Improper Neutralization of Special Elements in Data Query Logic in MOVEit Transfer - CVE-2026-10698
Published: July 8, 2026
MOVEit Transfer
Detailed vulnerability description
The vulnerability allows a remote user to disclose API tokens belonging to other users in the system.
The vulnerability exists due to improper neutralization of special elements in data query logic in custom reports when executing a custom report. A remote privileged user can execute a custom report to disclose API tokens belonging to other users in the system.