CVE-2026-10698
HIGHProgress MOVEit Transfer Custom Reports - Query Logic Injection
Title source: manualDescription
Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules). This issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1.
References (1)
Core 1
Core References
Vendor Advisory vendor-advisory
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Security-Bulletin-June-2026
Scores
CVSS v3
7.2
EPSS
0.0044
EPSS Percentile
35.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-943
Status
published
Products (5)
Progress/MOVEit Transfer
2025.0.0 - 2025.0.8
Progress/MOVEit Transfer
2025.1.0 - 2025.1.4
Progress/MOVEit Transfer
2026.0.0 - 2026.0.1
progress/moveit_transfer
2026.0.0
progress/moveit_transfer
< 2024.1.8
Published
Jul 08, 2026
Tracked Since
Jul 08, 2026