Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
550 vulnerabilities by progress
CERTFR-2026-AVI-0856
Vulnerability from certfr_avis - Published: 2026-07-10 - Updated: 2026-07-10
De multiples vulnérabilités ont été découvertes dans Progress MOVEit Transfer. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et une injection de code indirecte à distance (XSS).
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Progress | MOVEit Transfer | MOVEit Transfer versions 2026.x antérieures à 2026.0.2 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "MOVEit Transfer versions 2026.x ant\u00e9rieures \u00e0 2026.0.2",
"product": {
"name": "MOVEit Transfer",
"vendor": {
"name": "Progress",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-11903",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-11903"
},
{
"name": "CVE-2026-10699",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-10699"
},
{
"name": "CVE-2026-10698",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-10698"
}
],
"initial_release_date": "2026-07-10T00:00:00",
"last_revision_date": "2026-07-10T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0856",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-07-10T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Progress MOVEit Transfer. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une injection de code indirecte \u00e0 distance (XSS).",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Progress MOVEit Transfer",
"vendor_advisories": [
{
"published_at": "2026-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Progress",
"url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2026/page/Fixed-Issues-in-2026.0.2.html"
}
]
}
CVE-2026-8801 (GCVE-0-2026-8801)
Vulnerability from nvd – Published: 2026-07-08 19:56 – Updated: 2026-07-09 13:36
VLAI
EPSS
VEX
Title
File Extension Restriction Bypass in MOVEit Transfer
Summary
Path equivalence: vulnerability in Progress MOVEit Transfer (File Upload modules).
This issue affects MOVEit Transfer: before 2025.0.8, from 2025.1.0 before 2025.1.4.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-46 - Path equivalence: 'filename ' (trailing space)
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress | MOVEit Transfer |
Affected:
2025.1.0 , < 2025.1.4
(semver)
Affected: 0 , < 2025.0.8 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8801",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T13:35:50.871832Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T13:36:42.815Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"File Upload"
],
"product": "MOVEit Transfer",
"vendor": "Progress",
"versions": [
{
"lessThan": "2025.1.4",
"status": "affected",
"version": "2025.1.0",
"versionType": "semver"
},
{
"lessThan": "2025.0.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Path equivalence: vulnerability in Progress MOVEit Transfer (File Upload modules).\u003cp\u003eThis issue affects MOVEit Transfer: before 2025.0.8, from 2025.1.0 before 2025.1.4.\u003c/p\u003e"
}
],
"value": "Path equivalence: vulnerability in Progress MOVEit Transfer (File Upload modules).\n\nThis issue affects MOVEit Transfer: before 2025.0.8, from 2025.1.0 before 2025.1.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-46",
"description": "CWE-46 Path equivalence: \u0027filename \u0027 (trailing space)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T19:56:03.468Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2026/page/Fixed-Issues-in-2026.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "File Extension Restriction Bypass in MOVEit Transfer",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-8801",
"datePublished": "2026-07-08T19:56:03.468Z",
"dateReserved": "2026-05-18T02:43:00.228Z",
"dateUpdated": "2026-07-09T13:36:42.815Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8800 (GCVE-0-2026-8800)
Vulnerability from nvd – Published: 2026-07-08 19:53 – Updated: 2026-07-09 13:35
VLAI
EPSS
VEX
Title
Cross-Org External Token Metadata accessible to AuditUser role
Summary
Incorrect Authorization vulnerability in Progress MOVEit Transfer (Audit User module).
This issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress | MOVEit Transfer |
Affected:
2025.1.0 , < 2025.1.3
(semver)
Affected: 0 , < 2025.0.7 (semver) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8800",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T13:35:12.446076Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T13:35:24.535Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Users"
],
"product": "MOVEit Transfer",
"vendor": "Progress",
"versions": [
{
"lessThan": "2025.1.3",
"status": "affected",
"version": "2025.1.0",
"versionType": "semver"
},
{
"lessThan": "2025.0.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Niv Levy"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in Progress MOVEit Transfer (Audit User module).\u003cp\u003eThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in Progress MOVEit Transfer (Audit User module).\n\nThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T19:53:30.984Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2026/page/Fixed-Issues-in-2026.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cross-Org External Token Metadata accessible to AuditUser role",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-8800",
"datePublished": "2026-07-08T19:53:30.984Z",
"dateReserved": "2026-05-18T02:42:58.378Z",
"dateUpdated": "2026-07-09T13:35:24.535Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8651 (GCVE-0-2026-8651)
Vulnerability from nvd – Published: 2026-07-08 19:50 – Updated: 2026-07-09 13:32
VLAI
EPSS
VEX
Title
IPv6 Loopback Spoof via Trusted Host Header Bypasses Origin Check in MOVEit Transfer
Summary
Limited authentication bypass by spoofing vulnerability in Progress MOVEit Transfer (HTTPS module).
This issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-290 - Authentication bypass by spoofing
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress | MOVEit Transfer |
Affected:
2025.1.0 , < 2025.1.3
(semver)
Affected: 0 , < 2025.0.7 (semver) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8651",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T13:32:11.324109Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T13:32:24.568Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"HTTPS"
],
"product": "MOVEit Transfer",
"vendor": "Progress",
"versions": [
{
"lessThan": "2025.1.3",
"status": "affected",
"version": "2025.1.0",
"versionType": "semver"
},
{
"lessThan": "2025.0.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Niv Levy"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Limited authentication bypass by spoofing vulnerability in Progress MOVEit Transfer (HTTPS module).\u003cp\u003eThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.\u003c/p\u003e"
}
],
"value": "Limited authentication bypass by spoofing vulnerability in Progress MOVEit Transfer (HTTPS module).\n\nThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290 Authentication bypass by spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T19:50:43.060Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2026/page/Fixed-Issues-in-2026.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IPv6 Loopback Spoof via Trusted Host Header Bypasses Origin Check in MOVEit Transfer",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-8651",
"datePublished": "2026-07-08T19:50:43.060Z",
"dateReserved": "2026-05-15T04:28:13.929Z",
"dateUpdated": "2026-07-09T13:32:24.568Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8650 (GCVE-0-2026-8650)
Vulnerability from nvd – Published: 2026-07-08 19:47 – Updated: 2026-07-09 13:31
VLAI
EPSS
VEX
Title
Authenticated Path Traversal allows MOVEit admins to view arbitrary system files
Summary
Relative path traversal vulnerability in Progress MOVEit Transfer (Admin Settings module).
This issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.
