CVE-2026-0972 | THREATINT

Description

HTML injection is possible in system generated emails in Fortra's GoAnywhere MFT prior to 7.10.0. Note: The title, details, and description of this CVE were corrected post-publishing.

PUBLISHED Reserved 2026-01-14 | Published 2026-04-21 | Updated 2026-04-22 | Assigner Fortra

MEDIUM: 5.4CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Problem types

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Product status

Default status

affected

Any version before 7.10.0

affected

Credits

Philipp Schweinzer (SBA Research) https://www.sba-research.org/ reporter

References

www.fortra.com/...ty/advisories/product-security/fi-2026-006

cve.org (CVE-2026-0972)

nvd.nist.gov (CVE-2026-0972)

Download JSON