Improper Neutralization of Special Elements in Data Query Logic in MOVEit Transfer - CVE-2026-10698

 

Improper Neutralization of Special Elements in Data Query Logic in MOVEit Transfer - CVE-2026-10698

Published: July 8, 2026


Vulnerability identifier: #VU137154
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-10698
CWE-ID: CWE-943
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Progress Software Corporation
Affected software:
MOVEit Transfer

Detailed vulnerability description

The vulnerability allows a remote user to disclose API tokens belonging to other users in the system.

The vulnerability exists due to improper neutralization of special elements in data query logic in custom reports when executing a custom report. A remote privileged user can execute a custom report to disclose API tokens belonging to other users in the system.


How to mitigate CVE-2026-10698

Install security update from vendor's website.

Sources