{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0972", "assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "state": "PUBLISHED", "assignerShortName": "Fortra", "dateReserved": "2026-01-14T23:07:29.797Z", "datePublished": "2026-04-21T14:14:38.146Z", "dateUpdated": "2026-04-22T18:55:20.563Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "shortName": "Fortra", "dateUpdated": "2026-04-22T18:55:20.563Z"}, "title": "HTML Injection possible in system generated emails in Fortra's GoAnywhere MFT", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-74", "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153 Input Data Manipulation"}]}], "affected": [{"vendor": "Fortra", "product": "GoAnywhere MFT", "versions": [{"status": "affected", "version": "0", "lessThan": "7.10.0", "versionType": "semver"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "HTML injection is possible in system generated emails in Fortra's GoAnywhere MFT prior to 7.10.0.\n\n\nNote: The title, details, and description of this CVE were corrected post-publishing.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "HTML injection is possible in system generated emails in Fortra's GoAnywhere MFT prior to 7.10.0.<div><br></div><div>Note: The title, details, and description of this CVE were corrected post-publishing.</div>"}]}], "references": [{"url": "https://www.fortra.com/security/advisories/product-security/fi-2026-006"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}}], "workarounds": [{"lang": "en", "value": "Reduce access to the system.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Reduce access to the system."}]}], "solutions": [{"lang": "en", "value": "Upgrade to patched version (7.10.0 or later).", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Upgrade to patched version (7.10.0 or later)."}]}], "credits": [{"lang": "en", "value": "Philipp Schweinzer (SBA Research) https://www.sba-research.org/", "type": "reporter"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T19:27:17.226262Z", "id": "CVE-2026-0972", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:27:23.897Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0972", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T19:27:17.226262Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:27:20.877Z"}}], "cna": {"title": "HTML Injection possible in system generated emails in Fortra's GoAnywhere MFT", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "Philipp Schweinzer (SBA Research) https://www.sba-research.org/"}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153 Input Data Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Fortra", "product": "GoAnywhere MFT", "versions": [{"status": "affected", "version": "0", "lessThan": "7.10.0", "versionType": "semver"}], "defaultStatus": "affected"}], "solutions": [{"lang": "en", "value": "Upgrade to patched version (7.10.0 or later).", "supportingMedia": [{"type": "text/html", "value": "Upgrade to patched version (7.10.0 or later).", "base64": false}]}], "references": [{"url": "https://www.fortra.com/security/advisories/product-security/fi-2026-006"}], "workarounds": [{"lang": "en", "value": "Reduce access to the system.", "supportingMedia": [{"type": "text/html", "value": "Reduce access to the system.", "base64": false}]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "HTML injection is possible in system generated emails in Fortra's GoAnywhere MFT prior to 7.10.0.\n\n\nNote: The title, details, and description of this CVE were corrected post-publishing.", "supportingMedia": [{"type": "text/html", "value": "HTML injection is possible in system generated emails in Fortra's GoAnywhere MFT prior to 7.10.0.<div><br></div><div>Note: The title, details, and description of this CVE were corrected post-publishing.</div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}], "providerMetadata": {"orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "shortName": "Fortra", "dateUpdated": "2026-04-22T18:55:20.563Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0972", "state": "PUBLISHED", "dateUpdated": "2026-04-22T18:55:20.563Z", "dateReserved": "2026-01-14T23:07:29.797Z", "assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "datePublished": "2026-04-21T14:14:38.146Z", "assignerShortName": "Fortra"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fortra:goanywhere_managed_file_transfer:*:*:*:*:*:*:*:*", "matchCriteriaId": "8EB6422D-7B12-41B3-BD42-5610C6C72524", "versionEndExcluding": "7.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "HTML injection is possible in system generated emails in Fortra's GoAnywhere MFT prior to 7.10.0.\n\n\nNote: The title, details, and description of this CVE were corrected post-publishing."}], "id": "CVE-2026-0972", "lastModified": "2026-04-23T13:47:39.003", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "type": "Secondary"}]}, "published": "2026-04-21T15:16:35.830", "references": [{"source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "tags": ["Vendor Advisory"], "url": "https://www.fortra.com/security/advisories/product-security/fi-2026-006"}], "sourceIdentifier": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.10.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "GoAnywhere MFT", "source": "cna", "vendor": "Fortra"}, "product": "goanywhere_mft", "vendor": "fortra"}], "analysis": {"en": {"generated_at": "2026-04-22T19:41:10.977615+00:00", "value": {"mitigation_remediation": ["Upgrade GoAnywhere MFT to version 7.10.0 or later to remove the HTML injection bug.", "Reduce access to the system as recommended workaround until the patch is applied or further mitigations are in place.", "Implement input validation or output encoding for email templates to prevent injection, addressing the root cause identified as CWE-74."], "summary": {"action": "Patch Immediately", "impact": "HTML Injection in system generated emails"}, "threat_synthesis": {"affected_systems": "All installations of Fortra GoAnywhere MFT older than version 7.10.0 are affected. The vulnerability exists in the email generation module and therefore any system that uses the default templating for notifications is at risk.", "description_and_impact": "HTML injection is possible in system generated emails in Fortra's GoAnywhere MFT prior to version 7.10.0. The vulnerability allows an attacker to embed arbitrary HTML content, potentially leading to phishing or malicious content being delivered via legitimate email notifications. This weakness is classified under CWE-74, which involves injection flaws that can alter the intended rendering of content.", "risk_and_exploitability": "With a CVSS score of 5.4, the vulnerability is considered moderate severity. The EPSS score is < 1%, indicating a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote network access to the system, where an attacker can trigger system-generated emails with malicious HTML content. No special privileges or prior access are required to exploit the vulnerability via the email generation process, making it straightforward for an attacker with network connectivity to the host."}}}}, "created": "2026-04-21T23:00:03.478323+00:00", "updated": "2026-04-22T19:45:25.283550+00:00", "vendors": ["fortra", "fortra$PRODUCT$goanywhere_mft"]}