MOVEit Transfer SQLi in Data Query (2025.0.0-2025.0.8,2025.1.0-2025.1.4,2026.0.0-2026.0.1)
CVE-2026-10698 Published on July 8, 2026
Table scope bypass vulnerability in custom reports
Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules).
This issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1.
Vulnerability Analysis
CVE-2026-10698 is exploitable with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
Improper Neutralization of Special Elements in Data Query Logic
The application generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
Products Associated with CVE-2026-10698
Want to know whenever a new CVE is published for Progress Moveit Transfer? stack.watch will email you.
Affected Versions
Progress MOVEit Transfer:- Version 2025.0.0 and below 2025.0.8 is affected.
- Version 2025.1.0 and below 2025.1.4 is affected.
- Version 2026.0.0 and below 2026.0.1 is affected.