Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Network-reachable web feature (AV:N/AC:L) but the Custom Reports injection requires an administrative/high-privilege account (PR:H); NoSQL injection can read, modify, and disrupt data, so C/I/A all High.
Primary rating from Vendor (progress).
CVSS VectorVendor: progress
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules).
This issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1.
AnalysisAI
Server-side NoSQL injection in Progress MOVEit Transfer (Custom Reports modules) lets an authenticated high-privilege user inject crafted query elements to read, alter, or disrupt backend data. It affects MOVEit Transfer 2025.0.x before 2025.0.8, 2025.1.x before 2025.1.4, and 2026.0.0 before 2026.0.1, with full confidentiality, integrity, and availability impact per the CVSS vector. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated, high-privilege account (CVSS PR:H) with access to the Custom Reports module - the specific feature named in the description - so this is not exploitable by anonymous or low-privilege users. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 7.2 (High) with vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - network-reachable and low-complexity, but gated behind PR:H (high privileges), which materially limits the attacker population to already-privileged/administrative accounts. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A user who already holds high privileges in MOVEit Transfer (for example a compromised administrator or malicious operator) crafts a Custom Report request containing special NoSQL query operators. The application incorporates the input into its data query without neutralization, letting the attacker return records outside their intended scope or tamper with underlying data. … |
| Remediation | Upgrade to a fixed release for your line: MOVEit Transfer 2025.0.8, 2025.1.4, or 2026.0.1 or later (Vendor-released patch: 2025.0.8 / 2025.1.4 / 2026.0.1, inferred from the 'before' boundaries in the affected-version data - confirm exact build against the vendor bulletin). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify all MOVEit Transfer instances running versions 2025.0.x (before 2025.0.8), 2025.1.x (before 2025.1.4), or 2026.0.0 (before 2026.0.1); document which custom report users hold high-privilege roles. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Moveit Transfer
View allIn Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.
Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass.0.0 be
In Progress MOVEit Transfer before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.
In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.
Path-equivalence weakness in Progress MOVEit Transfer's File Upload modules lets remote attackers bypass path-normalizat
Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Privilege Escalation.0.0 bef
In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4), SQL injection in the MOVEit Transfer web appl
In Progress MOVEit Transfer 11.1 before 11.1.3, a vulnerability has been found that could allow an attacker to sign in w
In Progress MOVEit Transfer 10.2 before 10.2.6 (2018.3), 11.0 before 11.0.4 (2019.0.4), and 11.1 before 11.1.3 (2019.1.3
In Progress MOVEit Transfer before 2020.1, a malicious user could craft and store a payload within the application. Rate
MOVEit.DMZ.WebApi.dll in Progress MOVEit Transfer 2018 SP2 before 10.2.4, 2019 before 11.0.2, and 2019.1 before 11.1.1 a
In Progress MOVEit Transfer before 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.
Same technique Nosql Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42278
GHSA-8rpj-q4gm-gm6v