CVE-2026-11903

Summary

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Progress MOVEit Transfer (Ad Hoc module).

This issue affects MOVEit Transfer: from 2026.0.0 before 2026.0.1, from 2025.1.0 before 2025.1.4, from 2025.0.0 before 2025.0.8.

Affected Software

VendorProductVersion RangeStatus
ProgressMOVEit Transfer2026.0.0 < 2026.0.1affected
ProgressMOVEit Transfer2025.1.0 < 2025.1.4affected
ProgressMOVEit Transfer2025.0.0 < 2025.0.8affected

Weaknesses

  • CWE-79: CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References