CVE-2026-0972

Summary

HTML injection is possible in system generated emails in Fortra's GoAnywhere MFT prior to 7.10.0.

Note: The title, details, and description of this CVE were corrected post-publishing.

Affected Software

VendorProductVersion RangeStatus
FortraGoAnywhere MFT0 < 7.10.0affected

Weaknesses

  • CWE-74: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Workarounds

Reduce access to the system.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References