Skip to main content

MOVEit Transfer EUVDEUVD-2026-42278

| CVE-2026-10698 HIGH
Improper Neutralization of Special Elements in Data Query Logic (CWE-943)
2026-07-08 security@progress.com GHSA-8rpj-q4gm-gm6v
7.2
CVSS 3.1 · Vendor: progress
Share

Severity by source

Vendor (progress) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.2 HIGH

Network-reachable web feature (AV:N/AC:L) but the Custom Reports injection requires an administrative/high-privilege account (PR:H); NoSQL injection can read, modify, and disrupt data, so C/I/A all High.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (progress).

CVSS VectorVendor: progress

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jul 08, 2026 - 16:01 EUVD
Analysis Generated
Jul 08, 2026 - 15:31 vuln.today

DescriptionCVE.org

Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules).

This issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1.

AnalysisAI

Server-side NoSQL injection in Progress MOVEit Transfer (Custom Reports modules) lets an authenticated high-privilege user inject crafted query elements to read, alter, or disrupt backend data. It affects MOVEit Transfer 2025.0.x before 2025.0.8, 2025.1.x before 2025.1.4, and 2026.0.0 before 2026.0.1, with full confidentiality, integrity, and availability impact per the CVSS vector. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with high-privilege account
Delivery
Access Custom Reports module
Exploit
Inject special NoSQL query elements
Execution
Application executes tampered query
Impact
Read or alter backend data

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated, high-privilege account (CVSS PR:H) with access to the Custom Reports module - the specific feature named in the description - so this is not exploitable by anonymous or low-privilege users. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.2 (High) with vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - network-reachable and low-complexity, but gated behind PR:H (high privileges), which materially limits the attacker population to already-privileged/administrative accounts. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A user who already holds high privileges in MOVEit Transfer (for example a compromised administrator or malicious operator) crafts a Custom Report request containing special NoSQL query operators. The application incorporates the input into its data query without neutralization, letting the attacker return records outside their intended scope or tamper with underlying data. …
Remediation Upgrade to a fixed release for your line: MOVEit Transfer 2025.0.8, 2025.1.4, or 2026.0.1 or later (Vendor-released patch: 2025.0.8 / 2025.1.4 / 2026.0.1, inferred from the 'before' boundaries in the affected-version data - confirm exact build against the vendor bulletin). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all MOVEit Transfer instances running versions 2025.0.x (before 2025.0.8), 2025.1.x (before 2025.1.4), or 2026.0.0 (before 2026.0.1); document which custom report users hold high-privilege roles. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-34362 CRITICAL POC
9.8 Jun 02

In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.

CVE-2024-5806 CRITICAL POC
9.8 Jun 25

Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass.0.0 be

CVE-2023-35708 CRITICAL POC
9.8 Jun 16

In Progress MOVEit Transfer before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.

CVE-2023-36934 CRITICAL POC
9.1 Jul 05

In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.

CVE-2026-8801 CRITICAL
9.8 Jul 08

Path-equivalence weakness in Progress MOVEit Transfer's File Upload modules lets remote attackers bypass path-normalizat

CVE-2024-6576 CRITICAL
9.8 Jul 29

Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Privilege Escalation.0.0 bef

CVE-2021-38159 CRITICAL
9.8 Aug 07

In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4), SQL injection in the MOVEit Transfer web appl

CVE-2019-18465 CRITICAL
9.8 Oct 31

In Progress MOVEit Transfer 11.1 before 11.1.3, a vulnerability has been found that could allow an attacker to sign in w

CVE-2019-18464 CRITICAL
9.8 Oct 31

In Progress MOVEit Transfer 10.2 before 10.2.6 (2018.3), 11.0 before 11.0.4 (2019.0.4), and 11.1 before 11.1.3 (2019.1.3

CVE-2020-28647 MEDIUM POC
5.4 Nov 17

In Progress MOVEit Transfer before 2020.1, a malicious user could craft and store a payload within the application. Rate

CVE-2019-16383 CRITICAL POC
9.4 Sep 24

MOVEit.DMZ.WebApi.dll in Progress MOVEit Transfer 2018 SP2 before 10.2.4, 2019 before 11.0.2, and 2019.1 before 11.1.1 a

CVE-2023-35036 CRITICAL
9.1 Jun 12

In Progress MOVEit Transfer before 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.

Share

EUVD-2026-42278 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy