CVE-2026-11903 in MOVEit Transfer
Summary
by MITRE • 07/08/2026
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Progress MOVEit Transfer (Ad Hoc module).
This issue affects MOVEit Transfer: from 2026.0.0 before 2026.0.1, from 2025.1.0 before 2025.1.4, from 2025.0.0 before 2025.0.8.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/08/2026
This cross-site scripting vulnerability in Progress MOVEit Transfer represents a critical web application security flaw that allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability specifically impacts the Ad Hoc module within the MOVEit Transfer platform, which is designed for file transfer and management operations. The issue stems from inadequate input validation and sanitization during the web page generation process, creating an opportunity for malicious actors to execute arbitrary code in the context of a victim's browser session.
The technical flaw manifests when user-supplied data is not properly escaped or filtered before being rendered in web page content. This allows attackers to inject script tags, javascript code, or other malicious payloads that get executed when legitimate users view affected pages. The vulnerability falls under CWE-79 which specifically addresses cross-site scripting flaws where input data is not adequately neutralized for the target execution context. Attackers can exploit this weakness to steal session cookies, perform unauthorized actions on behalf of users, redirect victims to malicious sites, or extract sensitive information from the application.
The operational impact of this vulnerability extends beyond simple script execution as it compromises the integrity and confidentiality of user sessions within the MOVEit Transfer environment. Organizations using affected versions face significant risk of credential theft, data exfiltration, and potential full system compromise through session hijacking attacks. The vulnerability affects multiple version ranges including 2026.0.0 through 2026.0.0, 2025.1.0 through 2025.1.3, and 2025.0.0 through 2025.0.7, indicating a widespread issue affecting various release branches of the software. This presents substantial risk to enterprises that rely on MOVEit Transfer for file management and data transfer operations.
Security mitigations should prioritize immediate patching of affected versions to address the root cause of input sanitization failures. Organizations must implement comprehensive input validation mechanisms that properly escape or filter all user-supplied content before rendering in web contexts. Network segmentation and monitoring solutions should be deployed to detect anomalous traffic patterns associated with exploitation attempts. The ATT&CK framework categorizes this vulnerability under T1566 which covers phishing techniques, as attackers often leverage XSS flaws to deliver malicious payloads through compromised web interfaces. Additional defensive measures include implementing content security policies, regular security testing of web applications, and maintaining up-to-date threat intelligence to identify potential exploitation attempts against known vulnerabilities in enterprise file transfer systems.