Description
HTML injection is possible in system generated emails in Fortra's GoAnywhere MFT prior to 7.10.0.


Note: The title, details, and description of this CVE were corrected post-publishing.
Published: 2026-04-21
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: HTML Injection in system generated emails
Action: Patch Immediately
AI Analysis

Impact

HTML injection is possible in system generated emails in Fortra's GoAnywhere MFT prior to version 7.10.0. The vulnerability allows an attacker to embed arbitrary HTML content, potentially leading to phishing or malicious content being delivered via legitimate email notifications. This weakness is classified under CWE-74, which involves injection flaws that can alter the intended rendering of content.

Affected Systems

All installations of Fortra GoAnywhere MFT older than version 7.10.0 are affected. The vulnerability exists in the email generation module and therefore any system that uses the default templating for notifications is at risk.

Risk and Exploitability

With a CVSS score of 5.4, the vulnerability is considered moderate severity. The EPSS score is < 1%, indicating a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote network access to the system, where an attacker can trigger system-generated emails with malicious HTML content. No special privileges or prior access are required to exploit the vulnerability via the email generation process, making it straightforward for an attacker with network connectivity to the host.

Generated by OpenCVE AI on April 22, 2026 at 19:41 UTC.

Remediation

Vendor Solution

Upgrade to patched version (7.10.0 or later).

Vendor Workaround

Reduce access to the system.

OpenCVE Recommended Actions

  • Upgrade GoAnywhere MFT to version 7.10.0 or later to remove the HTML injection bug.
  • Reduce access to the system as recommended workaround until the patch is applied or further mitigations are in place.
  • Implement input validation or output encoding for email templates to prevent injection, addressing the root cause identified as CWE-74.

Generated by OpenCVE AI on April 22, 2026 at 19:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
References

Thu, 23 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Fortra goanywhere Managed File Transfer
CPEs cpe:2.3:a:fortra:goanywhere_managed_file_transfer:*:*:*:*:*:*:*:*
Vendors & Products Fortra goanywhere Managed File Transfer

Wed, 22 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
References

Wed, 22 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
References

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-307

Wed, 22 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Description The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force. HTML injection is possible in system generated emails in Fortra's GoAnywhere MFT prior to 7.10.0. Note: The title, details, and description of this CVE were corrected post-publishing.
Title GoAnywhere MFT SFTP Service Login Vulnerable to Brute Force Attack Under Certain Circumstances HTML Injection possible in system generated emails in Fortra's GoAnywhere MFT
Weaknesses CWE-74
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

 cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Fortra
Fortra goanywhere Mft
Vendors & Products Fortra
Fortra goanywhere Mft

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force.
Title GoAnywhere MFT SFTP Service Login Vulnerable to Brute Force Attack Under Certain Circumstances
Weaknesses CWE-307
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

Fortra Goanywhere Managed File Transfer Goanywhere Mft
cve-icon MITRE

Status: PUBLISHED

Assigner: Fortra

Published:

Updated: 2026-04-29T19:32:13.201Z

Reserved: 2026-01-14T23:07:29.797Z

Link: CVE-2026-0972

cve-icon Vulnrichment

Updated: 2026-04-29T19:32:13.201Z

cve-icon NVD

Status : Modified

Published: 2026-04-21T15:16:35.830

Modified: 2026-04-29T20:16:28.760

Link: CVE-2026-0972

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T19:45:25Z

Weaknesses