CVE-2026-1089

Published Apr 21, 2026

Last updated 3 days ago

CVSS medium 6.5

Overview

Description
User‑Controlled HTTP Header in Fortra's GoAnywhere MFT prior to version 7.10.0 allows attackers to trigger a DNS lookup, as well as DNS Rebinding and Information Disclosure.
Source
df4dee71-de3a-4139-9588-11b62fe6c0ff
NVD status
Analyzed
Products
goanywhere_managed_file_transfer

Risk scores

CVSS 3.1

Type
Secondary
Base score
6.5
Impact score
2.5
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Severity
MEDIUM

Weaknesses

df4dee71-de3a-4139-9588-11b62fe6c0ff
CWE-74

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. HTML injection is possible in system generated emails in Fortra's GoAnywhere MFT prior to 7.10.0. Note: The title, details, and description of this CVE were corrected post-publishing.CVE-2026-0972
  2. Encrypted values in Fortra's GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2.0 utilize a static IV which allows admin users to brute-force decryption of data.CVE-2025-1241
  3. The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force.CVE-2025-14362
  4. An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configured Web Users being redirected to the regular login page instead of the SAML login page.CVE-2026-0971
  5. An Improper Access Control in the SFTP service in Fortra's GoAnywhere MFT prior to version 7.9.0 allows Web Users with an Authentication Alias and a valid SSH key but limited to Password authentication for SFTP to still login using their SSH key.CVE-2025-8148

References

Sources include official advisories and independent security research.