惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

GbyAI
GbyAI
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Hugging Face - Blog
Hugging Face - Blog
IT之家
IT之家
Jina AI
Jina AI
Google DeepMind News
Google DeepMind News
大猫的无限游戏
大猫的无限游戏
The GitHub Blog
The GitHub Blog
腾讯CDC
L
LangChain Blog
P
Proofpoint News Feed
M
MIT News - Artificial intelligence
F
Fortinet All Blogs
量子位
Apple Machine Learning Research
Apple Machine Learning Research
Cloudbric
Cloudbric
B
Blog RSS Feed
B
Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
Vercel News
Vercel News
S
Schneier on Security
Project Zero
Project Zero
宝玉的分享
宝玉的分享
美团技术团队
MyScale Blog
MyScale Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Spread Privacy
Spread Privacy
T
Threatpost
A
Arctic Wolf
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Hacker News - Newest:
Hacker News - Newest: "LLM"
爱范儿
爱范儿
Recorded Future
Recorded Future
C
CERT Recently Published Vulnerability Notes
T
Threat Research - Cisco Blogs
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
SecWiki News
SecWiki News
H
Hacker News: Front Page
AWS News Blog
AWS News Blog
博客园_首页
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
T
Tor Project blog
C
Check Point Blog
L
Lohrmann on Cybersecurity
F
Full Disclosure
TaoSecurity Blog
TaoSecurity Blog
Google Online Security Blog
Google Online Security Blog
云风的 BLOG
云风的 BLOG
The Last Watchdog
The Last Watchdog
Martin Fowler
Martin Fowler

Full Disclosure

[NotCVE-2026-0001] Cloudflare Universal SSL CAA augmentation weakens RFC 8657 account binding — CVE-2026-14440 assigned 163 days after public no-CVE disclosure Full Disclosure: Subject: Advisory Submission: EZ Game Booster Full Disclosure: CVE-2026-56877 - Skillable SCORM userId authorisation bypass Full Disclosure: [REVIVE-SA-2026-003] Revive Adserver Vulnerabilities Full Disclosure: OPNsense XPATH Injection (CVE-2026-53582) Authentication Bypass for SafeLine SL6 and SL6+ confidentiality and anonymity leakage to third parties Full Disclosure: OpenBlow Multiple Deanonymization Vulnerabilities Site-access password exposed in web server access logs via GET query string Full Disclosure: APPLE-SA-06-29-2026-3 Safari 26.5.2 Full Disclosure: APPLE-SA-06-29-2026-2 macOS Tahoe 26.5.2 APPLE-SA-06-29-2026-1 iOS 26.5.2 and iPadOS 26.5.2 symlink following and TOCTOU in privileged upload handler allow arbitrary file write as root [KIS-2026-12] Control Web Panel <= 0.9.8.1224 (userRes) SQL Injection Vulnerability Full Disclosure: [fulldis] CVE-2026-58451 - Horde Groupware IMP path traversal vuln Full Disclosure: Samsung Galaxy Buds – Zero-Click HFP/A2DP Takeover via L2CAP Session Preemption (Vendor Response: Working as Intended) Full Disclosure: Asterisk Security Release 23.4.1 Full Disclosure: Asterisk Security Release 22.10.1 Full Disclosure: Asterisk Security Release 21.12.3 Full Disclosure: Asterisk Security Release 20.20.1 Certified Asterisk Security Release certified-22.8-cert3 Certified Asterisk Security Release certified-20.7-cert11 Zig std.http chunked reader integer overflow -> unauthenticated remote DoS Remote Kernel Stack Disclosure via MPLS Label Stack Over-read Full Disclosure: OpenBSD sppp_pap_input: PAP authentication bypass Full Disclosure: SEC Consult SA-20260618-0 :: Hardcoded Root Cloud Credentials in Application Binaries in Silver Leaf Technologies Full Disclosure: SEC Consult SA-20260617-1 :: Multiple Vulnerabilities in Quanos Content Solutions Multiple Critical Vulnerabilities in Sprecher Automation SPRECON-E-C/-E-P/-E-T3 Full Disclosure: SEC Consult SA-20260616-0 :: Broken Access Control in syracom AG Secure Login (2FA) for Atlassian Jira / Confluence APPLE-SA-06-16-2026-1 Beats Firmware Update 1B211 PHP 8.5.7 `levenshtein()` signed-integer overflow Full Disclosure: PHP 8.5.7 `dom_xml_serialization_algorithm()` stack-overflow PHP 8.5.7 `mb_substr()` 'SJIS-mac' size_t underflow PHP 8.5.7 `FILTER_SANITIZE_ENCODED` uninitialized read Cross-Tenant Authentication Bypass by Spoofing in N-able Mail Assure Multiple Vulnerabilities in Wertheim SafeController Hardware for VAULT ROOMS (Safe Deposit Locker System – Microcontroller) Multiple Critical Vulnerabilities in Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System) Local Privilege Escalation in Slate Digital Connect (macOS) Full Disclosure: SEC Consult SA-20260609-0 :: Multiple Local Privilege Escalation Vulnerabilities in Waves Audio [KIS-2026-11] Discuz! <= X5.0 (enable_disable.php) Local File Inclusion Vulnerability [KIS-2026-10] Discuz! <= X5.0 OCR-based CAPTCHA Bypass Vulnerability [KIS-2026-09] Discuz! X5.0 (UC_KEY) Cross-Context Token Reuse Vulnerability Privilege Escalation via Binary Planting in Genetec-provided RabbitMQ in multiple Genetec products [SYSS-2026-004] SAP NetWeaver SAML XML Signature Wrapping Full Disclosure: [REVIVE-SA-2026-002] Revive Adserver Vulnerabilities Full Disclosure: CyberDanube Security Research 20260528-0 four vulnerabilities — two unfixed, GHSA without a CVE Full Disclosure: Re: Dovecot Security Advisory OXDC-2026-0002 SSRF in Anthropic mcp-server-fetch and Microsoft playwright-mcp — publicly disclosed via GitHub issues Full Disclosure: [SECURITY ADVISORY] CVE-2021-21735 Full Disclosure: [SECURITY ADVISORY] CVE-2026-34474 Full Disclosure: [SECURITY ADVISORY] CVE-2026-34472 Full Disclosure: [SECURITY ADVISORY] CVE-2026-34473 Multiple vulnerabilities in Sparx Pro Cloud Server and Enterprise Architect Full Disclosure: APPLE-SA-05-13-2026-1 Safari 26.5 Full Disclosure: APPLE-SA-05-11-2026-11 visionOS 26.5 Full Disclosure: APPLE-SA-05-11-2026-10 watchOS 26.5 Full Disclosure: APPLE-SA-05-11-2026-9 tvOS 26.5 Full Disclosure: APPLE-SA-05-11-2026-8 macOS Sonoma 14.8.7 Full Disclosure: APPLE-SA-05-11-2026-7 macOS Sequoia 15.7.7 APPLE-SA-05-11-2026-5 iOS 15.8.8 and iPadOS 15.8.8 APPLE-SA-05-11-2026-4 iOS 16.7.16 and iPadOS 16.7.16 Full Disclosure: APPLE-SA-05-11-2026-3 iPadOS 17.7.11 APPLE-SA-05-11-2026-2 iOS 18.7.9 and iPadOS 18.7.9 APPLE-SA-05-11-2026-1 iOS 26.5 and iPadOS 26.5 Impersonation attacks on Edupage portal Edupage web and mobile application authorization bypass leaks PII and IBAN codes Full Disclosure: Dovecot Security Advisory OXDC-2026-0002 Arbitrary File Read and Server Side Request Forgery via XML External Entities in Lobster_pro (CVE-2024-13971) Arbitrary File Read and Server Side Request Forgery via XML External Entities in 4D Server SOAP (CVE-2024-39847) ESP-RFID-Tool v2 PRO — Full Public Disclosure DLL Hijacking in EfficientLab Controlio (cloud-based employee monitoring service) Broken Access Control in Config Endpoint in LiteLLM Exposed Private Key of X.509 Certificate in SAP HANA Cockpit & SAP HANA Database Explorer APPLE-SA-04-22-2026-2 iOS 18.7.8 and iPadOS 18.7.8 APPLE-SA-04-22-2026-1 iOS 26.4.2 and iPadOS 26.4.2 When Trusted Tools Become Attack Primitives [KIS-2026-08] SocialEngine <= 7.8.0 (get-memberall) SQL Injection Vulnerability [KIS-2026-07] SocialEngine <= 7.8.0 Blind Server-Side Request Forgery Vulnerability Full Disclosure: Trojan-Spy.Win32.Small / Remote Command Execution Full Disclosure: [IWCC 2026] CfP: 15th International Workshop on Cyber Crime Full Disclosure: CyberDanube Security Research 20260408-1 Full Disclosure: CyberDanube Security Research 20260408-0 Improper Enforcement of Locked Accounts in WebUI (SSO) in Kiuwan SAST on-premise (KOP) & cloud/SaaS Broken Access Control in Open WebUI Full Disclosure: SEC Consult SA-20260326-0 :: Local Privilege Escalation in Vienna Assistant (MacOS) 14 Third-Party Endpoints, 6 Countries, Zero User Visibility [KIS-2026-06] MetInfo CMS <= 8.1 (weixinreply.class.php) PHP Code Injection Vulnerability [CVE-2026-33691] OWASP CRS whitespace padding bypass vulnerability Full Disclosure: APPLE-SA-03-24-2026-10 Xcode 26.4 Full Disclosure: APPLE-SA-03-24-2026-9 Safari 26.4 Full Disclosure: APPLE-SA-03-24-2026-8 visionOS 26.4 Full Disclosure: APPLE-SA-03-24-2026-7 watchOS 26.4 Full Disclosure: APPLE-SA-03-24-2026-6 tvOS 26.4 Full Disclosure: APPLE-SA-03-24-2026-5 macOS Sonoma 14.8.5 Full Disclosure: APPLE-SA-03-24-2026-4 macOS Sequoia 15.7.5 Full Disclosure: APPLE-SA-03-24-2026-3 macOS Tahoe 26.4 APPLE-SA-03-24-2026-2 iOS 18.7.7 and iPadOS 18.7.7 APPLE-SA-03-24-2026-1 iOS 26.4 and iPadOS 26.4
GoAnywhere MFT Email HTML Injection
2026-04-30 · via Full Disclosure
fulldisclosure logo

Full Disclosure mailing list archives

[SBA-ADV-20251120-01] CVE-2026-0972: GoAnywhere MFT Email HTML Injection


From: SBA Research Security Advisory via Fulldisclosure <fulldisclosure () seclists org>
Date: Thu, 23 Apr 2026 20:15:13 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# GoAnywhere MFT Email HTML Injection #

Link: https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20251120-01_GoAnywhere_MFT_Email_HTML_Injection

## Vulnerability Overview ##

GoAnywhere MFT before 7.10.0 is affected by an HTML injection vulnerability
in its email templating functionality. If an attacker is able to influence
the content of a template variable, malicious HTML can be embedded into
outgoing emails generated by the application. As these messages originate
from a trusted system, the vulnerability may facilitate phishing and other
social-engineering attacks. The issue arises from insufficient HTML encoding
of untrusted input before inclusion in HTML email content.

* **Identifier**            : SBA-ADV-20251120-01
* **Type of Vulnerability** : HTML Injection
* **Software/Product Name** : [GoAnywhere MFT](https://www.goanywhere.com/products/goanywhere-mft)
* **Vendor**                : [Fortra](https://www.fortra.com/)
* **Affected Versions**     : <= 7.9.1
* **Fixed in Version**      : 7.10.0
* **CVE ID**                : CVE-2026-0972
* **CVSS Vector**           : CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
* **CVSS Base Score**       : 5.4 (Medium)

## Vendor Description ##

GoAnywhere Managed File Transfer is a comprehensive managed file transfer
solution that will manage your organization’s file transfer software,
file sharing, secure FTP, and automation needs through a single interface.

Source: <https://www.goanywhere.com/products/goanywhere-mft>

## Impact ##

Attackers can abuse the email templating functionality by injecting
malicious content into template variables, resulting in HTML injection in
outgoing emails.

## Vulnerability Description ##

It is possible to manipulate HTML emails generated via the "Send Email"
functionality if an attacker is able to control the content of a template
variable. User-supplied data inserted into the email body is not properly
HTML-encoded, and there is no option to enforce encoding for variables
during email template configuration.

![Send Email Configuration](images/send_email_configuration.png)

As a result, an attacker can inject arbitrary HTML content into outgoing
emails. Since these emails are sent by the legitimate mail server and
therefore appear to originate from a trusted sender, recipients are more
likely to trust their contents. An attacker could, for example, insert links
that redirect users to a phishing website designed to capture credentials
or other sensitive information, or to deliver further malicious content.

This vulnerability can therefore be used to conduct effective phishing or
social engineering attacks leveraging the trust relationship between the
application and its users.

## Proof of Concept ##

1. Configure an "Upload Successful" trigger: Set up an automation rule or
workflow that is triggered whenever a user uploads a file in the application
[1]. This trigger should fire on each successful upload and proceed to
execute the subsequent action.

2. Attach the "Send Email" functionality to the trigger: Add a "Send
Email" action that is executed whenever the "Upload Successful" trigger
fires. Configure this action to send an HTML email to an internal recipient
(for example, a support or operations mailbox) to notify them that a new
file has been uploaded. [2]

3. Include the uploaded filename as a variable in the email template:
In the HTML email template, insert the variable representing the uploaded
filename into the email body, for example: A new file has been uploaded:
${VARIABLE_NAME}. The email will then be sent automatically to the internal
recipient whenever a file is uploaded.

