CVE-2026-1089 | THREATINT

Description

User‑Controlled HTTP Header in Fortra's GoAnywhere MFT prior to version 7.10.0 allows attackers to trigger a DNS lookup, as well as DNS Rebinding and Information Disclosure.

PUBLISHED Reserved 2026-01-16 | Published 2026-04-21 | Updated 2026-04-21 | Assigner Fortra

MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Problem types

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Product status

Default status

unaffected

Any version before 7.10.0

affected

References

www.fortra.com/...ty/advisories/product-security/fi-2026-005

cve.org (CVE-2026-1089)

nvd.nist.gov (CVE-2026-1089)

Download JSON