CVE-2026-0972: HTML Injection possible in system generated emails in Fortra's GoAnywhere MFT
Published Apr 21, 2026
HTML injection is possible in system generated emails in Fortra's GoAnywhere MFT prior to 7.10.0.
Note: The title, details, and description of this CVE were corrected post-publishing.
Affected Software
2 affected components
Fortra GoAnywhere MFT < 7.10.0
Fortra Goanywhere Managed File Transfer < 7.10.0
Remediation
Upgrade to patched version (7.10.0 or later).
Event History
Apr 21, 2026
CVE Published
via MITRE·02:14 PM
Data Sourced
via MITRE·02:14 PM
Remedy, Description, Severity, Weakness
Data Sourced
via NVD·03:16 PM
Description, Severity, Weakness, Affected Software
Frequently Asked Questions
1. What is the severity of CVE-2026-0972?
CVE-2026-0972 has a high severity rating due to the ease of performing brute force attacks on the SFTP service.
2. How do I fix CVE-2026-0972?
To fix CVE-2026-0972, upgrade Fortra's GoAnywhere MFT to version 7.10.0 or later.
3. What type of attack is related to CVE-2026-0972?
CVE-2026-0972 is associated with brute force attacks on the SFTP login service.
4. Which versions of GoAnywhere MFT are affected by CVE-2026-0972?
CVE-2026-0972 affects all versions of Fortra's GoAnywhere MFT prior to 7.10.0.
5. Is the SSH key configuration relevant to CVE-2026-0972?
Yes, CVE-2026-0972 specifically impacts the SFTP service when the user is configured to log in with an SSH key, as it does not enforce the login attempt limit.