Threat Advisory

MOVEit Transfer Stored XSS Vulnerability Allows Session Hijacking

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Multiple security vulnerabilities affecting MOVEit Transfer versions The flaws affect MOVEit Transfer 2024 have been identified in Progress MOVEit Transfer, a product used to move sensitive files for thousands of organizations. The overall risk/impact is considered high due to the potential for stored cross-site scripting (XSS) and session hijacking attacks. Affected version ranges include MOVEit Transfer 2024.1.8 and earlier, the 2025.0 and 2025.1 branches, and 2026.0.0.

CVE-2026-11903 (CVSS 8.0 — High): A stored XSS vulnerability in the Ad Hoc module allows an authenticated user to send a crafted message that runs in the recipient's browser, enabling session hijacking.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Multiple security vulnerabilities affecting MOVEit Transfer versions The flaws affect MOVEit Transfer 2024 have been identified in Progress MOVEit Transfer, a product used to move sensitive files for thousands of organizations. The overall risk/impact is considered high due to the potential for stored cross-site scripting (XSS) and session hijacking attacks. Affected version ranges include MOVEit Transfer 2024.1.8 and earlier, the 2025.0 and 2025.1 branches, and 2026.0.0.

CVE-2026-11903 (CVSS 8.0 — High): A stored XSS vulnerability in the Ad Hoc module allows an authenticated user to send a crafted message that runs in the recipient's browser, enabling session hijacking.[emaillocker id="1283"]

CVE-2026-10698: The flaw lives inside the software's Custom Reports modules. When a user tries to generate a report, the application fails to properly clean (or "sanitize") the text inputs. Because it does not safely handle special characters, a malicious actor can inject harmful data elements directly into the database query pipeline.

CVE-2026-10699 (CVSS 7.5 — High): An SFTP memory leak can exhaust server memory and cause a temporary denial of service. These vulnerabilities collectively present a significant risk for organizations using Progress MOVEit Transfer, particularly those in the Technology & IT sector. Administrators should prioritize patching to prevent potential attacks. These vulnerabilities collectively present a significant risk for organizations using Progress MOVEit Transfer, particularly those in the Technology & IT sector.

These vulnerabilities collectively present a significant risk for organizations using Progress MOVEit Transfer, particularly those in the Technology & IT sector.

RECOMMENDATIONS:

  • We recommend you to update Progress MOVEit Transfer to version 2026.0.1.
  • We recommend you to upgrade Progress MOVEit Transfer to version 2025.1.4, or 2025.0.8 depending on your installed branch.

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu