Professional Service Automation
CVE-2026-0696
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values.
AnalysisAI
Professional Service Automation contains a vulnerability that allows attackers to client-side scripts access to session cookie values (CVSS 6.5).
Technical ContextAI
affects Professional Service Automation. In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
Stored cross-site scripting in ConnectWise PSA versions before 2026.1 allows authenticated users to inject malicious scr
In ConnectWise PSA versions older than 2025.9, a vulnerability exists where authenticated users could gain access to sen
Same weakness CWE-1004 – Sensitive Cookie Without 'HttpOnly' Flag
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today