SBA Security Advisory – GoAnywhere MFT Email HTML Injection (CVE-2026-0972)

Name	SBA Research Cookie
Provider	SBA Research
Purpose	Saves the settings of the visitors selected in the cookie box.
Cookie name	sba-research-cookie
Cookie runtime	1 year

Name	YouTube
Provider	YouTube
Purpose	Used to unblock YouTube content.
Privacy policy	https://policies.google.com/privacy
Host(s)	google.com
Cookie name	NID
Cookie runtime	6 months

Name	Vimeo
Provider	Vimeo
Purpose	Used to unblock Vimeo content.
Privacy policy	https://vimeo.com/privacy
Host(s)	player.vimeo.com
Cookie name	vuid
Cookie runtime	2 years

April 24, 2026

Vulnerability Overview

GoAnywhere MFT before 7.10.0 is affected by an HTML injection vulnerability in its email templating functionality. If an attacker is able to influence the content of a template variable, malicious HTML can be embedded into outgoing emails generated by the application. As these messages originate from a trusted system, the vulnerability may facilitate phishing and other social-engineering attacks. The issue arises from insufficient HTML encoding of untrusted input before inclusion in HTML email content.

Type of Vulnerability: HTML Injection
Fixed in Version: 7.10.0
CVE ID: CVE-2026-0972
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS Base Score: 5.4 (Medium)

Recommended Countermeasure

We recommend updating to GoAnywhere MFT version 7.10.0 or later.

Links

Full Security Advisory

Credits

Philipp Schweinzer (SBA Research)

The discovery of this vulnerability was made possible through support from CYSSDE and the European Union.

News