CVE-2026-7195: CWE-20: Improper Input Validation in web services in Progress Sitefinity
CWE-20: Improper Input Validation in web services in Progress Sitefinity 14.1.x through 14.3.x, 14.4.x before 14.4.8152, 15.0.x before 15.0.8234, 15.1.x before 15.1.8335, 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote unauthenticated attacker to compromise the integrity and confidentiality of user accounts. Successful exploitation requires user interaction and a non-default site configuration.
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 14.4.0
- Affected Products: 1
HarborGuard Analysis
Synopsis
Improper input validation in the web services layer of Progress Sitefinity allows a remote, unauthenticated attacker to compromise user account integrity and confidentiality. The vulnerability is reachable over the network and requires a victim to interact with attacker-controlled content, along with a non-default site configuration. Successful exploitation gives an attacker read and write access to user account data. Patched-image rebuilds at versions 14.4.8152, 15.0.8234, 15.1.8335, 15.2.8441, and 14.4.0 are available on HarborGuard for environments running affected versions.
HarborGuard Coverage
Detection of CVE-2026-7195 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including internally built Sitefinity-based images. Coverage extends to custom images derived from affected base layers.
HarborGuard scores this finding at CVSS 8.8 HIGH and can weight that score against each environment's compliance policy to determine escalation priority. Triage findings can be routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
A patched-image rebuild at each fixed version (14.4.8152, 15.0.8234, 15.1.8335, 15.2.8441) becomes available on HarborGuard once the upstream fix is confirmed for an affected image. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the Sitefinity web services endpoint over the network; the service must be externally or internally accessible to initiate the attack.
- Authentication: Not required
  No credentials or account are needed; the attacker can interact with the vulnerable endpoint as an anonymous user.
- Victim interaction: Required
  A user must interact with attacker-controlled content (for example, visiting a crafted link or page) for the attack to succeed.
- Attack complexity: Low
  Exploit conditions are low-complexity and reliable once the non-default site configuration requirement is met, with no race conditions or environmental factors required.
Blast Radius
- Reads stored user account data including credentials, session tokens, or profile information.
- Modifies user account records, enabling account takeover or privilege escalation within Sitefinity.
- Compromises the confidentiality of any data scoped to affected user accounts in the CMS.
- Integrity of user-controlled content and access controls within the Sitefinity site may be altered by the attacker.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-7195 activates immediately on ingestion of the advisory, matching all images in connected registries against the affected Sitefinity version ranges (14.1.x through 14.3.x, and specific 14.4.x, 15.0.x, 15.1.x, and 15.2.x builds). Where a customer image is confirmed affected, a patched rebuild at the appropriate fix version becomes available. For customers who opt into auto-remediation, the typical flow is a rebuilt image, a regression test run, and a pull request opened against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with CVSS 8.8 HIGH scoring and recommended fix versions so engineering teams can act directly. Because exploitation requires a non-default site configuration, customers can also use HarborGuard policy rules to flag images with that configuration pattern as elevated priority pending patch application.
Fix available
- Progress Software / Sitefinity: < 14.4.0 (from 14.1.0) · < 14.4.8152 (from 14.4.8100) · < 15.0.8234 (from 15.0.8200) · < 15.1.8335 (from 15.1.8300) · < 15.2.8441 (from 15.2.8400) · < 15.3.8531 (from 15.3.8500)
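The version-range match that a scanner applies to an image inventory, written out as an added example (this is not HarborGuard's or Progress's code). The intervals are transcribed from the fix list above as [introduced, fixed) pairs; the 15.4.x interval comes from the summary ("15.4.x before 15.4.8630") with an assumed lower bound of 15.4.0, and the image inventory at the bottom is constructed sample data.

```python
"""Version-range matching for CVE-2026-7195 against a Sitefinity image inventory.

Added example, not HarborGuard's or Progress's code. Ranges are transcribed from
the advisory's "Fix available" list and summary; the inventory is constructed.
"""
from typing import Dict, List, NamedTuple, Optional, Tuple

Version = Tuple[int, ...]


class AffectedRange(NamedTuple):
    introduced: Version  # inclusive lower bound ("from")
    fixed: Version       # exclusive upper bound ("<")


def parse_version(text: str) -> Version:
    """'15.2.8441' -> (15, 2, 8441); short strings are padded so '14.4' == '14.4.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    if not parts or any(p < 0 for p in parts):
        raise ValueError(f"bad version: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def format_version(v: Version) -> str:
    return ".".join(str(p) for p in v)


# [introduced, fixed) intervals as the advisory lists them.
AFFECTED_RANGES = [
    AffectedRange(parse_version("14.1.0"), parse_version("14.4.0")),
    AffectedRange(parse_version("14.4.8100"), parse_version("14.4.8152")),
    AffectedRange(parse_version("15.0.8200"), parse_version("15.0.8234")),
    AffectedRange(parse_version("15.1.8300"), parse_version("15.1.8335")),
    AffectedRange(parse_version("15.2.8400"), parse_version("15.2.8441")),
    AffectedRange(parse_version("15.3.8500"), parse_version("15.3.8531")),
    # "15.4.x before 15.4.8630" from the summary; lower bound 15.4.0 is an assumption.
    AffectedRange(parse_version("15.4.0"), parse_version("15.4.8630")),
]


def matching_range(version: str) -> Optional[AffectedRange]:
    """Return the affected interval containing `version`, or None if patched or out of range."""
    v = parse_version(version)
    for r in AFFECTED_RANGES:
        if r.introduced <= v < r.fixed:  # tuple comparison is lexicographic
            return r
    return None


def is_affected(version: str) -> bool:
    return matching_range(version) is not None


def recommended_fix(version: str) -> Optional[str]:
    """The first fixed build for the interval the version falls in."""
    r = matching_range(version)
    return format_version(r.fixed) if r else None


def scan_inventory(inventory: Dict[str, str]) -> List[dict]:
    """One finding per affected image: {image, version, fix}."""
    findings = []
    for image, version in sorted(inventory.items()):
        fix = recommended_fix(version)
        if fix is not None:
            findings.append({"image": image, "version": version, "fix": fix})
    return findings


# Constructed sample inventory (image name -> Sitefinity build it ships).
SAMPLE_INVENTORY = {
    "registry.example/cms/sitefinity:14.2": "14.2.7700",
    "registry.example/cms/sitefinity:14.4": "14.4.8152",
    "registry.example/cms/sitefinity:15.2": "15.2.8440",
    "registry.example/cms/sitefinity:15.4": "15.4.8700",
}

if __name__ == "__main__":
    for f in scan_inventory(SAMPLE_INVENTORY):
        print(f"{f['image']}: {f['version']} affected, upgrade to {f['fix']}")
```

Note that builds between 14.4.0 and 14.4.8100 fall outside every listed interval and are therefore reported as not affected; that follows the advisory's ranges as written and is worth confirming against the vendor's own bulletin before relying on it.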
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H