CWE-20: Improper Input Validation in web services in Progress Sitefinity 14.1.x through 14.3.x, 14.4.x before 14.4.8152, 15.0.x before 15.0.8234, 15.1.x before 15.1.8335, 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote unauthenticated attacker to compromise the integrity and confidentiality of user accounts. Successful exploitation requires user interaction and a non-default site configuration."
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153: Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:04:40.341Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "CWE-20: Improper Input Validation in web services in Progress Sitefinity",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-7195",
"datePublished": "2026-06-02T13:04:40.341Z",
"dateReserved": "2026-04-27T13:49:22.749Z",
"dateUpdated": "2026-06-04T03:55:42.274Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8488 (GCVE-0-2026-8488)
Vulnerability from cvelistv5 – Published: 2026-05-20 14:14 – Updated: 2026-05-20 15:29
VLAI
Title
Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit Automation
Summary
Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit Automation allows Excessive Allocation.
This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of resources without limits or throttling
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://docs.progress.com/bundle/moveit-automatio… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | MOVEit Automation |
Affected:
0 , < 2025.0.11
(semver)
Affected: 2025.1.0 , < 2025.1.7 (semver) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8488",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T15:29:46.662981Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T15:29:52.391Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MOVEit Automation",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "2025.0.11",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "2025.1.7",
"status": "affected",
"version": "2025.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Airbus SecLab"
},
{
"lang": "en",
"type": "finder",
"value": "Ana\u00efs Gantet"
},
{
"lang": "en",
"type": "finder",
"value": "Delphine Gourdou"
},
{
"lang": "en",
"type": "finder",
"value": "Quentin Liddell"
},
{
"lang": "en",
"type": "finder",
"value": "Matteo Ricordeau"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit Automation allows Excessive Allocation.\u003cp\u003eThis issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7.\u003c/p\u003e"
}
],
"value": "Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit Automation allows Excessive Allocation.\n\nThis issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of resources without limits or throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T14:14:54.861Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://docs.progress.com/bundle/moveit-automation-release-notes-2026/page/Fixed-Issues-2026.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit Automation",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-8488",
"datePublished": "2026-05-20T14:14:54.861Z",
"dateReserved": "2026-05-13T14:50:42.310Z",
"dateUpdated": "2026-05-20T15:29:52.391Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8487 (GCVE-0-2026-8487)
Vulnerability from cvelistv5 – Published: 2026-05-20 14:12 – Updated: 2026-05-20 15:30
VLAI
Title
Incorrect default permissions vulnerability in Progress Software MOVEit Automation
Summary
Incorrect default permissions vulnerability in Progress Software MOVEit Automation allows Retrieve Embedded Sensitive Data.
This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-276 - Incorrect default permissions
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://docs.progress.com/bundle/moveit-automatio… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | MOVEit Automation |
Affected:
0 , < 2025.0.11
(semver)
Affected: 2025.1.0 , < 2025.1.7 (semver) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8487",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T15:30:05.094888Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T15:30:11.664Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MOVEit Automation",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "2025.0.11",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "2025.1.7",
"status": "affected",
"version": "2025.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Airbus SecLab"
},
{
"lang": "en",
"type": "finder",
"value": "Ana\u00efs Gantet"
},
{
"lang": "en",
"type": "finder",
"value": "Delphine Gourdou"
},
{
"lang": "en",
"type": "finder",
"value": "Quentin Liddell"
},
{
"lang": "en",
"type": "finder",
"value": "Matteo Ricordeau"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect default permissions vulnerability in Progress Software MOVEit Automation allows Retrieve Embedded Sensitive Data.\u003cp\u003eThis issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7.\u003c/p\u003e"
}
],
"value": "Incorrect default permissions vulnerability in Progress Software MOVEit Automation allows Retrieve Embedded Sensitive Data.\n\nThis issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect default permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T14:12:03.406Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://docs.progress.com/bundle/moveit-automation-release-notes-2026/page/Fixed-Issues-2026.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Incorrect default permissions vulnerability in Progress Software MOVEit Automation",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-8487",
"datePublished": "2026-05-20T14:12:03.406Z",
"dateReserved": "2026-05-13T14:50:41.621Z",
"dateUpdated": "2026-05-20T15:30:11.664Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8486 (GCVE-0-2026-8486)
Vulnerability from cvelistv5 – Published: 2026-05-20 14:11 – Updated: 2026-05-20 15:30
VLAI
Title
Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit Automation
Summary
Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit Automation allows Flooding.
This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of resources without limits or throttling
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://docs.progress.com/bundle/moveit-automatio… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | MOVEit Automation |
Affected:
0 , < 2025.0.11
(semver)
Affected: 2025.1.0 , < 2025.1.7 (semver) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8486",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T15:30:23.392021Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T15:30:29.106Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MOVEit Automation",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "2025.0.11",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "2025.1.7",
"status": "affected",
"version": "2025.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Airbus SecLab"
},
{
"lang": "en",
"type": "finder",
"value": "Ana\u00efs Gantet"
},
{
"lang": "en",
"type": "finder",
"value": "Delphine Gourdou"
},
{
"lang": "en",
"type": "finder",
"value": "Quentin Liddell"
},
{
"lang": "en",
"type": "finder",
"value": "Matteo Ricordeau"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit Automation allows Flooding.\u003cp\u003eThis issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7.\u003c/p\u003e"
}
],
"value": "Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit Automation allows Flooding.\n\nThis issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7."
}
],
"impacts": [
{
"capecId": "CAPEC-125",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-125 Flooding"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of resources without limits or throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T14:11:30.771Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://docs.progress.com/bundle/moveit-automation-release-notes-2026/page/Fixed-Issues-2026.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit Automation",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-8486",
"datePublished": "2026-05-20T14:11:30.771Z",
"dateReserved": "2026-05-13T14:50:40.357Z",
"dateUpdated": "2026-05-20T15:30:29.106Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8485 (GCVE-0-2026-8485)
Vulnerability from cvelistv5 – Published: 2026-05-20 14:06 – Updated: 2026-05-20 14:24
VLAI
Title
Uncontrolled Memory Allocation vulnerability in Progress Software MOVEit Automation
Summary
Uncontrolled Memory Allocation vulnerability in Progress Software MOVEit Automation allows Excessive Allocation.
This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7.
Severity
5.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-789 - Uncontrolled Memory Allocation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://docs.progress.com/bundle/moveit-automatio… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | MOVEit Automation |
Affected:
0 , < 2025.0.11
(semver)
Affected: 2025.1.0 , < 2025.1.7 (semver) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8485",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T14:24:42.780536Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T14:24:51.862Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MOVEit Automation",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "2025.0.11",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "2025.1.7",
"status": "affected",
"version": "2025.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Airbus SecLab"
},
{
"lang": "en",
"type": "finder",
"value": "Ana\u00efs Gantet"
},
{
"lang": "en",
"type": "finder",
"value": "Delphine Gourdou"
},
{
"lang": "en",
"type": "finder",
"value": "Quentin Liddell"
},
{
"lang": "en",
"type": "finder",
"value": "Matteo Ricordeau"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Uncontrolled Memory Allocation vulnerability in Progress Software MOVEit Automation allows Excessive Allocation.\u003cp\u003eThis issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7.\u003c/p\u003e"
}
],
"value": "Uncontrolled Memory Allocation vulnerability in Progress Software MOVEit Automation allows Excessive Allocation.\n\nThis issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789 Uncontrolled Memory Allocation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T14:06:57.546Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://docs.progress.com/bundle/moveit-automation-release-notes-2026/page/Fixed-Issues-2026.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Uncontrolled Memory Allocation vulnerability in Progress Software MOVEit Automation",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-8485",
"datePublished": "2026-05-20T14:06:57.546Z",
"dateReserved": "2026-05-13T14:50:39.764Z",
"dateUpdated": "2026-05-20T14:24:51.862Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5174 (GCVE-0-2026-5174)
Vulnerability from cvelistv5 – Published: 2026-04-30 15:07 – Updated: 2026-05-01 15:24
VLAI
Title
Improper Access Control Vulnerability in Progress MOVEit Automation
Summary
Improper input validation vulnerability in Progress Software MOVEit Automation allows Privilege Escalation.
This issue affects MOVEit Automation: from 2025.1.0 before 2025.1.5, from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, versions prior to 2024.0.0.
Severity
7.7 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper input validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/MOVEit-A… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | MOVEit Automation |
Affected:
2025.1.0 , < 2025.1.5
(semver)
Affected: 2025.0.0 , < 2025.0.9 (semver) Affected: 2024.0.0 , < 2024.1.8 (semver) Affected: 0 , < 2024.0.0 (semver) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5174",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-01T03:55:59.615853Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T15:24:46.453Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MOVEit Automation",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "2025.1.5",
"status": "affected",
"version": "2025.1.0",
"versionType": "semver"
},
{
"lessThan": "2025.0.9",
"status": "affected",
"version": "2025.0.0",
"versionType": "semver"
},
{
"lessThan": "2024.1.8",
"status": "affected",
"version": "2024.0.0",
"versionType": "semver"
},
{
"lessThan": "2024.0.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Airbus SecLab"
},
{
"lang": "en",
"type": "finder",
"value": "Ana\u00efs Gantet"
},
{
"lang": "en",
"type": "finder",
"value": "Delphine Gourdou"
},
{
"lang": "en",
"type": "finder",
"value": "Quentin Liddell"
},
{
"lang": "en",
"type": "finder",
"value": "Matteo Ricordeau"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper input validation vulnerability in Progress Software MOVEit Automation allows Privilege Escalation.\u003cp\u003eThis issue affects MOVEit Automation: from 2025.1.0 before 2025.1.5, from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8\u003cspan\u003e, versions prior to 2024.0.0.\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "Improper input validation vulnerability in Progress Software MOVEit Automation allows Privilege Escalation.\n\nThis issue affects MOVEit Automation: from 2025.1.0 before 2025.1.5, from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, versions prior to 2024.0.0."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper input validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T15:07:21.589Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/MOVEit-Automation-Critical-Security-Alert-Bulletin-April-2026-CVE-2026-4670-CVE-2026-5174"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper Access Control Vulnerability in Progress MOVEit Automation",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-5174",
"datePublished": "2026-04-30T15:07:21.589Z",
"dateReserved": "2026-03-30T17:29:05.971Z",
"dateUpdated": "2026-05-01T15:24:46.453Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4670 (GCVE-0-2026-4670)
Vulnerability from cvelistv5 – Published: 2026-04-30 15:06 – Updated: 2026-05-01 03:55
VLAI
Title
Improper Authentication vulnerability in Progress MOVEit Automation
Summary
Authentication bypass by primary weakness vulnerability in Progress Software MOVEit Automation allows Authentication Bypass.
