{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0972", "assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "state": "PUBLISHED", "assignerShortName": "Fortra", "dateReserved": "2026-01-14T23:07:29.797Z", "datePublished": "2026-04-21T14:14:38.146Z", "dateUpdated": "2026-04-22T15:14:40.622Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "shortName": "Fortra", "dateUpdated": "2026-04-22T15:14:40.622Z"}, "title": "HTML Injection possible in system generated emails in Fortra's GoAnywhere MFT", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-74", "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153 Input Data Manipulation"}]}], "affected": [{"vendor": "Fortra", "product": "GoAnywhere MFT", "versions": [{"status": "affected", "version": "0", "lessThan": "7.10.0", "versionType": "semver"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "HTML injection is possible in system generated emails in Fortra's GoAnywhere MFT prior to 7.10.0.\n\n\nNote: The title, details, and description of this CVE were corrected post-publishing.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "HTML injection is possible in system generated emails in Fortra's GoAnywhere MFT prior to 7.10.0.<div><br></div><div>Note: The title, details, and description of this CVE were corrected post-publishing.</div>"}]}], "references": [{"url": "https://fortra.com/security/advisories/product-security/fi-2026-004"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}}], "workarounds": [{"lang": "en", "value": "Reduce access to the system.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Reduce access to the system."}]}], "solutions": [{"lang": "en", "value": "Upgrade to patched version (7.10.0 or later).", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Upgrade to patched version (7.10.0 or later)."}]}], "credits": [{"lang": "en", "value": "Philipp Schweinzer (SBA Research) https://www.sba-research.org/", "type": "reporter"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T19:27:17.226262Z", "id": "CVE-2026-0972", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:27:23.897Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0972", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T19:27:17.226262Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:27:20.877Z"}}], "cna": {"title": "GoAnywhere MFT SFTP Service Login Vulnerable to Brute Force Attack Under Certain Circumstances", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-49", "descriptions": [{"lang": "en", "value": "CAPEC-49 Password Brute Forcing"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Fortra", "product": "GoAnywhere MFT", "versions": [{"status": "affected", "version": "0", "lessThan": "7.10.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to patched version (7.10.0 or later).", "supportingMedia": [{"type": "text/html", "value": "Upgrade to patched version (7.10.0 or later).", "base64": false}]}], "references": [{"url": "https://fortra.com/security/advisories/product-security/fi-2026-004"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "The login limit is not enforced on the\u00a0SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force.", "supportingMedia": [{"type": "text/html", "value": "The login limit is not enforced on the&nbsp;SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-307", "description": "CWE-307 Improper restriction of excessive authentication attempts"}]}], "providerMetadata": {"orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "shortName": "Fortra", "dateUpdated": "2026-04-21T14:14:38.146Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0972", "state": "PUBLISHED", "dateUpdated": "2026-04-21T19:27:23.897Z", "dateReserved": "2026-01-14T23:07:29.797Z", "assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "datePublished": "2026-04-21T14:14:38.146Z", "assignerShortName": "Fortra"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The login limit is not enforced on the\u00a0SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force."}], "id": "CVE-2026-0972", "lastModified": "2026-04-21T16:20:24.180", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "type": "Secondary"}]}, "published": "2026-04-21T15:16:35.830", "references": [{"source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "url": "https://fortra.com/security/advisories/product-security/fi-2026-004"}], "sourceIdentifier": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.10.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "GoAnywhere MFT", "source": "cna", "vendor": "Fortra"}, "product": "goanywhere_mft", "vendor": "fortra"}], "analysis": {"en": {"generated_at": "2026-04-21T22:48:07.353503+00:00", "value": {"mitigation_remediation": ["Upgrade GoAnywhere MFT to version 7.10.0 or later to enforce the login limit.", "Configure an account lockout or rate\u2011limiting policy on the SFTP service to block repeated failed authentication attempts.", "Restrict SFTP access to trusted IP addresses or through a bastion host, and ensure that all SSH keys meet an acceptable length and algorithm standard."], "summary": {"action": "Patch Immediately", "impact": "Brute Force Login Vulnerability"}, "threat_synthesis": {"affected_systems": "All installations of Fortra GoAnywhere MFT older than version 7.10.0 are affected. The vulnerability exists in the SFTP service layer and therefore any web user configured to use an SSH key is at risk.", "description_and_impact": "The vulnerability allows an attacker to bypass the login attempt limit on the SFTP service of Fortra's GoAnywhere MFT when the targeted web user is configured for SSH key authentication. The lack of enforcement means a brute\u2011force attack can guess the SSH key and gain unauthorized access. This weakness is classified as CWE\u2011307, which concerns an authentication mechanism that does not properly enforce a maximum number of failed login attempts.", "risk_and_exploitability": "With a CVSS score of 7.3, the vulnerability is considered high severity. No EPSS score is currently available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote network access to the SFTP port, where an attacker can repeatedly attempt authentication using guessed SSH keys. No special privileges or prior access are required, making exploitation straightforward for attackers with network access to the host."}}}}, "created": "2026-04-21T23:00:03.478323+00:00", "updated": "2026-04-22T11:46:27.011822+00:00", "vendors": ["fortra", "fortra$PRODUCT$goanywhere_mft"]}