汇总 Progress Software 相关全部产品的 CVE 与安全漏洞情报,包括 CVSS、EPSS、公开时间与漏洞情报数据。
已披露问题常与 SSRF、CSRF与缓冲区溢出 相关,可能在 软件部署与生产负载 场景中带来 应用崩溃与内存损坏 等暴露风险。
相关漏洞数据主要来源于公开漏洞披露与安全公告,可用于评估历史漏洞暴露面与修复优先级。
| CVE | 摘要 | 来源 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|---|
| CVE-2026-7313 | CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 8.0.5700 to 13.3.7652 allows a remote authenticated attacker to obtain plain-text credentials used connect to Sitefinity Insight service. Successful exploitation requires active integration with Sitefinity Insight, non-default site configuration and valid back-end authorization. | [email protected] | 8.7 | 0.03% | 2026-06-02 | 2026-06-04 |
| CVE-2026-7312 | CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 14.0.7700 to 14.4.8152, and 15.0.8200 to 15.0.8234, and 15.1.8300 to 15.1.8335, 15.2.8400 to 15.2.8441, 15.3.8500 to 15.3.8531, and 15.4.8600 to 15.4.8630 allows a remote unauthenticated attacker to obtain plain-text credentials used connect to Sitefinity Insight service. Successful exploitation requires active integration with Sitefinity Insight and non-default site configuration. | [email protected] | 10.0 | 0.03% | 2026-06-02 | 2026-06-04 |
| CVE-2026-7201 | CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account properties of other users, potentially leading to account compromise. Successful exploitation requires knowledge of values that are not generally exposed to low-privileged users. | [email protected] | 8.8 | 0.13% | 2026-06-02 | 2026-06-04 |
| CVE-2026-7198 | CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote unauthenticated attacker to access content that should be restricted, resulting in full compromise of confidentiality, integrity, and availability of affected installations. | [email protected] | 9.8 | 0.18% | 2026-06-02 | 2026-06-04 |
| CVE-2026-7195 | CWE-20: Improper Input Validation in web services in Progress Sitefinity 14.1.x through 14.3.x, 14.4.x before 14.4.8152, 15.0.x before 15.0.8234, 15.1.x before 15.1.8335, 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote unauthenticated attacker to compromise the integrity and confidentiality of user accounts. Successful exploitation requires user interaction and a non-default site configuration. | [email protected] | 8.8 | 0.02% | 2026-06-02 | 2026-06-04 |
| CVE-2026-8488 | Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit Automation allows Excessive Allocation. This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7. | [email protected] | 4.3 | 0.18% | 2026-05-20 | 2026-05-21 |
| CVE-2026-8487 | Incorrect default permissions vulnerability in Progress Software MOVEit Automation allows Retrieve Embedded Sensitive Data. This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7. | [email protected] | 6.5 | 0.11% | 2026-05-20 | 2026-05-21 |
| CVE-2026-8486 | Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit Automation allows Flooding. This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7. | [email protected] | 5.3 | 0.17% | 2026-05-20 | 2026-05-21 |
| CVE-2026-8485 | Uncontrolled Memory Allocation vulnerability in Progress Software MOVEit Automation allows Excessive Allocation. This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7. | [email protected] | 5.9 | 0.01% | 2026-05-20 | 2026-05-20 |
| CVE-2026-5174 | Improper input validation vulnerability in Progress Software MOVEit Automation allows Privilege Escalation. This issue affects MOVEit Automation: from 2025.1.0 before 2025.1.5, from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, versions prior to 2024.0.0. | [email protected] | 7.7 | 0.06% | 2026-04-30 | 2026-05-04 |
| CVE-2026-4670 | Authentication bypass by primary weakness vulnerability in Progress Software MOVEit Automation allows Authentication Bypass. This issue affects MOVEit Automation: from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, versions prior to 2024.0.0. | [email protected] | 9.8 | 0.21% | 2026-04-30 | 2026-05-04 |
| CVE-2026-6023 | In Progress® Telerik® UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable to insecure deserialization when restoring filter state if the state is exposed to the client. If an attacker tampers with this state, a server-side remote code execution is possible. | [email protected] | 8.1 | 0.04% | 2026-04-22 | 2026-05-05 |
| CVE-2026-6022 | In Progress® Telerik® UI for AJAX prior to 2026.1.421, RadAsyncUpload contains an uncontrolled resource consumption vulnerability that allows file uploads to exceed the configured maximum size due to missing cumulative size enforcement during chunk reassembly, leading to disk space exhaustion. | [email protected] | 7.5 | 0.11% | 2026-04-22 | 2026-05-05 |
| CVE-2026-4048 | OS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in a custom WAF rule file during the file upload process. | [email protected] | 8.4 | 0.02% | 2026-04-20 | 2026-05-01 |
| CVE-2026-3519 | OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “VS Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'aclcontrol' command | [email protected] | 8.4 | 0.03% | 2026-04-20 | 2026-05-01 |
| CVE-2026-3518 | OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'killsession' command | [email protected] | 8.4 | 0.20% | 2026-04-20 | 2026-05-01 |
| CVE-2026-3517 | OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “Geo Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'addcountry' command | [email protected] | 8.4 | 0.27% | 2026-04-20 | 2026-05-01 |
| CVE-2026-3692 | In Progress Flowmon versions prior to 12.5.8, a vulnerability exists whereby an authenticated low-privileged user may craft a request during the report generation process that results in unintended commands being executed on the server. | [email protected] | 8.7 | 0.04% | 2026-04-02 | 2026-04-07 |
| CVE-2026-2737 | A vulnerability exists in Progress Flowmon versions prior to 12.5.8 and 13.0.6, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session. | [email protected] | 8.5 | 0.00% | 2026-04-02 | 2026-04-21 |
| CVE-2026-2701 | Authenticated user can upload a malicious file to the server and execute it, which leads to remote code execution. | [email protected] | 9.1 | 1.01% | 2026-04-02 | 2026-04-21 |