Skip to main content

Moveit Transfer CVE-2026-8801

| EUVDEUVD-2026-42385 CRITICAL
Path Equivalence: 'filename ' (Trailing Space) (CWE-46)
2026-07-08 security@progress.com GHSA-g7h5-mc2v-rvpm
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
3.5 LOW

Low-privilege authentication and user interaction are required; only limited file integrity impact applies with no confidentiality or availability loss.

3.1 AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Updated
Jul 09, 2026 - 19:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 09, 2026 - 19:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 09, 2026 - 19:22 vuln.today
cvss_changed
Severity Changed
Jul 09, 2026 - 19:22 NVD
LOW CRITICAL
CVSS changed
Jul 09, 2026 - 19:22 NVD
3.5 (LOW) 9.8 (CRITICAL)
Analysis Generated
Jul 08, 2026 - 21:05 vuln.today
Patch available
Jul 08, 2026 - 21:04 EUVD

DescriptionNVD

Path equivalence: vulnerability in Progress MOVEit Transfer (File Upload modules).

This issue affects MOVEit Transfer: before 2025.0.8, from 2025.1.0 before 2025.1.4.

AnalysisAI

Path-equivalence weakness in Progress MOVEit Transfer's File Upload modules lets remote attackers bypass path-normalization checks to reach or place files outside their intended scope, carrying an NVD CVSS of 9.8. It affects MOVEit Transfer before 2025.0.8 and the 2025.1.x line before 2025.1.4, and a vendor patch is available. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Recommended ActionAI

Within 24 hours: Identify all Progress MOVEit Transfer instances and document current version numbers. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-34362 CRITICAL POC
9.8 Jun 02

In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.

CVE-2024-5806 CRITICAL POC
9.8 Jun 25

Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass.0.0 be

CVE-2023-35708 CRITICAL POC
9.8 Jun 16

In Progress MOVEit Transfer before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.

CVE-2023-36934 CRITICAL POC
9.1 Jul 05

In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.

CVE-2024-6576 CRITICAL
9.8 Jul 29

Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Privilege Escalation.0.0 bef

CVE-2021-38159 CRITICAL
9.8 Aug 07

In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4), SQL injection in the MOVEit Transfer web appl

CVE-2019-18465 CRITICAL
9.8 Oct 31

In Progress MOVEit Transfer 11.1 before 11.1.3, a vulnerability has been found that could allow an attacker to sign in w

CVE-2019-18464 CRITICAL
9.8 Oct 31

In Progress MOVEit Transfer 10.2 before 10.2.6 (2018.3), 11.0 before 11.0.4 (2019.0.4), and 11.1 before 11.1.3 (2019.1.3

CVE-2020-28647 MEDIUM POC
5.4 Nov 17

In Progress MOVEit Transfer before 2020.1, a malicious user could craft and store a payload within the application. Rate

CVE-2019-16383 CRITICAL POC
9.4 Sep 24

MOVEit.DMZ.WebApi.dll in Progress MOVEit Transfer 2018 SP2 before 10.2.4, 2019 before 11.0.2, and 2019.1 before 11.1.1 a

CVE-2023-35036 CRITICAL
9.1 Jun 12

In Progress MOVEit Transfer before 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.

CVE-2020-8612 CRITICAL
9.0 Feb 14

In Progress MOVEit Transfer 2019.1 before 2019.1.4 and 2019.2 before 2019.2.1, a REST API endpoint failed to adequately

Share

CVE-2026-8801 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy