Every CVE whose affected-product data names Progress Sitefinity, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (24)
CVE-2026-7312 — CVSS 10.0 (critical): CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 14.0.7700 to 14.4.8152, and 15.0.8200…
CVE-2017-15883 — CVSS 9.8 (critical): Sitefinity 5.1, 5.2, 5.3, 5.4, 6.x, 7.x, 8.x, 9.x, and 10.x allow remote attackers to bypass authentication and consequently cause a denial…
CVE-2019-17392 — CVSS 9.8 (critical): Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a Forgotten Password because the HTTP Host header is mishandled.
CVE-2023-29375 — CVSS 9.8 (critical): An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2 before 14.2.7930…
CVE-2026-7198 — CVSS 9.8 (critical): CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote unauthenticated attacker…
CVE-2024-1632 — CVSS 8.8 (high): Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site's administrative area.
CVE-2026-7201 — CVSS 8.8 (high): CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before…
CVE-2017-18179 — CVSS 8.8 (high): Progress Sitefinity 9.1 uses wrap_access_token as a non-expiring authentication token that remains valid after a password change or a…
CVE-2026-7195 — CVSS 8.8 (high): CWE-20: Improper Input Validation in web services in Progress Sitefinity 14.1.x through 14.3.x, 14.4.x before 14.4.8152, 15.0.x before…
CVE-2026-7313 — CVSS 8.7 (high): CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 8.0.5700 to 13.3.7652 allows a remote…
CVE-2024-11626 — CVSS 8.4 (high): Improper Neutralization of Input During CMS Backend (adminstrative section) Web Page Generation (XSS or 'Cross-site Scripting')…
CVE-2024-11625 — CVSS 7.7 (high): Information Exposure Through an Error Message vulnerability in Progress Software Corporation Sitefinity.This issue affects Sitefinity: from…
CVE-2018-17055 — CVSS 7.5 (high): An arbitrary file upload vulnerability in Progress Sitefinity CMS versions 4.0 through 11.0 related to image uploads.
CVE-2019-7215 — CVSS 6.5 (medium): Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. It instead tries to overwrite the cookie in the browser…
CVE-2017-18178 — CVSS 6.1 (medium): Authenticate/SWT in Progress Sitefinity 9.1 has an open redirect issue in which an authentication token is sent to the redirection target…
CVE-2017-18175 — CVSS 5.4 (medium): Progress Sitefinity 9.1 has XSS via the Content Management Template Configuration (aka Templateconfiguration), as demonstrated by the src…
CVE-2023-29376 — CVSS 5.4 (medium): An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2 before 14.2.7930…
CVE-2023-27636 — CVSS 5.4 (medium): Progress Sitefinity before 15.0.0 allows XSS by authenticated users via the content form in the SF Editor.
CVE-2017-18177 — CVSS 5.4 (medium): Progress Sitefinity 9.1 has XSS via the Last name, First name, and About fields on the New User Creation Page. This is fixed in 10.1.
CVE-2017-18176 — CVSS 5.4 (medium): Progress Sitefinity 9.1 has XSS via file upload, because JavaScript code in an HTML file has the same origin as the application's own code…
CVE-2023-6784 — CVSS 4.7 (medium): A malicious user could potentially use the Sitefinity system for the distribution of phishing emails.