Severity
4.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-23 - Relative path traversal
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress | MOVEit Transfer |
Affected:
2025.1.0 , < 2025.1.3
(semver)
Affected: 0 , < 2025.0.7 (semver) |
Date Public
2026-07-08 19:45
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8650",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T13:31:47.057844Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T13:31:57.971Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Admin Settings"
],
"product": "MOVEit Transfer",
"vendor": "Progress",
"versions": [
{
"lessThan": "2025.1.3",
"status": "affected",
"version": "2025.1.0",
"versionType": "semver"
},
{
"lessThan": "2025.0.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Niv Levy"
}
],
"datePublic": "2026-07-08T19:45:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Relative path traversal vulnerability in Progress MOVEit Transfer (Admin Settings module).\u003cp\u003eThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.\u003c/p\u003e"
}
],
"value": "Relative path traversal vulnerability in Progress MOVEit Transfer (Admin Settings module).\n\nThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative path traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T19:47:25.636Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2026/page/Fixed-Issues-in-2026.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authenticated Path Traversal allows MOVEit admins to view arbitrary system files",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-8650",
"datePublished": "2026-07-08T19:47:25.636Z",
"dateReserved": "2026-05-15T04:28:13.041Z",
"dateUpdated": "2026-07-09T13:31:57.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8649 (GCVE-0-2026-8649)
Vulnerability from nvd – Published: 2026-07-08 19:41 – Updated: 2026-07-09 13:29
VLAI
EPSS
VEX
Title
Institution scope bypass vulnerability in custom reports
Summary
Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules).
This issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress | MOVEit Transfer |
Affected:
2025.1.0 , < 2025.1.3
(semver)
Affected: 0 , < 2025.0.7 (semver) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8649",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T13:28:38.467051Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T13:29:22.928Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Custom Reports"
],
"product": "MOVEit Transfer",
"vendor": "Progress",
"versions": [
{
"lessThan": "2025.1.3",
"status": "affected",
"version": "2025.1.0",
"versionType": "semver"
},
{
"lessThan": "2025.0.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Niv Levy"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules).\u003cp\u003eThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules).\n\nThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-943",
"description": "CWE-943 Improper Neutralization of Special Elements in Data Query Logic",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T19:44:22.665Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2026/page/Fixed-Issues-in-2026.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Institution scope bypass vulnerability in custom reports",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-8649",
"datePublished": "2026-07-08T19:41:40.969Z",
"dateReserved": "2026-05-15T04:28:11.755Z",
"dateUpdated": "2026-07-09T13:29:22.928Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11903 (GCVE-0-2026-11903)
Vulnerability from nvd – Published: 2026-07-08 14:19 – Updated: 2026-07-09 03:55
VLAI
EPSS
VEX
Title
Stored XSS in MOVEit Transfer Ad Hoc module
Summary
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Progress MOVEit Transfer (Ad Hoc module).
This issue affects MOVEit Transfer: from 2026.0.0 before 2026.0.1, from 2025.1.0 before 2025.1.4, from 2025.0.0 before 2025.0.8.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper neutralization of input during web page generation ('cross-site scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/MOVEit-T… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress | MOVEit Transfer |
Affected:
2026.0.0 , < 2026.0.1
(semver)
Affected: 2025.1.0 , < 2025.1.4 (semver) Affected: 2025.0.0 , < 2025.0.8 (semver) |
Date Public
2026-07-08 14:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11903",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T03:55:41.919Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Ad Hoc"
],
"product": "MOVEit Transfer",
"vendor": "Progress",
"versions": [
{
"lessThan": "2026.0.1",
"status": "affected",
"version": "2026.0.0",
"versionType": "semver"
},
{
"lessThan": "2025.1.4",
"status": "affected",
"version": "2025.1.0",
"versionType": "semver"
},
{
"lessThan": "2025.0.8",
"status": "affected",
"version": "2025.0.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-07-08T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) vulnerability in Progress MOVEit Transfer (Ad Hoc module).\u003cp\u003eThis issue affects MOVEit Transfer: from 2026.0.0 before 2026.0.1, from 2025.1.0 before 2025.1.4, from 2025.0.0 before 2025.0.8.\u003c/p\u003e"
}
],
"value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) vulnerability in Progress MOVEit Transfer (Ad Hoc module).\n\nThis issue affects MOVEit Transfer: from 2026.0.0 before 2026.0.1, from 2025.1.0 before 2025.1.4, from 2025.0.0 before 2025.0.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T14:19:16.759Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Critical-Security-Bulletin-June-2026"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored XSS in MOVEit Transfer Ad Hoc module",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-11903",
"datePublished": "2026-07-08T14:19:16.759Z",
"dateReserved": "2026-06-10T15:50:46.983Z",
"dateUpdated": "2026-07-09T03:55:41.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10699 (GCVE-0-2026-10699)
Vulnerability from nvd – Published: 2026-07-08 14:18 – Updated: 2026-07-08 15:09
VLAI
EPSS
VEX
Title
Memory leak in SFTP service can result in a denial of service in MOVEit Transfer
Summary
Missing release of memory after effective lifetime vulnerability in Progress MOVEit Transfer (Custom Reports modules).
This issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-401 - Missing release of memory after effective lifetime
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/MOVEit-T… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress | MOVEit Transfer |
Affected:
2025.0.0 , < 2025.0.8
(semver)
Affected: 2025.1.0 , < 2025.1.4 (semver) Affected: 2026.0.0 , < 2026.0.1 (semver) |
Date Public
2026-07-08 14:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10699",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T15:09:02.289312Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T15:09:09.431Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Custom Reports"
],
"product": "MOVEit Transfer",
"vendor": "Progress",
"versions": [
{
"lessThan": "2025.0.8",
"status": "affected",
"version": "2025.0.0",
"versionType": "semver"
},
{
"lessThan": "2025.1.4",
"status": "affected",
"version": "2025.1.0",
"versionType": "semver"
},
{
"lessThan": "2026.0.1",
"status": "affected",
"version": "2026.0.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-07-08T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing release of memory after effective lifetime vulnerability in Progress MOVEit Transfer (Custom Reports modules).\u003cp\u003eThis issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1.\u003c/p\u003e"
}
],
"value": "Missing release of memory after effective lifetime vulnerability in Progress MOVEit Transfer (Custom Reports modules).\n\nThis issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing release of memory after effective lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T14:18:00.255Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Critical-Security-Bulletin-June-2026"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Memory leak in SFTP service can result in a denial of service in MOVEit Transfer",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-10699",
"datePublished": "2026-07-08T14:18:00.255Z",
"dateReserved": "2026-06-02T16:42:38.825Z",
"dateUpdated": "2026-07-08T15:09:09.431Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10698 (GCVE-0-2026-10698)
Vulnerability from nvd – Published: 2026-07-08 14:16 – Updated: 2026-07-09 03:55
VLAI
EPSS
VEX
Title
Table scope bypass vulnerability in custom reports
Summary
Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules).
This issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/MOVEit-T… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress | MOVEit Transfer |
Affected:
2025.0.0 , < 2025.0.8
(semver)
Affected: 2025.1.0 , < 2025.1.4 (semver) Affected: 2026.0.0 , < 2026.0.1 (semver) |
Date Public
2026-07-08 14:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10698",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T03:55:42.859Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Custom Reports"
],
"product": "MOVEit Transfer",
"vendor": "Progress",
"versions": [
{
"lessThan": "2025.0.8",
"status": "affected",
"version": "2025.0.0",
"versionType": "semver"
},
{
"lessThan": "2025.1.4",
"status": "affected",
"version": "2025.1.0",
"versionType": "semver"
},
{
"lessThan": "2026.0.1",
"status": "affected",
"version": "2026.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mateusz Mieczkowski"
}
],
"datePublic": "2026-07-08T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules).\u003cp\u003eThis issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules).\n\nThis issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-943",
"description": "CWE-943 Improper Neutralization of Special Elements in Data Query Logic",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T14:16:25.696Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Critical-Security-Bulletin-June-2026"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Table scope bypass vulnerability in custom reports",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-10698",
"datePublished": "2026-07-08T14:16:25.696Z",
"dateReserved": "2026-06-02T16:42:37.519Z",
"dateUpdated": "2026-07-09T03:55:42.859Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9272 (GCVE-0-2026-9272)
Vulnerability from nvd – Published: 2026-07-02 14:02 – Updated: 2026-07-03 03:56
VLAI
EPSS
VEX
Title
Possibility of unintended database operations when querying data related to detected anomalies in Progress Flowmon ADS
Summary
In Progress Flowmon ADS versions prior to 12.5.6 and 13.0.5, a vulnerability exists whereby an adversary who is authenticated as a low-privileged user in the Anomaly Detection System (ADS) may send specially crafted requests that could result in unauthorized access to application data and its modification.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/Flowmon-… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | Flowmon ADS |
Affected:
Flowmon ADS 12 versions prior to 12.5.6
(custom)
Affected: Flowmon ADS 13 versions prior to 13.0.5 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9272",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-02T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T03:56:00.966Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Flowmon ADS",
"vendor": "Progress Software",
"versions": [
{
"status": "affected",
"version": "Flowmon ADS 12 versions prior to 12.5.6",
"versionType": "custom"
},
{
"status": "affected",
"version": "Flowmon ADS 13 versions prior to 13.0.5",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Progress Flowmon ADS versions prior to 12.5.6 and 13.0.5, a vulnerability exists whereby an adversary who is authenticated as a low-privileged user in the Anomaly Detection System (ADS) may send specially crafted requests that could result in unauthorized access to application data and its modification."
}
],
"value": "In Progress Flowmon ADS versions prior to 12.5.6 and 13.0.5, a vulnerability exists whereby an adversary who is authenticated as a low-privileged user in the Anomaly Detection System (ADS) may send specially crafted requests that could result in unauthorized access to application data and its modification."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T14:02:51.273Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Flowmon-CVE-2026-9272"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Possibility of unintended database operations when querying data related to detected anomalies in Progress Flowmon ADS",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-9272",
"datePublished": "2026-07-02T14:02:51.273Z",
"dateReserved": "2026-05-22T10:44:21.456Z",
"dateUpdated": "2026-07-03T03:56:00.966Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8079 (GCVE-0-2026-8079)
Vulnerability from nvd – Published: 2026-07-02 14:03 – Updated: 2026-07-03 03:56
VLAI
EPSS
VEX
Title
Unintended limited set of actions with elevated privileges may be performed during PDF generation in Progress Flowmon
Summary
In Progress Flowmon versions prior to 12.5.9 and 13.0.11, a vulnerability exists whereby an authenticated low-privileged user may craft a request during the PDF generation process that results in operations being performed with the privileges of another user, potentially leading to unauthorized access to sensitive data and unintended modifications to system configuration.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/Flowmon-… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | Flowmon |
Affected:
Flowmon 12 versions prior to 12.5.9
(custom)
Affected: Flowmon 13 versions prior to 13.0.11 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8079",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-02T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T03:56:03.186Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Flowmon",
"vendor": "Progress Software",
"versions": [
{
"status": "affected",
"version": "Flowmon 12 versions prior to 12.5.9",
"versionType": "custom"
},
{
"status": "affected",
"version": "Flowmon 13 versions prior to 13.0.11",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Progress Flowmon versions prior to 12.5.9 and 13.0.11, a vulnerability exists whereby an authenticated low-privileged user may craft a request during the PDF generation process that results in operations being performed with the privileges of another user, potentially leading to unauthorized access to sensitive data and unintended modifications to system configuration."
}
],
"value": "In Progress Flowmon versions prior to 12.5.9 and 13.0.11, a vulnerability exists whereby an authenticated low-privileged user may craft a request during the PDF generation process that results in operations being performed with the privileges of another user, potentially leading to unauthorized access to sensitive data and unintended modifications to system configuration."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T14:29:05.830Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Flowmon-CVE-2026-8079"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Unintended limited set of actions with elevated privileges may be performed during PDF generation in Progress Flowmon",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-8079",
"datePublished": "2026-07-02T14:03:36.018Z",
"dateReserved": "2026-05-07T11:23:34.754Z",
"dateUpdated": "2026-07-03T03:56:03.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7313 (GCVE-0-2026-7313)
Vulnerability from nvd – Published: 2026-06-02 13:09 – Updated: 2026-06-03 03:55
VLAI
EPSS
VEX
Title
CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity
Summary
CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 8.0.5700 to 13.3.7652 allows a remote authenticated attacker to obtain plain-text credentials used connect to Sitefinity Insight service. Successful exploitation requires active integration with Sitefinity Insight, non-default site configuration and valid back-end authorization.
Severity
8.7 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE‑522: Insufficiently Protected Credentials
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/Sitefini… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | Sitefinity |
Affected:
8.0.5700 , < 13.3.7652
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7313",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T03:55:41.806Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Sitefinity",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "13.3.7652",
"status": "affected",
"version": "8.0.5700",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE\u2011522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 8.0.5700 to 13.3.7652 allows a remote authenticated attacker to obtain plain-text credentials used connect to Sitefinity Insight service. Successful exploitation requires active integration with Sitefinity Insight, non-default site configuration and valid back-end authorization."
}
],
"value": "CWE\u2011522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 8.0.5700 to 13.3.7652 allows a remote authenticated attacker to obtain plain-text credentials used connect to Sitefinity Insight service. Successful exploitation requires active integration with Sitefinity Insight, non-default site configuration and valid back-end authorization."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE\u2011522: Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:09:46.916Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "CWE\u2011522: Insufficiently Protected Credentials in web services in Progress Sitefinity",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-7313",
"datePublished": "2026-06-02T13:09:46.916Z",
"dateReserved": "2026-04-28T12:53:37.183Z",
"dateUpdated": "2026-06-03T03:55:41.806Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7312 (GCVE-0-2026-7312)
Vulnerability from nvd – Published: 2026-06-02 13:09 – Updated: 2026-06-03 12:55
VLAI
EPSS
VEX
Title
CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity
Summary
CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 14.0.7700 to 14.4.8152, and 15.0.8200 to 15.0.8234, and 15.1.8300 to 15.1.8335, 15.2.8400 to 15.2.8441, 15.3.8500 to 15.3.8531, and 15.4.8600 to 15.4.8630 allows a remote unauthenticated attacker to obtain plain-text credentials used connect to Sitefinity Insight service. Successful exploitation requires active integration with Sitefinity Insight and non-default site configuration.