This issue affects MOVEit Automation: from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, versions prior to 2024.0.0.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-305 - Authentication bypass by primary weakness
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/MOVEit-A… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | MOVEit Automation |
Affected:
2025.0.0 , < 2025.0.9
(semver)
Affected: 2024.0.0 , < 2024.1.8 (semver) Affected: 0 , < 2024.0.0 (semver) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4670",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-30T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T03:55:57.784Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MOVEit Automation",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "2025.0.9",
"status": "affected",
"version": "2025.0.0",
"versionType": "semver"
},
{
"lessThan": "2024.1.8",
"status": "affected",
"version": "2024.0.0",
"versionType": "semver"
},
{
"lessThan": "2024.0.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Airbus SecLab"
},
{
"lang": "en",
"type": "finder",
"value": "Ana\u00efs Gantet"
},
{
"lang": "en",
"type": "finder",
"value": "Delphine Gourdou"
},
{
"lang": "en",
"type": "finder",
"value": "Quentin Liddell"
},
{
"lang": "en",
"type": "finder",
"value": "Matteo Ricordeau"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication bypass by primary weakness vulnerability in Progress Software MOVEit Automation allows Authentication Bypass.\u003cp\u003eThis issue affects MOVEit Automation: from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, versions prior to 2024.0.0.\u003c/p\u003e"
}
],
"value": "Authentication bypass by primary weakness vulnerability in Progress Software MOVEit Automation allows Authentication Bypass.\n\nThis issue affects MOVEit Automation: from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, versions prior to 2024.0.0."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305 Authentication bypass by primary weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T15:06:11.600Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/MOVEit-Automation-Critical-Security-Alert-Bulletin-April-2026-CVE-2026-4670-CVE-2026-5174"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper Authentication vulnerability in Progress MOVEit Automation",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-4670",
"datePublished": "2026-04-30T15:06:11.600Z",
"dateReserved": "2026-03-23T18:04:32.645Z",
"dateUpdated": "2026-05-01T03:55:57.784Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6023 (GCVE-0-2026-6023)
Vulnerability from cvelistv5 – Published: 2026-04-22 07:13 – Updated: 2026-04-23 03:56
VLAI
Title
Deserialization of Untrusted Data Vulnerability in Telerik UI for ASP.NET AJAX
Summary
In Progress® Telerik® UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable to insecure deserialization when restoring filter state if the state is exposed to the client. If an attacker tampers with this state, a server-side remote code execution is possible.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.telerik.com/products/aspnet-ajax/docu… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | Telerik UI for ASP.NET AJAX |
Affected:
2024.4.1114 , < 2026.1.421
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6023",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-22T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T03:56:12.523Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Telerik UI for ASP.NET AJAX",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "2026.1.421",
"status": "affected",
"version": "2024.4.1114",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn Progress\u00ae Telerik\u00ae UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable to insecure deserialization when restoring filter state if the state is exposed to the client. If an attacker tampers with this state, a server-side remote code execution is possible.\u003c/p\u003e"
}
],
"value": "In Progress\u00ae Telerik\u00ae UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable to insecure deserialization when restoring filter state if the state is exposed to the client. If an attacker tampers with this state, a server-side remote code execution is possible."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T07:13:07.933Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.telerik.com/products/aspnet-ajax/documentation/knowledge-base/kb-security-deserialization-of-untrusted-data-cve-2026-6023"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Deserialization of Untrusted Data Vulnerability in Telerik UI for ASP.NET AJAX",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-6023",
"datePublished": "2026-04-22T07:13:07.933Z",
"dateReserved": "2026-04-09T15:47:27.389Z",
"dateUpdated": "2026-04-23T03:56:12.523Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6022 (GCVE-0-2026-6022)
Vulnerability from cvelistv5 – Published: 2026-04-22 07:07 – Updated: 2026-04-22 12:28
VLAI
Title
Uncontrolled Resource Consumption Vulnerability in Telerik UI for ASP.NET AJAX
Summary
In Progress® Telerik® UI for AJAX prior to 2026.1.421, RadAsyncUpload contains an uncontrolled resource consumption vulnerability that allows file uploads to exceed the configured maximum size due to missing cumulative size enforcement during chunk reassembly, leading to disk space exhaustion.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.telerik.com/products/aspnet-ajax/docu… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | Telerik UI for ASP.NET AJAX |
Affected:
2011.2.712 , < 2026.1.421
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6022",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-22T12:25:41.076779Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T12:28:18.218Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Telerik UI for ASP.NET AJAX",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "2026.1.421",
"status": "affected",
"version": "2011.2.712",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Monetary Authority of Singapore"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn Progress\u00ae Telerik\u00ae UI for AJAX prior to 2026.1.421, RadAsyncUpload contains an uncontrolled resource consumption vulnerability that allows file uploads to exceed the configured maximum size due to missing cumulative size enforcement during chunk reassembly, leading to disk space exhaustion.\u003c/p\u003e"
}
],
"value": "In Progress\u00ae Telerik\u00ae UI for AJAX prior to 2026.1.421, RadAsyncUpload contains an uncontrolled resource consumption vulnerability that allows file uploads to exceed the configured maximum size due to missing cumulative size enforcement during chunk reassembly, leading to disk space exhaustion."
}
],
"impacts": [
{
"capecId": "CAPEC-572",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-572 Artificially Inflate File Sizes"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T07:07:30.795Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.telerik.com/products/aspnet-ajax/documentation/knowledge-base/kb-security-uncontrolled-resource-consumption-cve-2026-6022"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Uncontrolled Resource Consumption Vulnerability in Telerik UI for ASP.NET AJAX",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-6022",
"datePublished": "2026-04-22T07:07:30.795Z",
"dateReserved": "2026-04-09T15:47:25.214Z",
"dateUpdated": "2026-04-22T12:28:18.218Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4048 (GCVE-0-2026-4048)
Vulnerability from cvelistv5 – Published: 2026-04-20 13:36 – Updated: 2026-04-22 03:55
VLAI
Title
OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF
Summary
OS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in a custom WAF rule file during the file upload process.
Severity
8.4 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/LoadMast… | vendor-advisory |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | LoadMaster |
Affected:
V7.1.20.0 , < V7.2.63.0
(custom)
|
|
| Progress Software | ECS Connections Manager |
Affected:
V7.2.49.0 , < V7.2.63.0
(custom)
|
|
| Progress Software | Object Scale Connection Manager |
Affected:
V7.2.62.0 , < V7.2.63.0
(custom)
|
|
| Progress Software | MOVEit WAF |
Affected:
V7.2.62.0 , < V7.2.63.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4048",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T03:55:54.495Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LoadMaster",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.0",
"status": "affected",
"version": "V7.1.20.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ECS Connections Manager",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.0",
"status": "affected",
"version": "V7.2.49.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Object Scale Connection Manager",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.0",
"status": "affected",
"version": "V7.2.62.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MOVEit WAF",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.0",
"status": "affected",
"version": "V7.2.62.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "OS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows an authenticated attacker with \u201cAll\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in a custom WAF rule file during the file upload process."
}
],
"value": "OS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows an authenticated attacker with \u201cAll\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in a custom WAF rule file during the file upload process."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T13:36:49.475Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager \u0026 MOVEit WAF",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-4048",
"datePublished": "2026-04-20T13:36:49.475Z",
"dateReserved": "2026-03-12T12:17:05.403Z",
"dateUpdated": "2026-04-22T03:55:54.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3519 (GCVE-0-2026-3519)
Vulnerability from cvelistv5 – Published: 2026-04-20 13:32 – Updated: 2026-04-22 03:55
VLAI
Title
OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF
Summary
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “VS Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'aclcontrol' command
Severity
8.4 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/LoadMast… | vendor-advisory |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | LoadMaster |
Affected:
V7.2.45.0 , < V7.2.63.0
(custom)
|
|
| Progress Software | ECS Connections Manager |
Affected:
V7.2.49.0 , < V7.2.63.0
(custom)
|
|
| Progress Software | Object Scale Connection Manager |
Affected:
V7.2.62.0 , < V7.2.63.0
(custom)
|
|
| Progress Software | MOVEit WAF |
Affected:
V7.2.62.0 , < V7.2.63.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3519",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T03:55:53.355Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LoadMaster",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.0",
"status": "affected",
"version": "V7.2.45.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ECS Connections Manager",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.0",
"status": "affected",
"version": "V7.2.49.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Object Scale Connection Manager",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.0",
"status": "affected",
"version": "V7.2.62.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MOVEit WAF",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.0",
"status": "affected",
"version": "V7.2.62.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with \u201cVS Administration\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the \u0027aclcontrol\u0027 command"
}
],
"value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with \u201cVS Administration\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the \u0027aclcontrol\u0027 command"
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T13:32:50.259Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager \u0026 MOVEit WAF",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-3519",
"datePublished": "2026-04-20T13:32:50.259Z",
"dateReserved": "2026-03-04T15:10:17.159Z",
"dateUpdated": "2026-04-22T03:55:53.355Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3518 (GCVE-0-2026-3518)
Vulnerability from cvelistv5 – Published: 2026-04-20 13:29 – Updated: 2026-04-22 03:55
VLAI
Title
OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF
Summary
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'killsession' command
Severity
8.4 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/LoadMast… | vendor-advisory |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | LoadMaster |
Affected:
V7.2.37.0 , < V7.2.63.0
(custom)
|
|
| Progress Software | ECS Connections Manager |
Affected:
V7.2.49.0 , < V7.2.63.0
(custom)
|
|
| Progress Software | Object Scale Connection Manager |
Affected:
V7.2.62.0 , < V7.2.63.0
(custom)
|
|
| Progress Software | MOVEit WAF |
Affected:
V7.2.62.0 , < V7.2.63.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3518",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T03:55:52.242Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LoadMaster",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.0",
"status": "affected",
"version": "V7.2.37.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ECS Connections Manager",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.0",
"status": "affected",
"version": "V7.2.49.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Object Scale Connection Manager",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.0",
"status": "affected",
"version": "V7.2.62.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MOVEit WAF",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.0",
"status": "affected",
"version": "V7.2.62.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Argany of TrendAI Research"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with \u201cAll\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the \u0027killsession\u0027 command"
}
],
"value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with \u201cAll\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the \u0027killsession\u0027 command"
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T13:29:33.794Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager \u0026 MOVEit WAF",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-3518",
"datePublished": "2026-04-20T13:29:33.794Z",
"dateReserved": "2026-03-04T15:10:16.116Z",
"dateUpdated": "2026-04-22T03:55:52.242Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3517 (GCVE-0-2026-3517)
Vulnerability from cvelistv5 – Published: 2026-04-20 13:22 – Updated: 2026-04-22 03:55
VLAI
Title
OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF
Summary
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “Geo Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'addcountry' command
Severity
8.4 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/LoadMast… | vendor-advisory |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | LoadMaster |
Affected:
7.1.32.0 , < V7.2.63.0
(custom)
|
|
| Progress Software | ECS Connections Manager |
Affected:
7.2.49.0 , < V7.2.63.0
(custom)
|
|
| Progress Software | Object Scale Connection Manager |
Affected:
7.2.62.0 , < V7.2.63.0
(custom)
|
|
| Progress Software | MOVEit WAF |
Affected:
7.2.62.0 , < V7.2.63.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3517",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T03:55:51.123Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LoadMaster",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.0",
"status": "affected",
"version": "7.1.32.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ECS Connections Manager",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.0",
"status": "affected",
"version": "7.2.49.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Object Scale Connection Manager",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.0",
"status": "affected",
"version": "7.2.62.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MOVEit WAF",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.0",
"status": "affected",
"version": "7.2.62.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Argany of TrendAI Research"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with \u201cGeo Administration\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the \u0027addcountry\u0027 command"
}
],
"value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with \u201cGeo Administration\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the \u0027addcountry\u0027 command"
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T13:22:54.867Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager \u0026 MOVEit WAF",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-3517",
"datePublished": "2026-04-20T13:22:54.867Z",
"dateReserved": "2026-03-04T15:10:14.967Z",
"dateUpdated": "2026-04-22T03:55:51.123Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-8095 (GCVE-0-2025-8095)
Vulnerability from cvelistv5 – Published: 2026-04-14 13:13 – Updated: 2026-04-15 03:58
VLAI
Title
Recoverable obfuscation using the OECH1 prefix encoding in OpenEdge
Summary
The OECH1 prefix encoding is intended to obfuscate values across the OpenEdge platform. It has been identified as cryptographically weak and unsuitable for stored encodings and enterprise applications. OECH1 encodings should be considered exploitable and immediately replaced by any other supported prefix encoding, all of which are based on symmetric encryption.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software Corporation | OpenEdge |
Affected:
12.2.0 , ≤ 12.2.18
(custom)
Affected: 12.8.0 , ≤ 12.8.9 (custom) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8095",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T03:58:13.601Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"OpenEdge Platform Prefix Encodings"
],
"platforms": [
"Windows",
"Linux",
"64 bit",
"32 bit"
],
"product": "OpenEdge",
"vendor": "Progress Software Corporation",
"versions": [
{
"lessThanOrEqual": "12.2.18",
"status": "affected",
"version": "12.2.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.8.9",
"status": "affected",
"version": "12.8.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thomas Riedmaier, Siemens Energy"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003e\u003cspan\u003eThe OECH1 prefix encoding is intended to obfuscate values across the OpenEdge platform. \u0026nbsp;It has been identified as cryptographically weak and unsuitable for stored encodings and enterprise applications. \u0026nbsp;OECH1 encodings should be considered exploitable and immediately replaced by any other supported prefix encoding, all of which are based on symmetric encryption.\u003c/span\u003e\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "The OECH1 prefix encoding is intended to obfuscate values across the OpenEdge platform. \u00a0It has been identified as cryptographically weak and unsuitable for stored encodings and enterprise applications. \u00a0OECH1 encodings should be considered exploitable and immediately replaced by any other supported prefix encoding, all of which are based on symmetric encryption."
}
],
"impacts": [
{
"capecId": "CAPEC-21",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-21 Exploitation of Trusted Identifiers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "RED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/AU:Y/V:D/RE:M/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-257",
"description": "CWE-257",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T13:13:43.739Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"url": "https://community.progress.com/s/article/Unintended-Use-of-OECH1-for-Password-Secrets-Protection"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Recoverable obfuscation using the OECH1 prefix encoding in OpenEdge",
"x_generator": {
"engine": "Vulnogram 1.0.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2025-8095",
"datePublished": "2026-04-14T13:13:43.739Z",
"dateReserved": "2025-07-23T16:36:12.176Z",
"dateUpdated": "2026-04-15T03:58:13.601Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-7389 (GCVE-0-2025-7389)
Vulnerability from cvelistv5 – Published: 2026-04-14 13:12 – Updated: 2026-04-14 14:04
VLAI
Title
Unauthorized Arbitrary File Read via RMI in AdminServer Interface
Summary
A vulnerability in the AdminServer component of OpenEdge on all supported platforms grants its authenticated users OS-level access to the server
through the adopted authority of the AdminServer process itself. The delegated authority of the AdminServer could allow its users the ability to read arbitrary files on the host system through the misuse of the setFile() and openFile()
methods exposed through the RMI interface. Misuse was limited only by OS-level authority of the AdminServer's elevated
privileges granted and the user's access to these methods enabled through RMI. The exploitable methods have been removed thus eliminating their access through RMI or downstream of the RMI registry.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software Corporation | OpenEdge |
Affected:
OpenEdge 12.2.0 , ≤ 12.2.9
(custom)
Affected: OpenEdge 12.8.0 , ≤ 12.2.18 (custom) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-7389",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T14:01:57.322738Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T14:04:52.165Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"OpenEdge AdminServer"
],
"platforms": [
"Windows",
"Linux",
"64 bit",
"32 bit"
],
"product": "OpenEdge",
"vendor": "Progress Software Corporation",
"versions": [
{
"lessThanOrEqual": "12.2.9",
"status": "affected",
"version": "OpenEdge 12.2.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.2.18",
"status": "affected",
"version": "OpenEdge 12.8.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thomas Riedmaier, Siemens Energy"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability in the \u003ccode\u003eAdminServer\u003c/code\u003e component of OpenEdge on all supported platforms grants its authenticated users\u0026nbsp;OS-level access to the server\nthrough the adopted authority of the AdminServer process itself.\u0026nbsp; The delegated authority of the AdminServer could allow its users the ability to read arbitrary files on the host system through the misuse of the \u003ccode\u003esetFile()\u003c/code\u003e and \u003ccode\u003eopenFile()\u003c/code\u003e\n methods exposed through the RMI interface.\u0026nbsp; Misuse was limited only by OS-level authority of the AdminServer\u0027s elevated \nprivileges granted and the user\u0027s access to these methods enabled through RMI.\u0026nbsp; The exploitable methods have been removed thus eliminating their access through RMI or downstream of the RMI registry."
}
],
"value": "A vulnerability in the AdminServer component of OpenEdge on all supported platforms grants its authenticated users\u00a0OS-level access to the server\nthrough the adopted authority of the AdminServer process itself.\u00a0 The delegated authority of the AdminServer could allow its users the ability to read arbitrary files on the host system through the misuse of the setFile() and openFile()\n methods exposed through the RMI interface.\u00a0 Misuse was limited only by OS-level authority of the AdminServer\u0027s elevated \nprivileges granted and the user\u0027s access to these methods enabled through RMI.\u00a0 The exploitable methods have been removed thus eliminating their access through RMI or downstream of the RMI registry."
}
],
"impacts": [
{
"capecId": "CAPEC-497",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-497"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T13:12:54.559Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"url": "https://community.progress.com/s/article/Important-Arbitrary-File-Ready-Security-Update-for-OpenEdge-AdminServer"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Unauthorized Arbitrary File Read via RMI in AdminServer Interface",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2025-7389",
"datePublished": "2026-04-14T13:12:54.559Z",
"dateReserved": "2025-07-09T13:01:22.716Z",
"dateUpdated": "2026-04-14T14:04:52.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2737 (GCVE-0-2026-2737)
Vulnerability from cvelistv5 – Published: 2026-04-02 13:28 – Updated: 2026-04-03 03:55
VLAI
Title
Possibility of unintended actions when an administrator clicks a malicious link in the Progress Flowmon web application
Summary
A vulnerability exists in Progress Flowmon versions prior to 12.5.8 and 13.0.6, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/CVE-2026… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | Flowmon |
Affected:
Flowmon 12 versions prior to 12.5.8
(custom)
Affected: Flowmon 13 versions prior to 13.0.6 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2737",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T03:55:29.158Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Flowmon",
"vendor": "Progress Software",
"versions": [
{
"status": "affected",
"version": "Flowmon 12 versions prior to 12.5.8",
"versionType": "custom"
},
{
"status": "affected",
"version": "Flowmon 13 versions prior to 13.0.6",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability exists in Progress Flowmon versions prior to 12.5.8 and 13.0.6, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session."
}
],
"value": "A vulnerability exists in Progress Flowmon versions prior to 12.5.8 and 13.0.6, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T13:28:41.825Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/CVE-2026-2737-Progress-Flowmon"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Possibility of unintended actions when an administrator clicks a malicious link in the Progress Flowmon web application",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-2737",
"datePublished": "2026-04-02T13:28:41.825Z",
"dateReserved": "2026-02-19T09:21:34.082Z",
"dateUpdated": "2026-04-03T03:55:29.158Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3692 (GCVE-0-2026-3692)
Vulnerability from cvelistv5 – Published: 2026-04-02 13:27 – Updated: 2026-04-03 03:55
VLAI
Title
Unintended command execution during report generation in Progress Flowmon
Summary
In Progress Flowmon versions prior to 12.5.8, a vulnerability exists whereby an authenticated low-privileged user may craft a request during the report generation process that results in unintended commands being executed on the server.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/CVE-2026… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | Flowmon |
Affected:
Flowmon 12 versions prior to 12.5.8
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3692",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T03:55:27.668Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Flowmon",
"vendor": "Progress Software",
"versions": [
{
"status": "affected",
"version": "Flowmon 12 versions prior to 12.5.8",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Progress Flowmon versions prior to 12.5.8, a vulnerability exists whereby an authenticated low-privileged user may craft a request during the report generation process that results in unintended commands being executed on the server."
}
],
"value": "In Progress Flowmon versions prior to 12.5.8, a vulnerability exists whereby an authenticated low-privileged user may craft a request during the report generation process that results in unintended commands being executed on the server."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T13:27:45.684Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/CVE-2026-3692-Progress-Flowmon"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Unintended command execution during report generation in Progress Flowmon",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-3692",
"datePublished": "2026-04-02T13:27:45.684Z",
"dateReserved": "2026-03-07T06:47:25.022Z",
"dateUpdated": "2026-04-03T03:55:27.668Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2701 (GCVE-0-2026-2701)
Vulnerability from cvelistv5 – Published: 2026-04-02 13:04 – Updated: 2026-04-03 03:55
VLAI
Title
RCE vulnerability in Progress ShareFile Storage Zones Controller (SZC)
Summary
Authenticated user can upload a malicious file to the server and execute it, which leads to remote code execution.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://docs.sharefile.com/en-us/storage-zones-co… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress | ShareFile Storage Zones Controller |
Affected:
0 , ≤ 5.12.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2701",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T03:55:26.174Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ShareFile Storage Zones Controller",
"vendor": "Progress",
"versions": [
{
"lessThanOrEqual": "5.12.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Piotr Bazydlo of watchTowr"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authenticated user can upload a malicious file to the server and execute it, which leads to remote code execution."
}
],
"value": "Authenticated user can upload a malicious file to the server and execute it, which leads to remote code execution."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "This vulnerability allows an authenticated user to upload a malicious file to the server and execute it, potentially leading to remote code execution."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T13:04:38.554Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://docs.sharefile.com/en-us/storage-zones-controller/5-0/security-vulnerability-feb26"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "RCE vulnerability in Progress ShareFile Storage Zones Controller (SZC)",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text",
"value": "Reset the secret and password using custom tool provided by ShareFile"
}
],
"value": "Reset the secret and password using custom tool provided by ShareFile"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-2701",
"datePublished": "2026-04-02T13:04:38.554Z",
"dateReserved": "2026-02-18T17:20:44.202Z",
"dateUpdated": "2026-04-03T03:55:26.174Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2699 (GCVE-0-2026-2699)
Vulnerability from cvelistv5 – Published: 2026-04-02 13:04 – Updated: 2026-04-08 15:25
VLAI
Title
EAR vulnerability in Progress ShareFile Storage Zones Controller (SZC)
Summary
Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted configuration pages. This leads to changing system configuration and potential remote code execution.
Severity
9.8 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://docs.sharefile.com/en-us/storage-zones-co… | vendor-advisory |
| https://github.com/watchtowrlabs/watchTowr-vs-Pro… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress | ShareFile Storage Zones Controller |
Affected:
0 , ≤ 5.12.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2699",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T03:55:24.742Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/watchtowrlabs/watchTowr-vs-Progress-ShareFile-CVE-2026-2699"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ShareFile Storage Zones Controller",
"vendor": "Progress",
"versions": [
{
"lessThanOrEqual": "5.12.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sonny of watchTowr"
},
{
"lang": "en",
"type": "finder",
"value": "h4x0r_dz"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted configuration pages. This leads to changing system configuration and potential remote code execution."
}
],
"value": "Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted configuration pages. This leads to changing system configuration and potential remote code execution."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-698",
"description": "CWE-698: Execution After Redirect (EAR)",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T15:25:21.185Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://docs.sharefile.com/en-us/storage-zones-controller/5-0/security-vulnerability-feb26"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "EAR vulnerability in Progress ShareFile Storage Zones Controller (SZC)",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text",
"value": "Harden the Storage Zones Controller access using IIS or use a firewall to block network access to the Storage Zones Controller administration pages from untrusted sources."
}
],
"value": "Harden the Storage Zones Controller access using IIS or use a firewall to block network access to the Storage Zones Controller administration pages from untrusted sources."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-2699",
"datePublished": "2026-04-02T13:04:00.485Z",
"dateReserved": "2026-02-18T16:18:30.153Z",
"dateUpdated": "2026-04-08T15:25:21.185Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2514 (GCVE-0-2026-2514)
Vulnerability from cvelistv5 – Published: 2026-03-12 13:00 – Updated: 2026-03-13 03:55
VLAI
Title
Possibility of unintended actions when viewing maliciously crafted network data in Progress Flowmon ADS web application
Summary
In Progress Flowmon ADS versions prior to 12.5.5 and 13.0.3, a vulnerability exists whereby an adversary with access to Flowmon monitoring ports may craft malicious network data that, when processed by Flowmon ADS and viewed by an authenticated user, could result in unintended actions being executed in the user's browser context.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/CVE-2026… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | Flowmon ADS |
Affected:
Flowmon ADS 12 versions prior to 12.5.5
(custom)
Affected: Flowmon ADS 13 versions prior to 13.0.3 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2514",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-12T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T03:55:43.039Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Flowmon ADS",
"vendor": "Progress Software",
"versions": [
{
"status": "affected",
"version": "Flowmon ADS 12 versions prior to 12.5.5",
"versionType": "custom"
},
{
"status": "affected",
"version": "Flowmon ADS 13 versions prior to 13.0.3",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Progress Flowmon ADS versions prior to 12.5.5 and 13.0.3, a vulnerability exists whereby an adversary with access to Flowmon monitoring ports may craft malicious network data that, when processed by Flowmon ADS and viewed by an authenticated user, could result in unintended actions being executed in the user\u0027s browser context."
