CVE-2026-0695NVD

Vulnerability Summary

In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a user’s browser when the affected content is displayed.

Severity Level

HIGH(8.7)

Published Date

Jan 16, 2026

Last Modified

Jan 27, 2026

Exploitation Status

UNKNOWN

Root Weakness (CWE)

CWE-79: Cross-site Scripting (XSS) ↗

The software does not neutralize user-controllable input before it is placed in output that is used as a web page.

EPSS Score (30-Day)

Data Pending

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredLow

User InteractionRequired

ScopeChanged

ConfidentialityHigh

IntegrityHigh

AvailabilityNone

External References

https://www.connectwise.com/company/trust/security-bulletins/2026-01-15-psa-security-fix
https://www.themissinglink.com.au/security-advisories/cve-2026-0695