Severity
10 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE‑522: Insufficiently Protected Credentials
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/Sitefini… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | Sitefinity |
Affected:
14.0.7700 , < 14.4.8152
(custom)
Affected: 15.0.8200 , < 15.0.8234 (custom) Affected: 15.1.8300 , < 15.1.8335 (custom) Affected: 15.2.8400 , < 15.2.8441 (custom) Affected: 15.3.8500 , < 15.3.8531 (custom) Affected: 15.4.8600 , < 15.4.8630 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7312",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T03:55:43.776367Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T12:55:14.770Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Sitefinity",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "14.4.8152",
"status": "affected",
"version": "14.0.7700",
"versionType": "custom"
},
{
"lessThan": "15.0.8234",
"status": "affected",
"version": "15.0.8200",
"versionType": "custom"
},
{
"lessThan": "15.1.8335",
"status": "affected",
"version": "15.1.8300",
"versionType": "custom"
},
{
"lessThan": "15.2.8441",
"status": "affected",
"version": "15.2.8400",
"versionType": "custom"
},
{
"lessThan": "15.3.8531",
"status": "affected",
"version": "15.3.8500",
"versionType": "custom"
},
{
"lessThan": "15.4.8630",
"status": "affected",
"version": "15.4.8600",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE\u2011522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 14.0.7700 to 14.4.8152, and 15.0.8200 to 15.0.8234, and 15.1.8300 to 15.1.8335, 15.2.8400 to 15.2.8441, 15.3.8500 to 15.3.8531, and 15.4.8600 to 15.4.8630 allows a remote unauthenticated attacker to obtain plain-text credentials used connect to Sitefinity Insight service. Successful exploitation requires active integration with Sitefinity Insight and non-default site configuration."
}
],
"value": "CWE\u2011522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 14.0.7700 to 14.4.8152, and 15.0.8200 to 15.0.8234, and 15.1.8300 to 15.1.8335, 15.2.8400 to 15.2.8441, 15.3.8500 to 15.3.8531, and 15.4.8600 to 15.4.8630 allows a remote unauthenticated attacker to obtain plain-text credentials used connect to Sitefinity Insight service. Successful exploitation requires active integration with Sitefinity Insight and non-default site configuration."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE\u2011522: Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:09:06.250Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "CWE\u2011522: Insufficiently Protected Credentials in web services in Progress Sitefinity",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-7312",
"datePublished": "2026-06-02T13:09:06.250Z",
"dateReserved": "2026-04-28T12:53:06.945Z",
"dateUpdated": "2026-06-03T12:55:14.770Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7201 (GCVE-0-2026-7201)
Vulnerability from nvd – Published: 2026-06-02 13:07 – Updated: 2026-06-02 15:12
VLAI
EPSS
VEX
Title
CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity
Summary
CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account properties of other users, potentially leading to account compromise. Successful exploitation requires knowledge of values that are not generally exposed to low-privileged users.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/Sitefini… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | Sitefinity |
Affected:
15.2.8400 , < 15.2.8441
(custom)
Affected: 15.3.8500 , < 15.3.8531 (custom) Affected: 15.4.8600 , < 15.4.8630 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7201",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T15:12:20.415939Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T15:12:26.494Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Sitefinity",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "15.2.8441",
"status": "affected",
"version": "15.2.8400",
"versionType": "custom"
},
{
"lessThan": "15.3.8531",
"status": "affected",
"version": "15.3.8500",
"versionType": "custom"
},
{
"lessThan": "15.4.8630",
"status": "affected",
"version": "15.4.8600",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account properties of other users, potentially leading to account compromise. Successful exploitation requires knowledge of values that are not generally exposed to low-privileged users."
}
],
"value": "CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account properties of other users, potentially leading to account compromise. Successful exploitation requires knowledge of values that are not generally exposed to low-privileged users."
}
],
"impacts": [
{
"capecId": "CAPEC-21",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-21: Exploitation of Trusted Identifiers"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:07:36.875Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-7201",
"datePublished": "2026-06-02T13:07:36.875Z",
"dateReserved": "2026-04-27T13:52:28.344Z",
"dateUpdated": "2026-06-02T15:12:26.494Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7198 (GCVE-0-2026-7198)
Vulnerability from nvd – Published: 2026-06-02 13:06 – Updated: 2026-06-03 03:55
VLAI
EPSS
VEX
Title
CWE-284: Improper Access Control in web services in Progress Sitefinity
Summary
CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote unauthenticated attacker to access content that should be restricted, resulting in full compromise of confidentiality, integrity, and availability of affected installations.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/Sitefini… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | Sitefinity |
Affected:
15.4.8623 , < 15.4.8630
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7198",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T03:55:44.089Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Sitefinity",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "15.4.8630",
"status": "affected",
"version": "15.4.8623",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote unauthenticated attacker to access content that should be restricted, resulting in full compromise of confidentiality, integrity, and availability of affected installations."
}
],
"value": "CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote unauthenticated attacker to access content that should be restricted, resulting in full compromise of confidentiality, integrity, and availability of affected installations."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:06:32.425Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "CWE-284: Improper Access Control in web services in Progress Sitefinity",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-7198",
"datePublished": "2026-06-02T13:06:32.425Z",
"dateReserved": "2026-04-27T13:51:51.317Z",
"dateUpdated": "2026-06-03T03:55:44.089Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7195 (GCVE-0-2026-7195)
Vulnerability from nvd – Published: 2026-06-02 13:04 – Updated: 2026-06-04 03:55
VLAI
EPSS
VEX
Title
CWE-20: Improper Input Validation in web services in Progress Sitefinity
Summary
CWE-20: Improper Input Validation in web services in Progress Sitefinity 14.1.x through 14.3.x, 14.4.x before 14.4.8152, 15.0.x before 15.0.8234, 15.1.x before 15.1.8335, 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote unauthenticated attacker to compromise the integrity and confidentiality of user accounts. Successful exploitation requires user interaction and a non-default site configuration.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/Sitefini… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | Sitefinity |
Affected:
14.1.0 , < 14.4.0
(custom)
Affected: 14.4.8100 , < 14.4.8152 (custom) Affected: 15.0.8200 , < 15.0.8234 (custom) Affected: 15.1.8300 , < 15.1.8335 (custom) Affected: 15.2.8400 , < 15.2.8441 (custom) Affected: 15.3.8500 , < 15.3.8531 (custom) Affected: 15.4.8600 , < 15.4.8630 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7195",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T03:55:42.274Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Sitefinity",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "14.4.0",
"status": "affected",
"version": "14.1.0",
"versionType": "custom"
},
{
"lessThan": "14.4.8152",
"status": "affected",
"version": "14.4.8100",
"versionType": "custom"
},
{
"lessThan": "15.0.8234",
"status": "affected",
"version": "15.0.8200",
"versionType": "custom"
},
{
"lessThan": "15.1.8335",
"status": "affected",
"version": "15.1.8300",
"versionType": "custom"
},
{
"lessThan": "15.2.8441",
"status": "affected",
"version": "15.2.8400",
"versionType": "custom"
},
{
"lessThan": "15.3.8531",
"status": "affected",
"version": "15.3.8500",
"versionType": "custom"
},
{
"lessThan": "15.4.8630",
"status": "affected",
"version": "15.4.8600",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-20: Improper Input Validation in web services in Progress Sitefinity 14.1.x through 14.3.x, 14.4.x before 14.4.8152, 15.0.x before 15.0.8234, 15.1.x before 15.1.8335, 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote unauthenticated attacker to compromise the integrity and confidentiality of user accounts. Successful exploitation requires user interaction and a non-default site configuration."
