SB2026070875 - Multiple vulnerabilities in MOVEit Transfer



SB2026070875 - Multiple vulnerabilities in MOVEit Transfer

Published: July 8, 2026

Security Bulletin ID SB2026070875
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 33% Low 67%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 vulnerabilities.


1) Memory leak (CVE-ID: CVE-2026-10699)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a temporary denial of service.

The vulnerability exists due to missing release of memory after effective lifetime in the SFTP service when handling SFTP connections. A remote attacker can consume server memory resources to cause a temporary denial of service.

The issue occurs when memory resources on the server are exhausted.


2) Improper Neutralization of Special Elements in Data Query Logic (CVE-ID: CVE-2026-10698)

CWE-ID: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose API tokens belonging to other users in the system.

The vulnerability exists due to improper neutralization of special elements in data query logic in custom reports when executing a custom report. A remote privileged user can execute a custom report to disclose API tokens belonging to other users in the system.


3) Cross-site scripting (CVE-ID: CVE-2026-11903)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript in the recipient's browser.

The vulnerability exists due to cross-site scripting in the Ad Hoc module when processing crafted messages. A remote user can send a crafted message to execute arbitrary JavaScript in the recipient's browser.


Remediation

Install update from vendor's website.