Cross-Site Scripting Vulnerability in Progress MOVEit Transfer
CVE-2026-11903

8HIGH

Key Information:

Vendor

Progress

Vendor
CVE Published:
8 July 2026

What is CVE-2026-11903?

A cross-site scripting (XSS) vulnerability exists in Progress MOVEit Transfer's Ad Hoc module due to improper neutralization of user input during web page generation. This flaw could allow an attacker to inject malicious scripts into pages viewed by users, potentially leading to unauthorized access and data breaches. Affected versions include MOVEit Transfer 2026.0.0 prior to 2026.0.1, 2025.1.0 prior to 2025.1.4, and 2025.0.0 prior to 2025.0.8.

Affected Version(s)

MOVEit Transfer 2026.0.0 < 2026.0.1

MOVEit Transfer 2025.1.0 < 2025.1.4

MOVEit Transfer 2025.0.0 < 2025.0.8

References

CVSS V3.1

Score:
8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.