}
],
"value": "In Progress Flowmon ADS versions prior to 12.5.5 and 13.0.3, a vulnerability exists whereby an adversary with access to Flowmon monitoring ports may craft malicious network data that, when processed by Flowmon ADS and viewed by an authenticated user, could result in unintended actions being executed in the user\u0027s browser context."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T13:00:27.353Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/CVE-2026-2514-Progress-Flowmon-ADS"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Possibility of unintended actions when viewing maliciously crafted network data in Progress Flowmon ADS web application",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-2514",
"datePublished": "2026-03-12T13:00:27.353Z",
"dateReserved": "2026-02-14T09:56:25.024Z",
"dateUpdated": "2026-03-13T03:55:43.039Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2513 (GCVE-0-2026-2513)
Vulnerability from cvelistv5 – Published: 2026-03-12 12:58 – Updated: 2026-03-13 03:55
VLAI
Title
Possibility of unintended actions when an administrator clicks a malicious link in the Progress Flowmon ADS web application
Summary
A vulnerability exists in Progress Flowmon ADS versions prior to 12.5.5 and 13.0.3, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/CVE-2026… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | Flowmon ADS |
Affected:
Flowmon ADS 12 versions prior to 12.5.5
(custom)
Affected: Flowmon ADS 13 versions prior to 13.0.3 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2513",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-12T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T03:55:42.297Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Flowmon ADS",
"vendor": "Progress Software",
"versions": [
{
"status": "affected",
"version": "Flowmon ADS 12 versions prior to 12.5.5",
"versionType": "custom"
},
{
"status": "affected",
"version": "Flowmon ADS 13 versions prior to 13.0.3",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability exists in Progress Flowmon ADS versions prior to 12.5.5 and 13.0.3, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session."
}
],
"value": "A vulnerability exists in Progress Flowmon ADS versions prior to 12.5.5 and 13.0.3, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T12:58:59.894Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/CVE-2026-2513-Progress-Flowmon-ADS"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Possibility of unintended actions when an administrator clicks a malicious link in the Progress Flowmon ADS web application",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-2513",
"datePublished": "2026-03-12T12:58:59.894Z",
"dateReserved": "2026-02-14T09:56:23.317Z",
"dateUpdated": "2026-03-13T03:55:42.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2878 (GCVE-0-2026-2878)
Vulnerability from cvelistv5 – Published: 2026-02-25 14:45 – Updated: 2026-02-27 17:06
VLAI
Title
Insufficient Entropy Vulnerability in Telerik UI for ASP.NET AJAX
Summary
In Progress® Telerik® UI for AJAX, versions prior to 2026.1.225, an insufficient entropy vulnerability exists in RadAsyncUpload, where a predictable temporary identifier, based on timestamp and filename, can enable collisions and file content tampering.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-331 - Insufficient Entropy
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.telerik.com/products/aspnet-ajax/docu… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | Telerik UI for ASP.NET AJAX |
Affected:
2011.2.712 , < 2026.1.225
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2878",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T17:06:09.729072Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T17:06:16.616Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Telerik UI for ASP.NET AJAX",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "2026.1.225",
"status": "affected",
"version": "2011.2.712",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Monetary Authority of Singapore"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Progress\u00ae Telerik\u00ae UI for AJAX, versions prior to 2026.1.225, an insufficient entropy vulnerability exists in RadAsyncUpload, where a predictable temporary identifier, based on timestamp and filename, can enable collisions and file content tampering."
}
],
"value": "In Progress\u00ae Telerik\u00ae UI for AJAX, versions prior to 2026.1.225, an insufficient entropy vulnerability exists in RadAsyncUpload, where a predictable temporary identifier, based on timestamp and filename, can enable collisions and file content tampering."
}
],
"impacts": [
{
"capecId": "CAPEC-149",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-149 Explore for Predictable Temporary File Names"
}
]
},
{
"capecId": "CAPEC-26",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-26 Leveraging Race Conditions"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-331",
"description": "CWE-331 Insufficient Entropy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T14:45:11.142Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.telerik.com/products/aspnet-ajax/documentation/knowledge-base/kb-security-insufficient-entropy-cve-2026-2878"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Insufficient Entropy Vulnerability in Telerik UI for ASP.NET AJAX",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-2878",
"datePublished": "2026-02-25T14:45:11.142Z",
"dateReserved": "2026-02-20T16:20:51.770Z",
"dateUpdated": "2026-02-27T17:06:16.616Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-6723 (GCVE-0-2025-6723)
Vulnerability from cvelistv5 – Published: 2026-01-30 14:09 – Updated: 2026-03-11 14:30
VLAI
Title
Untrusted user data can lead to privilege escalation
Summary
Chef InSpec versions up to 5.23 and before 7.0.107 creates named pipes with overly permissive default Windows access controls. A local attacker may interfere with the pipe connection process and exploit the insufficient access restrictions to assume the InSpec execution context, potentially resulting in elevated privileges or operational disruption.
This issue affects Chef Inspec: through 5.23 and before 7.0.107
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://docs.chef.io/inspec/ |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | Chef Inspec |
Affected:
0 , ≤ <=5.23, <7.0.107
(customer on-prem)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6723",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-30T14:43:58.090397Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-30T14:44:30.165Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/inspec/inspec",
"defaultStatus": "affected",
"modules": [
"train",
"API"
],
"packageName": "train",
"platforms": [
"Windows",
"MacOS",
"Linux",
"x86",
"32 bit",
"64 bit"
],
"product": "Chef Inspec",
"programFiles": [
"https://github.com/inspec/inspec"
],
"repo": "https://github.com/inspec/inspec",
"vendor": "Progress Software",
"versions": [
{
"lessThanOrEqual": "\u003c=5.23, \u003c7.0.107",
"status": "affected",
"version": "0",
"versionType": "customer on-prem"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Yuval Gordon, Akamai"
},
{
"lang": "en",
"type": "reporter",
"value": "Maayan Shaul, Microsoft"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eChef InSpec versions up to 5.23 and before 7.0.107 creates named pipes with overly permissive default Windows access controls. A local attacker may interfere with the pipe connection process and exploit the insufficient access restrictions to assume the InSpec execution context, potentially resulting in elevated privileges or operational disruption.\u003c/p\u003e\u003cp\u003eThis issue affects Chef Inspec: through 5.23 and before 7.0.107\u003c/p\u003e"
}
],
"value": "Chef InSpec versions up to 5.23 and before 7.0.107 creates named pipes with overly permissive default Windows access controls. A local attacker may interfere with the pipe connection process and exploit the insufficient access restrictions to assume the InSpec execution context, potentially resulting in elevated privileges or operational disruption.\n\nThis issue affects Chef Inspec: through 5.23 and before 7.0.107"
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
},
{
"capecId": "CAPEC-114",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-114 Authentication Abuse"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T14:30:44.870Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"url": "https://docs.chef.io/inspec/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Untrusted user data can lead to privilege escalation",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2025-6723",
"datePublished": "2026-01-30T14:09:41.182Z",
"dateReserved": "2025-06-26T14:24:52.468Z",
"dateUpdated": "2026-03-11T14:30:44.870Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13447 (GCVE-0-2025-13447)
Vulnerability from cvelistv5 – Published: 2026-01-13 14:31 – Updated: 2026-02-26 15:04
VLAI
Title
OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster
Summary
OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters
Severity
8.4 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/LoadMast… | vendor-advisory |
| https://community.progress.com/s/article/ECS-Conn… | vendor-advisory |
| https://community.progress.com/s/article/Connecti… | vendor-advisory |
| https://community.progress.com/s/article/MOVEit-W… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | LoadMaster |
Affected:
7.2.50 , < V7.2.62.2
(custom)
Affected: 7.1.32 , < V7.2.62.2 (custom) Affected: 7.2.37 , < V7.2.62.2 (custom) Affected: 7.2.39 , < V7.2.62.2 (custom) Affected: 7.2.50 , < V7.2.54.16 (custom) Affected: 7.1.32 , < V7.2.54.16 (custom) Affected: 7.2.37 , < V7.2.54.16 (custom) Affected: 7.2.39 , < V7.2.54.16 (custom) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13447",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T04:57:19.495084Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T15:04:45.811Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"LoadMaster Appliance",
"MOVEit WAF Appliance",
"ECS Appliance",
"ObjectScale Appliance"
],
"product": "LoadMaster",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.62.2",
"status": "affected",
"version": "7.2.50",
"versionType": "custom"
},
{
"lessThan": "V7.2.62.2",
"status": "affected",
"version": "7.1.32",
"versionType": "custom"
},
{
"lessThan": "V7.2.62.2",
"status": "affected",
"version": "7.2.37",
"versionType": "custom"
},
{
"lessThan": "V7.2.62.2",
"status": "affected",
"version": "7.2.39",
"versionType": "custom"
},
{
"lessThan": "V7.2.54.16",
"status": "affected",
"version": "7.2.50",
"versionType": "custom"
},
{
"lessThan": "V7.2.54.16",
"status": "affected",
"version": "7.1.32",
"versionType": "custom"
},
{
"lessThan": "V7.2.54.16",
"status": "affected",
"version": "7.2.37",
"versionType": "custom"
},
{
"lessThan": "V7.2.54.16",
"status": "affected",
"version": "7.2.39",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Williams from Converge Technology Solutions working with Trend Micro Zero Day Initiative"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with \u201cUser Administration\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters"
}
],
"value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with \u201cUser Administration\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with \u201cUser Administration\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Neutralization of Special Elements used in an OS Command (\u2018OS Command Injection\u2019)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T14:31:56.911Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/LoadMaster-Vulnerabilities-CVE-2025-13444-CVE-2025-13447"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/ECS-Connection-Manager-Vulnerabilities-CVE-2025-13444-CVE-2025-13447"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Connection-Manager-for-ObjectScale-Vulnerabilities-CVE-2025-13444-CVE-2025-13447"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/MOVEit-WAF-Vulnerabilities-CVE-2025-13444-CVE-2025-13447"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2025-13447",
"datePublished": "2026-01-13T14:31:56.911Z",
"dateReserved": "2025-11-19T19:18:13.816Z",
"dateUpdated": "2026-02-26T15:04:45.811Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13444 (GCVE-0-2025-13444)
Vulnerability from cvelistv5 – Published: 2026-01-13 14:26 – Updated: 2026-02-26 15:04
VLAI
Title
OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster
Summary
OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters
Severity
8.4 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/LoadMast… | vendor-advisory |
| https://community.progress.com/s/article/ECS-Conn… | vendor-advisory |
| https://community.progress.com/s/article/Connecti… | vendor-advisory |
| https://community.progress.com/s/article/MOVEit-W… | vendor-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | LoadMaster |
Affected:
7.2.50 , < V7.2.62.2
(custom)
Affected: 7.2.50 , < V7.2.54.16 (custom) |
|
| Progress Software | Multi Tenant LoadMaster |
Affected:
7.2.39 , < V7.1.35.15
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13444",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T04:57:18.478535Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T15:04:46.116Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"LoadMaster Appliance",
"MOVEit WAF Appliance",
"ECS Appliance",
"ObjectScale Appliance"
],
"product": "LoadMaster",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.62.2",
"status": "affected",
"version": "7.2.50",
"versionType": "custom"
},
{
"lessThan": "V7.2.54.16",
"status": "affected",
"version": "7.2.50",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Multi Tenant LoadMaster"
],
"product": "Multi Tenant LoadMaster",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.1.35.15",
"status": "affected",
"version": "7.2.39",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Williams from Converge Technology Solutions working with Trend Micro Zero Day Initiative"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with \u201cUser Administration\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters"
}
],
"value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with \u201cUser Administration\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with \u201cUser Administration\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Neutralization of Special Elements used in an OS Command (\u2018OS Command Injection\u2019)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T14:26:50.661Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/LoadMaster-Vulnerabilities-CVE-2025-13444-CVE-2025-13447"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/ECS-Connection-Manager-Vulnerabilities-CVE-2025-13444-CVE-2025-13447"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Connection-Manager-for-ObjectScale-Vulnerabilities-CVE-2025-13444-CVE-2025-13447"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/MOVEit-WAF-Vulnerabilities-CVE-2025-13444-CVE-2025-13447"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2025-13444",
"datePublished": "2026-01-13T14:26:50.661Z",
"dateReserved": "2025-11-19T19:14:26.777Z",
"dateUpdated": "2026-02-26T15:04:46.116Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}