Description
In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a user’s browser when the affected content is displayed.
Published: 2026-01-16
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Immediately
AI Analysis

Impact

ConnectWise PSA versions older than 2026.1 contain a stored cross‑site scripting flaw in the Time Entry Audit Trail. When a user enters a note that includes malicious script, the content is stored and later rendered without proper output encoding. If a logged‑in user views the audit trail, the script executes in that user's browser with the privileges of that user's session. This lets an adversary steal session cookies, deface the interface, or perform actions on behalf of the user, violating confidentiality and integrity. The weakness is catalogued as CWE‑79 (improper neutralization of input during web page generation, i.e. cross‑site scripting).
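The root cause named above is missing output encoding when stored notes are rendered. The following JavaScript is an added illustration, not ConnectWise code: the audit-entry shape, field names and sample notes are assumptions. It places the unencoded rendering pattern beside an encoded one and includes a check a test suite could run over rendered HTML to catch regressions.

```javascript
// Added example (not ConnectWise code). Entry shape { user, note } is assumed.

// HTML entity map for the characters that are significant in text content
// and in double- or single-quoted attribute values.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Encode a value for insertion into HTML text or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern ("before" state): the stored note is interpolated into
// markup unchanged, so any markup it contains becomes part of the page.
function renderEntryUnsafe(entry) {
  return `<tr><td>${entry.user}</td><td title="${entry.note}">${entry.note}</td></tr>`;
}

// Hardened pattern: every untrusted field is encoded for its HTML context
// before it reaches the template, so stored content is shown as text.
function renderEntrySafe(entry) {
  const user = escapeHtml(entry.user);
  const note = escapeHtml(entry.note);
  return `<tr><td>${user}</td><td title="${note}">${note}</td></tr>`;
}

// Render the whole audit trail; defaults to the hardened per-entry renderer.
function renderAuditTrail(entries, renderEntry = renderEntrySafe) {
  return `<table>${entries.map(renderEntry).join("")}</table>`;
}

// Regression check: a note containing HTML-significant characters must never
// appear verbatim in the rendered output.
function containsUnencodedMarkup(html, note) {
  return /[<>"']/.test(note) && html.includes(note);
}

// Constructed sample entries (not real audit data). The second and third
// notes carry a tag and an attribute breakout, respectively.
const SAMPLE_ENTRIES = [
  { user: "alice", note: "Reviewed ticket #42 & closed it" },
  { user: "mallory", note: '<script>document.title="x"</script>' },
  { user: "mallory", note: '" onmouseover="console.log(1)' },
];

// Count how many sample notes survive rendering unencoded.
function unencodedCount(html) {
  return SAMPLE_ENTRIES.filter((e) => containsUnencodedMarkup(html, e.note)).length;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderAuditTrail(SAMPLE_ENTRIES, renderEntryUnsafe));
  console.log("safe:  ", renderAuditTrail(SAMPLE_ENTRIES));
}
```

`escapeHtml` is sufficient for text content and quoted attribute values; a note placed into a URL, a `<script>` block or an inline event handler needs an encoder for that context instead. Encoding at render time, rather than filtering at input time, is what closes the gap the description identifies, because the stored note is left intact and only its presentation changes.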

Affected Systems

The vulnerability affects the ConnectWise Professional Service Automation product. All on‑premises installations running a release prior to 2026.1 are impacted. Cloud deployments receive automatic updates to the latest PSA version, while on‑premise users must manually apply the 2026.1 patch and keep desktop clients current.

Risk and Exploitability

With a CVSS base score of 8.7, this issue is rated high severity. The EPSS score is below 1 percent, indicating a low but non‑zero probability of exploitation, and the issue is not listed in the CISA KEV catalog. Attackers are likely to target users who have access to the audit trail feature, injecting script via the Time Entry note field and waiting for such a user to view the entry. Successful exploitation results in client‑side code execution in the victim's session, which can lead to data theft or unauthorized actions. The risk is therefore high for active users, although the low exploit probability and the absence of a known active exploit reduce the immediacy of the threat.

Generated by OpenCVE AI on April 18, 2026 at 05:46 UTC.

Remediation

Vendor Solution

Cloud: Cloud instances are automatically being updated to the latest ConnectWise PSA release.

On-premise: Apply the 2026.1 release patches and ensure all desktop clients are up to date.


OpenCVE Recommended Actions

  • Apply the 2026.1 release patches to all on‑premise ConnectWise PSA instances, ensuring the core application is updated to the latest version.
  • Update all desktop client installations to the latest on‑premise patches to prevent injection of malicious content via client‑side entry fields.
  • Restrict or audit access to the Time Entry Audit Trail, ensuring only trusted roles can view or create audit entries, and monitor for suspicious script content.

Advisories

No advisories yet.

History

Tue, 27 Jan 2026 12:30:00 +0000

Type | Values Removed | Values Added
References | |

Fri, 23 Jan 2026 17:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Connectwise professional Service Automation
CPEs | | cpe:2.3:a:connectwise:professional_service_automation:*:*:*:*:*:*:*:*
Vendors & Products | | Connectwise professional Service Automation

Mon, 19 Jan 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Connectwise; Connectwise psa
Vendors & Products | | Connectwise; Connectwise psa

Fri, 16 Jan 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 16 Jan 2026 14:00:00 +0000

Type | Values Removed | Values Added
Description | | In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a user’s browser when the affected content is displayed.
Title | | Stored XSS in Time Entry Audit Trail
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED
Assigner: ConnectWise
Published:
Updated: 2026-01-27T12:14:38.371Z
Reserved: 2026-01-07T21:31:57.230Z
Link: CVE-2026-0695

Vulnrichment

Updated: 2026-01-16T14:07:43.518Z

NVD

Status: Modified
Published: 2026-01-16T14:15:54.793
Modified: 2026-01-27T13:15:54.260
Link: CVE-2026-0695

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T06:00:08Z

Weaknesses