}
],
"value": "CWE-20: Improper Input Validation in web services in Progress Sitefinity 14.1.x through 14.3.x, 14.4.x before 14.4.8152, 15.0.x before 15.0.8234, 15.1.x before 15.1.8335, 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote unauthenticated attacker to compromise the integrity and confidentiality of user accounts. Successful exploitation requires user interaction and a non-default site configuration."
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153: Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:04:40.341Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "CWE-20: Improper Input Validation in web services in Progress Sitefinity",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-7195",
"datePublished": "2026-06-02T13:04:40.341Z",
"dateReserved": "2026-04-27T13:49:22.749Z",
"dateUpdated": "2026-06-04T03:55:42.274Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8801 (GCVE-0-2026-8801)
Vulnerability from cvelistv5 – Published: 2026-07-08 19:56 – Updated: 2026-07-09 13:36
VLAI
EPSS
VEX
Title
File Extension Restriction Bypass in MOVEit Transfer
Summary
Path equivalence: vulnerability in Progress MOVEit Transfer (File Upload modules).
This issue affects MOVEit Transfer: before 2025.0.8, from 2025.1.0 before 2025.1.4.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-46 - Path equivalence: 'filename ' (trailing space)
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress | MOVEit Transfer |
Affected:
2025.1.0 , < 2025.1.4
(semver)
Affected: 0 , < 2025.0.8 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8801",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T13:35:50.871832Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T13:36:42.815Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"File Upload"
],
"product": "MOVEit Transfer",
"vendor": "Progress",
"versions": [
{
"lessThan": "2025.1.4",
"status": "affected",
"version": "2025.1.0",
"versionType": "semver"
},
{
"lessThan": "2025.0.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Path equivalence: vulnerability in Progress MOVEit Transfer (File Upload modules).\u003cp\u003eThis issue affects MOVEit Transfer: before 2025.0.8, from 2025.1.0 before 2025.1.4.\u003c/p\u003e"
}
],
"value": "Path equivalence: vulnerability in Progress MOVEit Transfer (File Upload modules).\n\nThis issue affects MOVEit Transfer: before 2025.0.8, from 2025.1.0 before 2025.1.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-46",
"description": "CWE-46 Path equivalence: \u0027filename \u0027 (trailing space)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T19:56:03.468Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2026/page/Fixed-Issues-in-2026.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "File Extension Restriction Bypass in MOVEit Transfer",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-8801",
"datePublished": "2026-07-08T19:56:03.468Z",
"dateReserved": "2026-05-18T02:43:00.228Z",
"dateUpdated": "2026-07-09T13:36:42.815Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8800 (GCVE-0-2026-8800)
Vulnerability from cvelistv5 – Published: 2026-07-08 19:53 – Updated: 2026-07-09 13:35
VLAI
EPSS
VEX
Title
Cross-Org External Token Metadata accessible to AuditUser role
Summary
Incorrect Authorization vulnerability in Progress MOVEit Transfer (Audit User module).
This issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress | MOVEit Transfer |
Affected:
2025.1.0 , < 2025.1.3
(semver)
Affected: 0 , < 2025.0.7 (semver) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8800",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T13:35:12.446076Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T13:35:24.535Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Users"
],
"product": "MOVEit Transfer",
"vendor": "Progress",
"versions": [
{
"lessThan": "2025.1.3",
"status": "affected",
"version": "2025.1.0",
"versionType": "semver"
},
{
"lessThan": "2025.0.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Niv Levy"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in Progress MOVEit Transfer (Audit User module).\u003cp\u003eThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in Progress MOVEit Transfer (Audit User module).\n\nThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T19:53:30.984Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2026/page/Fixed-Issues-in-2026.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cross-Org External Token Metadata accessible to AuditUser role",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-8800",
"datePublished": "2026-07-08T19:53:30.984Z",
"dateReserved": "2026-05-18T02:42:58.378Z",
"dateUpdated": "2026-07-09T13:35:24.535Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8651 (GCVE-0-2026-8651)
Vulnerability from cvelistv5 – Published: 2026-07-08 19:50 – Updated: 2026-07-09 13:32
VLAI
EPSS
VEX
Title
IPv6 Loopback Spoof via Trusted Host Header Bypasses Origin Check in MOVEit Transfer
Summary
Limited authentication bypass by spoofing vulnerability in Progress MOVEit Transfer (HTTPS module).
This issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-290 - Authentication bypass by spoofing
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress | MOVEit Transfer |
Affected:
2025.1.0 , < 2025.1.3
(semver)
Affected: 0 , < 2025.0.7 (semver) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8651",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T13:32:11.324109Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T13:32:24.568Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"HTTPS"
],
"product": "MOVEit Transfer",
"vendor": "Progress",
"versions": [
{
"lessThan": "2025.1.3",
"status": "affected",
"version": "2025.1.0",
"versionType": "semver"
},
{
"lessThan": "2025.0.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Niv Levy"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Limited authentication bypass by spoofing vulnerability in Progress MOVEit Transfer (HTTPS module).\u003cp\u003eThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.\u003c/p\u003e"
}
],
"value": "Limited authentication bypass by spoofing vulnerability in Progress MOVEit Transfer (HTTPS module).\n\nThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290 Authentication bypass by spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T19:50:43.060Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2026/page/Fixed-Issues-in-2026.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IPv6 Loopback Spoof via Trusted Host Header Bypasses Origin Check in MOVEit Transfer",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-8651",
"datePublished": "2026-07-08T19:50:43.060Z",
"dateReserved": "2026-05-15T04:28:13.929Z",
"dateUpdated": "2026-07-09T13:32:24.568Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8650 (GCVE-0-2026-8650)
Vulnerability from cvelistv5 – Published: 2026-07-08 19:47 – Updated: 2026-07-09 13:31
VLAI
EPSS
VEX
Title
Authenticated Path Traversal allows MOVEit admins to view arbitrary system files
Summary
Relative path traversal vulnerability in Progress MOVEit Transfer (Admin Settings module).
This issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.
Severity
4.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-23 - Relative path traversal
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress | MOVEit Transfer |
Affected:
2025.1.0 , < 2025.1.3
(semver)
Affected: 0 , < 2025.0.7 (semver) |
Date Public
2026-07-08 19:45
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8650",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T13:31:47.057844Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T13:31:57.971Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Admin Settings"
],
"product": "MOVEit Transfer",
"vendor": "Progress",
"versions": [
{
"lessThan": "2025.1.3",
"status": "affected",
"version": "2025.1.0",
"versionType": "semver"
},
{
"lessThan": "2025.0.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Niv Levy"
}
],
"datePublic": "2026-07-08T19:45:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Relative path traversal vulnerability in Progress MOVEit Transfer (Admin Settings module).\u003cp\u003eThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.\u003c/p\u003e"
}
],
"value": "Relative path traversal vulnerability in Progress MOVEit Transfer (Admin Settings module).\n\nThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative path traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T19:47:25.636Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2026/page/Fixed-Issues-in-2026.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authenticated Path Traversal allows MOVEit admins to view arbitrary system files",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-8650",
"datePublished": "2026-07-08T19:47:25.636Z",
"dateReserved": "2026-05-15T04:28:13.041Z",
"dateUpdated": "2026-07-09T13:31:57.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8649 (GCVE-0-2026-8649)
Vulnerability from cvelistv5 – Published: 2026-07-08 19:41 – Updated: 2026-07-09 13:29
VLAI
EPSS
VEX
Title
Institution scope bypass vulnerability in custom reports
Summary
Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules).
This issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress | MOVEit Transfer |
Affected:
2025.1.0 , < 2025.1.3
(semver)
Affected: 0 , < 2025.0.7 (semver) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8649",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T13:28:38.467051Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T13:29:22.928Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Custom Reports"
],
"product": "MOVEit Transfer",
"vendor": "Progress",
"versions": [
{
"lessThan": "2025.1.3",
"status": "affected",
"version": "2025.1.0",
"versionType": "semver"
},
{
"lessThan": "2025.0.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Niv Levy"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules).\u003cp\u003eThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules).\n\nThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-943",
"description": "CWE-943 Improper Neutralization of Special Elements in Data Query Logic",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T19:44:22.665Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2026/page/Fixed-Issues-in-2026.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Institution scope bypass vulnerability in custom reports",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-8649",
"datePublished": "2026-07-08T19:41:40.969Z",
"dateReserved": "2026-05-15T04:28:11.755Z",
"dateUpdated": "2026-07-09T13:29:22.928Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11903 (GCVE-0-2026-11903)
Vulnerability from cvelistv5 – Published: 2026-07-08 14:19 – Updated: 2026-07-09 03:55
VLAI
EPSS
VEX
Title
Stored XSS in MOVEit Transfer Ad Hoc module
Summary
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Progress MOVEit Transfer (Ad Hoc module).
This issue affects MOVEit Transfer: from 2026.0.0 before 2026.0.1, from 2025.1.0 before 2025.1.4, from 2025.0.0 before 2025.0.8.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper neutralization of input during web page generation ('cross-site scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/MOVEit-T… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress | MOVEit Transfer |
Affected:
2026.0.0 , < 2026.0.1
(semver)
Affected: 2025.1.0 , < 2025.1.4 (semver) Affected: 2025.0.0 , < 2025.0.8 (semver) |
Date Public
2026-07-08 14:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11903",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T03:55:41.919Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Ad Hoc"
],
"product": "MOVEit Transfer",
"vendor": "Progress",
"versions": [
{
"lessThan": "2026.0.1",
"status": "affected",
"version": "2026.0.0",
"versionType": "semver"
},
{
"lessThan": "2025.1.4",
"status": "affected",
"version": "2025.1.0",
"versionType": "semver"
},
{
"lessThan": "2025.0.8",
"status": "affected",
"version": "2025.0.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-07-08T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) vulnerability in Progress MOVEit Transfer (Ad Hoc module).\u003cp\u003eThis issue affects MOVEit Transfer: from 2026.0.0 before 2026.0.1, from 2025.1.0 before 2025.1.4, from 2025.0.0 before 2025.0.8.\u003c/p\u003e"
}
],
"value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) vulnerability in Progress MOVEit Transfer (Ad Hoc module).\n\nThis issue affects MOVEit Transfer: from 2026.0.0 before 2026.0.1, from 2025.1.0 before 2025.1.4, from 2025.0.0 before 2025.0.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T14:19:16.759Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Critical-Security-Bulletin-June-2026"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored XSS in MOVEit Transfer Ad Hoc module",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-11903",
"datePublished": "2026-07-08T14:19:16.759Z",
"dateReserved": "2026-06-10T15:50:46.983Z",
"dateUpdated": "2026-07-09T03:55:41.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10699 (GCVE-0-2026-10699)
Vulnerability from cvelistv5 – Published: 2026-07-08 14:18 – Updated: 2026-07-08 15:09
VLAI
EPSS
VEX
Title
Memory leak in SFTP service can result in a denial of service in MOVEit Transfer
Summary
Missing release of memory after effective lifetime vulnerability in Progress MOVEit Transfer (Custom Reports modules).
This issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-401 - Missing release of memory after effective lifetime
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/MOVEit-T… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress | MOVEit Transfer |
Affected:
2025.0.0 , < 2025.0.8
(semver)
Affected: 2025.1.0 , < 2025.1.4 (semver) Affected: 2026.0.0 , < 2026.0.1 (semver) |
Date Public
2026-07-08 14:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10699",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T15:09:02.289312Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T15:09:09.431Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Custom Reports"
],
"product": "MOVEit Transfer",
"vendor": "Progress",
"versions": [
{
"lessThan": "2025.0.8",
"status": "affected",
"version": "2025.0.0",
"versionType": "semver"
},
{
"lessThan": "2025.1.4",
"status": "affected",
"version": "2025.1.0",
"versionType": "semver"
},
{
"lessThan": "2026.0.1",
"status": "affected",
"version": "2026.0.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-07-08T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing release of memory after effective lifetime vulnerability in Progress MOVEit Transfer (Custom Reports modules).\u003cp\u003eThis issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1.\u003c/p\u003e"
}
],
"value": "Missing release of memory after effective lifetime vulnerability in Progress MOVEit Transfer (Custom Reports modules).\n\nThis issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing release of memory after effective lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T14:18:00.255Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Critical-Security-Bulletin-June-2026"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Memory leak in SFTP service can result in a denial of service in MOVEit Transfer",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-10699",
"datePublished": "2026-07-08T14:18:00.255Z",
"dateReserved": "2026-06-02T16:42:38.825Z",
"dateUpdated": "2026-07-08T15:09:09.431Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10698 (GCVE-0-2026-10698)
Vulnerability from cvelistv5 – Published: 2026-07-08 14:16 – Updated: 2026-07-09 03:55
VLAI
EPSS
VEX
Title
Table scope bypass vulnerability in custom reports
Summary
Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules).
This issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/MOVEit-T… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress | MOVEit Transfer |
Affected:
2025.0.0 , < 2025.0.8
(semver)
Affected: 2025.1.0 , < 2025.1.4 (semver) Affected: 2026.0.0 , < 2026.0.1 (semver) |
Date Public
2026-07-08 14:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10698",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T03:55:42.859Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Custom Reports"
],
"product": "MOVEit Transfer",
"vendor": "Progress",
"versions": [
{
"lessThan": "2025.0.8",
"status": "affected",
"version": "2025.0.0",
"versionType": "semver"
},
{
"lessThan": "2025.1.4",
"status": "affected",
"version": "2025.1.0",
"versionType": "semver"
},
{
"lessThan": "2026.0.1",
"status": "affected",
"version": "2026.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mateusz Mieczkowski"
}
],
"datePublic": "2026-07-08T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules).\u003cp\u003eThis issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules).\n\nThis issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-943",
"description": "CWE-943 Improper Neutralization of Special Elements in Data Query Logic",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T14:16:25.696Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Critical-Security-Bulletin-June-2026"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Table scope bypass vulnerability in custom reports",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-10698",
"datePublished": "2026-07-08T14:16:25.696Z",
"dateReserved": "2026-06-02T16:42:37.519Z",
"dateUpdated": "2026-07-09T03:55:42.859Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8079 (GCVE-0-2026-8079)
Vulnerability from cvelistv5 – Published: 2026-07-02 14:03 – Updated: 2026-07-03 03:56
VLAI
EPSS
VEX
Title
Unintended limited set of actions with elevated privileges may be performed during PDF generation in Progress Flowmon
Summary
In Progress Flowmon versions prior to 12.5.9 and 13.0.11, a vulnerability exists whereby an authenticated low-privileged user may craft a request during the PDF generation process that results in operations being performed with the privileges of another user, potentially leading to unauthorized access to sensitive data and unintended modifications to system configuration.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/Flowmon-… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | Flowmon |
Affected:
Flowmon 12 versions prior to 12.5.9
(custom)
Affected: Flowmon 13 versions prior to 13.0.11 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8079",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-02T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T03:56:03.186Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Flowmon",
"vendor": "Progress Software",
"versions": [
{
"status": "affected",
"version": "Flowmon 12 versions prior to 12.5.9",
"versionType": "custom"
},
{
"status": "affected",
"version": "Flowmon 13 versions prior to 13.0.11",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Progress Flowmon versions prior to 12.5.9 and 13.0.11, a vulnerability exists whereby an authenticated low-privileged user may craft a request during the PDF generation process that results in operations being performed with the privileges of another user, potentially leading to unauthorized access to sensitive data and unintended modifications to system configuration."
}
],
"value": "In Progress Flowmon versions prior to 12.5.9 and 13.0.11, a vulnerability exists whereby an authenticated low-privileged user may craft a request during the PDF generation process that results in operations being performed with the privileges of another user, potentially leading to unauthorized access to sensitive data and unintended modifications to system configuration."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T14:29:05.830Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Flowmon-CVE-2026-8079"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Unintended limited set of actions with elevated privileges may be performed during PDF generation in Progress Flowmon",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-8079",
"datePublished": "2026-07-02T14:03:36.018Z",
"dateReserved": "2026-05-07T11:23:34.754Z",
"dateUpdated": "2026-07-03T03:56:03.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9272 (GCVE-0-2026-9272)
Vulnerability from cvelistv5 – Published: 2026-07-02 14:02 – Updated: 2026-07-03 03:56
VLAI
EPSS
VEX
Title
Possibility of unintended database operations when querying data related to detected anomalies in Progress Flowmon ADS
Summary
In Progress Flowmon ADS versions prior to 12.5.6 and 13.0.5, a vulnerability exists whereby an adversary who is authenticated as a low-privileged user in the Anomaly Detection System (ADS) may send specially crafted requests that could result in unauthorized access to application data and its modification.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/Flowmon-… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | Flowmon ADS |
Affected:
Flowmon ADS 12 versions prior to 12.5.6
(custom)
Affected: Flowmon ADS 13 versions prior to 13.0.5 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9272",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-02T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T03:56:00.966Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Flowmon ADS",
"vendor": "Progress Software",
"versions": [
{
"status": "affected",
"version": "Flowmon ADS 12 versions prior to 12.5.6",
"versionType": "custom"
},
{
"status": "affected",
"version": "Flowmon ADS 13 versions prior to 13.0.5",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Progress Flowmon ADS versions prior to 12.5.6 and 13.0.5, a vulnerability exists whereby an adversary who is authenticated as a low-privileged user in the Anomaly Detection System (ADS) may send specially crafted requests that could result in unauthorized access to application data and its modification."
}
],
"value": "In Progress Flowmon ADS versions prior to 12.5.6 and 13.0.5, a vulnerability exists whereby an adversary who is authenticated as a low-privileged user in the Anomaly Detection System (ADS) may send specially crafted requests that could result in unauthorized access to application data and its modification."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T14:02:51.273Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Flowmon-CVE-2026-9272"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Possibility of unintended database operations when querying data related to detected anomalies in Progress Flowmon ADS",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-9272",
"datePublished": "2026-07-02T14:02:51.273Z",
"dateReserved": "2026-05-22T10:44:21.456Z",
"dateUpdated": "2026-07-03T03:56:00.966Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7313 (GCVE-0-2026-7313)
Vulnerability from cvelistv5 – Published: 2026-06-02 13:09 – Updated: 2026-06-03 03:55
VLAI
EPSS
VEX
Title
CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity
Summary
CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 8.0.5700 to 13.3.7652 allows a remote authenticated attacker to obtain plain-text credentials used connect to Sitefinity Insight service. Successful exploitation requires active integration with Sitefinity Insight, non-default site configuration and valid back-end authorization.
Severity
8.7 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE‑522: Insufficiently Protected Credentials
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/Sitefini… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | Sitefinity |
Affected:
8.0.5700 , < 13.3.7652
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7313",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T03:55:41.806Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Sitefinity",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "13.3.7652",
"status": "affected",
"version": "8.0.5700",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE\u2011522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 8.0.5700 to 13.3.7652 allows a remote authenticated attacker to obtain plain-text credentials used connect to Sitefinity Insight service. Successful exploitation requires active integration with Sitefinity Insight, non-default site configuration and valid back-end authorization."
}
],
"value": "CWE\u2011522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 8.0.5700 to 13.3.7652 allows a remote authenticated attacker to obtain plain-text credentials used connect to Sitefinity Insight service. Successful exploitation requires active integration with Sitefinity Insight, non-default site configuration and valid back-end authorization."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE\u2011522: Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:09:46.916Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "CWE\u2011522: Insufficiently Protected Credentials in web services in Progress Sitefinity",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-7313",
"datePublished": "2026-06-02T13:09:46.916Z",
"dateReserved": "2026-04-28T12:53:37.183Z",
"dateUpdated": "2026-06-03T03:55:41.806Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7312 (GCVE-0-2026-7312)
Vulnerability from cvelistv5 – Published: 2026-06-02 13:09 – Updated: 2026-06-03 12:55
VLAI
EPSS
VEX
Title
CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity
Summary
CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 14.0.7700 to 14.4.8152, and 15.0.8200 to 15.0.8234, and 15.1.8300 to 15.1.8335, 15.2.8400 to 15.2.8441, 15.3.8500 to 15.3.8531, and 15.4.8600 to 15.4.8630 allows a remote unauthenticated attacker to obtain plain-text credentials used connect to Sitefinity Insight service. Successful exploitation requires active integration with Sitefinity Insight and non-default site configuration.
Severity
10 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE‑522: Insufficiently Protected Credentials
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/Sitefini… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | Sitefinity |
Affected:
14.0.7700 , < 14.4.8152
(custom)
Affected: 15.0.8200 , < 15.0.8234 (custom) Affected: 15.1.8300 , < 15.1.8335 (custom) Affected: 15.2.8400 , < 15.2.8441 (custom) Affected: 15.3.8500 , < 15.3.8531 (custom) Affected: 15.4.8600 , < 15.4.8630 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7312",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T03:55:43.776367Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T12:55:14.770Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Sitefinity",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "14.4.8152",
"status": "affected",
"version": "14.0.7700",
"versionType": "custom"
},
{
"lessThan": "15.0.8234",
"status": "affected",
"version": "15.0.8200",
"versionType": "custom"
},
{
"lessThan": "15.1.8335",
"status": "affected",
"version": "15.1.8300",
"versionType": "custom"
},
{
"lessThan": "15.2.8441",
"status": "affected",
"version": "15.2.8400",
"versionType": "custom"
},
{
"lessThan": "15.3.8531",
"status": "affected",
"version": "15.3.8500",
"versionType": "custom"
},
{
"lessThan": "15.4.8630",
"status": "affected",
"version": "15.4.8600",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE\u2011522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 14.0.7700 to 14.4.8152, and 15.0.8200 to 15.0.8234, and 15.1.8300 to 15.1.8335, 15.2.8400 to 15.2.8441, 15.3.8500 to 15.3.8531, and 15.4.8600 to 15.4.8630 allows a remote unauthenticated attacker to obtain plain-text credentials used connect to Sitefinity Insight service. Successful exploitation requires active integration with Sitefinity Insight and non-default site configuration."
}
],
"value": "CWE\u2011522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 14.0.7700 to 14.4.8152, and 15.0.8200 to 15.0.8234, and 15.1.8300 to 15.1.8335, 15.2.8400 to 15.2.8441, 15.3.8500 to 15.3.8531, and 15.4.8600 to 15.4.8630 allows a remote unauthenticated attacker to obtain plain-text credentials used connect to Sitefinity Insight service. Successful exploitation requires active integration with Sitefinity Insight and non-default site configuration."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE\u2011522: Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:09:06.250Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "CWE\u2011522: Insufficiently Protected Credentials in web services in Progress Sitefinity",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-7312",
"datePublished": "2026-06-02T13:09:06.250Z",
"dateReserved": "2026-04-28T12:53:06.945Z",
"dateUpdated": "2026-06-03T12:55:14.770Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7201 (GCVE-0-2026-7201)
Vulnerability from cvelistv5 – Published: 2026-06-02 13:07 – Updated: 2026-06-02 15:12
VLAI
EPSS
VEX
Title
CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity
Summary
CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account properties of other users, potentially leading to account compromise. Successful exploitation requires knowledge of values that are not generally exposed to low-privileged users.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/Sitefini… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | Sitefinity |
Affected:
15.2.8400 , < 15.2.8441
(custom)
Affected: 15.3.8500 , < 15.3.8531 (custom) Affected: 15.4.8600 , < 15.4.8630 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7201",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T15:12:20.415939Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T15:12:26.494Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Sitefinity",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "15.2.8441",
"status": "affected",
"version": "15.2.8400",
"versionType": "custom"
},
{
"lessThan": "15.3.8531",
"status": "affected",
"version": "15.3.8500",
"versionType": "custom"
},
{
"lessThan": "15.4.8630",
"status": "affected",
"version": "15.4.8600",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account properties of other users, potentially leading to account compromise. Successful exploitation requires knowledge of values that are not generally exposed to low-privileged users."
}
],
"value": "CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account properties of other users, potentially leading to account compromise. Successful exploitation requires knowledge of values that are not generally exposed to low-privileged users."
}
],
"impacts": [
{
"capecId": "CAPEC-21",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-21: Exploitation of Trusted Identifiers"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:07:36.875Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-7201",
"datePublished": "2026-06-02T13:07:36.875Z",
"dateReserved": "2026-04-27T13:52:28.344Z",
"dateUpdated": "2026-06-02T15:12:26.494Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7198 (GCVE-0-2026-7198)
Vulnerability from cvelistv5 – Published: 2026-06-02 13:06 – Updated: 2026-06-03 03:55
VLAI
EPSS
VEX
Title
CWE-284: Improper Access Control in web services in Progress Sitefinity
Summary
CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote unauthenticated attacker to access content that should be restricted, resulting in full compromise of confidentiality, integrity, and availability of affected installations.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://community.progress.com/s/article/Sitefini… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software | Sitefinity |
Affected:
15.4.8623 , < 15.4.8630
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7198",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T03:55:44.089Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Sitefinity",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "15.4.8630",
"status": "affected",
"version": "15.4.8623",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote unauthenticated attacker to access content that should be restricted, resulting in full compromise of confidentiality, integrity, and availability of affected installations."
}
],
"value": "CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote unauthenticated attacker to access content that should be restricted, resulting in full compromise of confidentiality, integrity, and availability of affected installations."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:06:32.425Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "CWE-284: Improper Access Control in web services in Progress Sitefinity",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-7198",
"datePublished": "2026-06-02T13:06:32.425Z",
"dateReserved": "2026-04-27T13:51:51.317Z",
"dateUpdated": "2026-06-03T03:55:44.089Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}