CVE-2026-0972

MEDIUM 5.4

HTML Injection possible in system generated emails in Fortra's GoAnywhere MFT

CVSS Score

5.4

EPSS Score

0.0%

EPSS Percentile

9th

HTML injection is possible in system generated emails in Fortra's GoAnywhere MFT prior to 7.10.0. Note: The title, details, and description of this CVE were corrected post-publishing.

CWE	CWE-74
Vendor	fortra
Product	goanywhere mft
Published	Apr 21, 2026
Last Updated	Apr 29, 2026

Stay Ahead of the Next One

Get instant alerts for fortra goanywhere mft

Be the first to know when new medium vulnerabilities affecting fortra goanywhere mft are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

Fortra / GoAnywhere MFT

0 < 7.10.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

fortra.com: https://www.fortra.com/security/advisories/product-security/fi-2026-006 seclists.org: http://seclists.org/fulldisclosure/2026/Apr/8

Credits

🔍 Philipp Schweinzer (SBA Research) https://www.sba-research.org/