MOVEit Transfer SQLi in Data Query (2025.0.0-2025.0.8,2025.1.0-2025.1.4,2026.0.0-2026.0.1)
CVE-2026-10698 Published on July 8, 2026

Table scope bypass vulnerability in custom reports
Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules). This issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2026-10698 is exploitable with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
HIGH
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Type

Improper Neutralization of Special Elements in Data Query Logic

The application generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.


Products Associated with CVE-2026-10698

Want to know whenever a new CVE is published for Progress Moveit Transfer? stack.watch will email you.

 

Affected Versions

Progress MOVEit Transfer: