Progress security advisory (AV26-552) – Update 1
Serial number: AV26-552 Date: June 5, 2026 Updated: July 2, 2026 Between June 2 and 4, 2026, Progress published security advisories to address vulnerabilities in the following products. Included was a critical update for the following: Sitefinity CMS and Sitefinity Insight – multiple versions Progress Kemp LoadMaster – version GA v7.2.63.1 and prior Progress Kemp LoadMaster - version LTSF v7.2.54.17 and prior Update 1 Open-source reporting indicates that CVE-2026-8037 is being exploited in the wild. The Cyber Centre encourages users and administrators to review the provided web link and apply the necessary updates. Sitefinity Security Advisory for Addressing Security Vulnerabilities CVE-2026-7312, CVE-2026-7198, CVE-2026-7195, CVE-2026-7201, CVE-2026-7313, May 2026 LoadMaster Critical Security Bulletin – June 2026 – (CVE-2026-8037, CVE-2026-33691) Progress Trust Center
CSIRTS triage
- What
- Critical vulnerabilities have been reported in Sitefinity CMS and LoadMaster.
- Who is affected
- Users and administrators of Sitefinity CMS and LoadMaster versions mentioned.
- Urgency
- Remediation is urgent due to the critical nature of the vulnerabilities and reports of exploitation.
- Action
- Apply the necessary updates as per the security advisories.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch Sitefinity CMS and LoadMaster
Get an email when a new Sitefinity CMS and LoadMaster advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://cyber.gc.ca/en/alerts-advisories/progress-security-advisory-av26-552
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Elevated exploitation riskCVE-2026-803729.6% 30-day exploitation probability — well above the norm. Schedule remediation this cycle. Riskier than 98% of all scored CVEs.
- Low exploitation riskCVE-2026-73120.44% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 35% of all scored CVEs.
- Low exploitation riskCVE-2026-71980.44% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 36% of all scored CVEs.
- Low exploitation riskCVE-2026-71950.47% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 37% of all scored CVEs.
- Low exploitation riskCVE-2026-72010.35% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 27% of all scored CVEs.
- Low exploitation riskCVE-2026-73130.32% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 24% of all scored CVEs.
- Moderate exploitation riskCVE-2026-336912.2% 30-day exploitation probability. Patch within normal cadence, watch for KEV listing. Riskier than 80% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-8037 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-7312 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-7198 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-7195 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-7201 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-7313 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-33691 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- critical[UPDATE] [critical] Kemp LoadMaster: Multiple vulnerabilitiescert-bund
More from Canadian Centre for Cyber Security
- unknownBitWarden security advisory (AV26-683)2026-07-10
- criticalAL25-007 - Vulnerability impacting Roundcube Webmail – CVE-2025-49113 – Update 12026-07-10
- unknownMicrosoft Edge security advisory (AV26-682)2026-07-10
- criticalBroadcom VMware security advisory (AV26-681)2026-07-10
- unknownDjango security advisory (AV26-084) – Update 12026-07-09