4. Upload a file with HTML special characters in the filename: Upload a file
whose filename contains HTML markup instead of a normal, benign filename. For
instance:
`Please enter your password here: <a href='evil.site'>evil.site<a>.jpg`.
Because the filename is treated as data but inserted directly into
the HTML email without encoding, the HTML tags are preserved as-is.

5. Observe the manipulated HTML content in the received confirmation
email: When the internal recipient receives the confirmation email, the
filename variable will be rendered as part of the HTML content. Instead of
displaying the raw text of the filename, the email client interprets the
injected HTML: the phishing link appears as a clickable hyperlink. This
demonstrates that attacker-controlled input can manipulate the structure
and content of outgoing HTML emails, enabling the injection of malicious
links and other HTML elements into messages that appear to come from a
trusted internal system.

## Recommended Countermeasures ##

We recommend updating to GoAnywhere MFT version 7.10.0 or later.

GoAnywhere MFT should not allow unencoded HTML special characters from
user provided sources in email output and instead apply correct encoding
according to the output context. For example, when displaying the content
within an HTML email, HTML encoding must be performed before the untrusted
data is displayed.

## Timeline ##

* `2025-10-19` Identified the vulnerability in version 7.8.3 Build 7
* `2025-12-01` First contact with Fortra support team
* `2025-12-12` Disclosed vulnerability to Fortra support team and started
               our 90 day disclosure timeline
* `2026-01-20` Vulnerability was assigned CVE-2026-0972 by Fortra
* `2026-03-18` Disclosure timeline extended due to promised fix
               with release 7.10 at the end of March
* `2026-04-07` Disclosure timeline extended again due to delayed release
* `2026-04-20` Fortra published a fix with release 7.10
* `2026-04-23` Public disclosure

## References ##

1. GoAnywhere MFT Triggers:
   <https://www.goanywhere.com/products/goanywhere-mft/automation/triggers>
2. GoAnywhere MFT Email Connectivity:
   <https://www.goanywhere.com/products/goanywhere-mft/connectivity/email>
3. Vendor Security Advisory:
   <https://www.fortra.com/security/advisories/product-security/fi-2026-006>

## Credits ##

* Philipp Schweinzer ([SBA Research](https://www.sba-research.org/))

The discovery of this vulnerability was made possible through support from
[CYSSDE](https://cyssde.eu/) and the European Union.

![CYSSDE](images/cyssde.png)
-----BEGIN PGP SIGNATURE-----

iQJPBAEBCAA5FiEEL9Wp/yZWFD9OpIt6+7iGL1j3dbIFAmnqfbcbFIAAAAAABAAO
bWFudTIsMi41KzEuMTIsMiwxAAoJEPu4hi9Y93WyzUwP/R71yiNhsJF2yZMNqxEx
wPSH2FKSSMC2AU+nV7ukYpbfK0APhq/8NLOXG6jXpmXH1F5pmWvoPdVQeGQinqef
dGH19oe7Wd+lhBEK5icO10L6NNEGyxy+gev21Kbykf6+wrMzJz+ICjpyMBdi/4zV
YaiIlprrtCtTylSTBUMV9fXqcj1HKWWtWTDObXI9JgvGh4IfYzNrV6AgfGv6GvIJ
gSKHSmVvCmd1WWQMA/JiuEBCpgCeJIXcApKK+vuxmduh4fGRnpcWc0LxCb82ny+O
/qOdYOt+nSvwEttVBARYS1d+uMYfLiiWYNZD3g84o8VAaelR9AT9NeCkOUPhEGAd
xbM9A+Y46HqdPt0mJQ81bPi938r6Xruvg3rAw4JoQSV8/VCtzWmicIiLsVZJNRdb
CVDgCX8tg8gpMlzcssmnNUrpsBolb3ovxiBVj1SXfi1c/ln6FWbvnnjNYBmkWPSg
QUK/m7ZgKFuNCqf6z8gBK7jOtK2Bv7OiMZ4s+gVEuNRYFFZOoQn9DtnWgAUcSbI5
3l0I56qPNgWqWUG3AwnP6P24x/6qjOn3jyLo5CKONd1NeGyIe1XL44Xh6I2B5hou
C4qkUGB67wNS/wQwDUuEdlo62TLGnd48N9dG8VGzw+AI9DBR0DXjFvvlLfz5cQ5q
xg2FGsgh2xDnCa3KBno+0HOr
=2+hu
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Current thread:

  • [SBA-ADV-20251120-01] CVE-2026-0972: GoAnywhere MFT Email HTML Injection SBA Research Security Advisory via Fulldisclosure (Apr 29)