MOVEit Transfer <=2025.0.6 Custom Reports SQL Injection
CVE-2026-8649 Published on July 8, 2026
Institution scope bypass vulnerability in custom reports
Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules).
This issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.
Vulnerability Analysis
CVE-2026-8649 can be exploited with network access, requires user interaction and user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
Improper Neutralization of Special Elements in Data Query Logic
The application generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
Products Associated with CVE-2026-8649
Want to know whenever a new CVE is published for Progress Moveit Transfer? stack.watch will email you.
Affected Versions
Progress MOVEit Transfer:- Version 2025.1.0 and below 2025.1.3 is affected.
- Before 2025.0.7 is affected.