SB2026070875 - Multiple vulnerabilities in MOVEit Transfer
Published: July 8, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Memory leak (CVE-ID: CVE-2026-10699)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a temporary denial of service.
The vulnerability exists due to missing release of memory after effective lifetime in the SFTP service when handling SFTP connections. A remote attacker can consume server memory resources to cause a temporary denial of service.
The issue occurs when memory resources on the server are exhausted.
2) Improper Neutralization of Special Elements in Data Query Logic (CVE-ID: CVE-2026-10698)
CWE-ID: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose API tokens belonging to other users in the system.
The vulnerability exists due to improper neutralization of special elements in data query logic in custom reports when executing a custom report. A remote privileged user can execute a custom report to disclose API tokens belonging to other users in the system.
3) Cross-site scripting (CVE-ID: CVE-2026-11903)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in the recipient's browser.
The vulnerability exists due to cross-site scripting in the Ad Hoc module when processing crafted messages. A remote user can send a crafted message to execute arbitrary JavaScript in the recipient's browser.
Remediation
Install update from vendor's website.