- Product: Progress MOVEit Transfer
- Vulnerabilities: 3 flaws (CVE-2026-11903, CVE-2026-10698, CVE-2026-10699)
- Highest severity: 8.0 (High · CVSSv3)
- Worst impact: Stored XSS in Ad Hoc module
- Status: No confirmed exploitation yet; patches available
- Action: Update to 2026.0.1, 2025.1.4, 2025.0.8 now
| CVE | CVSS | Type | Fixed in | Status |
|---|---|---|---|---|
| CVE-2026-11903 | 8.0 | CWE-79 | 2026.0.1, 2025.1.4, 2025.0.8 | Not exploited |
| CVE-2026-10699 | 7.5 | CWE-401 | 2025.0.8, 2025.1.4, 2026.0.1 | Not exploited |
| CVE-2026-10698 | 7.2 | CWE-943 | 2025.0.8, 2025.1.4, 2026.0.1 | Not exploited |
TL;DR
Progress released a MOVEit Transfer security bulletin on July 8, 2026. It fixes three flaws, and the top one is a stored XSS bug, CVE-2026-11903, rated CVSS 8.0. None of the three is a pre-auth remote code execution, and Progress reports no known exploitation.
Why it matters
MOVEit Transfer moves sensitive files for thousands of organizations. So attackers watch it closely. The Cl0p gang mass-exploited it in 2023, and a critical auth-bypass flaw hit it in April 2026. This round is less severe by comparison. Still, the product’s track record makes fast patching wise.
How the attacks work
The headline flaw is a stored XSS in the Ad Hoc module. An authenticated user sends a crafted message. The payload then runs in the recipient’s browser, which can enable session hijacking. A second bug, CVE-2026-10698, lets a high-privilege user read API tokens belonging to other MOVEit users. The third, CVE-2026-10699, is an SFTP memory leak. It can exhaust server memory and cause a temporary denial of service.
Affected versions
The flaws affect MOVEit Transfer 2024.1.8 and earlier, the 2025.0 and 2025.1 branches, and 2026.0.0. Progress lists a fixed build for each supported line.
Patch and mitigation
Upgrade now to 2026.0.1, 2025.1.4, or 2025.0.8, depending on your branch. Older 2024.x users must move to an active version first. For the exact version table, read Progress’s MOVEit Transfer security bulletin. Patching remains the only fix for this MOVEit Transfer update.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.