{"api_version":"1","generated_at":"2026-06-03T21:14:14+00:00","cve":"CVE-2026-7195","urls":{"html":"https://cve.report/CVE-2026-7195","api":"https://cve.report/api/cve/CVE-2026-7195.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-7195","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-7195"},"summary":{"title":"CWE-20: Improper Input Validation in web services in Progress Sitefinity","description":"CWE-20: Improper Input Validation in web services in Progress Sitefinity 14.1.x through 14.3.x, 14.4.x before 14.4.8152, 15.0.x before 15.0.8234, 15.1.x before 15.1.8335, 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote unauthenticated attacker to compromise the integrity and confidentiality of user accounts. Successful exploitation requires user interaction and a non-default site configuration.","state":"PUBLISHED","assigner":"ProgressSoftware","published_at":"2026-06-02 14:17:14","updated_at":"2026-06-02 14:48:39"},"problem_types":["CWE-20","CWE-20 CWE-20: Improper Input Validation"],"metrics":[{"version":"3.1","source":"security@progress.com","type":"Secondary","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026","name":"https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026","refsource":"security@progress.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-7195","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-7195","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Progress Software","product":"Sitefinity","version":"affected 14.1.0 14.4.0 custom","platforms":[]},{"source":"CNA","vendor":"Progress Software","product":"Sitefinity","version":"affected 14.4.8100 14.4.8152 custom","platforms":[]},{"source":"CNA","vendor":"Progress Software","product":"Sitefinity","version":"affected 15.0.8200 15.0.8234 custom","platforms":[]},{"source":"CNA","vendor":"Progress Software","product":"Sitefinity","version":"affected 15.1.8300 15.1.8335 custom","platforms":[]},{"source":"CNA","vendor":"Progress Software","product":"Sitefinity","version":"affected 15.2.8400 15.2.8441 custom","platforms":[]},{"source":"CNA","vendor":"Progress Software","product":"Sitefinity","version":"affected 15.3.8500 15.3.8531 custom","platforms":[]},{"source":"CNA","vendor":"Progress Software","product":"Sitefinity","version":"affected 15.4.8600 15.4.8630 custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unknown","product":"Sitefinity","vendor":"Progress Software","versions":[{"lessThan":"14.4.0","status":"affected","version":"14.1.0","versionType":"custom"},{"lessThan":"14.4.8152","status":"affected","version":"14.4.8100","versionType":"custom"},{"lessThan":"15.0.8234","status":"affected","version":"15.0.8200","versionType":"custom"},{"lessThan":"15.1.8335","status":"affected","version":"15.1.8300","versionType":"custom"},{"lessThan":"15.2.8441","status":"affected","version":"15.2.8400","versionType":"custom"},{"lessThan":"15.3.8531","status":"affected","version":"15.3.8500","versionType":"custom"},{"lessThan":"15.4.8630","status":"affected","version":"15.4.8600","versionType":"custom"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"CWE-20: Improper Input Validation in web services in Progress Sitefinity 14.1.x through 14.3.x, 14.4.x before 14.4.8152, 15.0.x before 15.0.8234, 15.1.x before 15.1.8335, 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote unauthenticated attacker to compromise the integrity and confidentiality of user accounts. Successful exploitation requires user interaction and a non-default site configuration."}],"value":"CWE-20: Improper Input Validation in web services in Progress Sitefinity 14.1.x through 14.3.x, 14.4.x before 14.4.8152, 15.0.x before 15.0.8234, 15.1.x before 15.1.8335, 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote unauthenticated attacker to compromise the integrity and confidentiality of user accounts. Successful exploitation requires user interaction and a non-default site configuration."}],"impacts":[{"capecId":"CAPEC-153","descriptions":[{"lang":"en","value":"CAPEC-153: Input Data Manipulation"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-20","description":"CWE-20: Improper Input Validation","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-02T13:04:40.341Z","orgId":"f9fea0b6-671e-4eea-8fde-31911902ae05","shortName":"ProgressSoftware"},"references":[{"tags":["vendor-advisory"],"url":"https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026"}],"source":{"discovery":"INTERNAL"},"title":"CWE-20: Improper Input Validation in web services in Progress Sitefinity","x_generator":{"engine":"Vulnogram 0.2.0"}}},"cveMetadata":{"assignerOrgId":"f9fea0b6-671e-4eea-8fde-31911902ae05","assignerShortName":"ProgressSoftware","cveId":"CVE-2026-7195","datePublished":"2026-06-02T13:04:40.341Z","dateReserved":"2026-04-27T13:49:22.749Z","dateUpdated":"2026-06-02T13:04:40.341Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-02 14:17:14","lastModifiedDate":"2026-06-02 14:48:39","problem_types":["CWE-20","CWE-20 CWE-20: Improper Input Validation"],"metrics":{"cvssMetricV31":[{"source":"security@progress.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"7195","Ordinal":"1","Title":"CWE-20: Improper Input Validation in web services in Progress Si","CVE":"CVE-2026-7195","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"7195","Ordinal":"1","NoteData":"CWE-20: Improper Input Validation in web services in Progress Sitefinity 14.1.x through 14.3.x, 14.4.x before 14.4.8152, 15.0.x before 15.0.8234, 15.1.x before 15.1.8335, 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote unauthenticated attacker to compromise the integrity and confidentiality of user accounts. Successful exploitation requires user interaction and a non-default site configuration.","Type":"Description","Title":"CWE-20: Improper Input Validation in web services in Progress Si"}]}}}