CVE-2026-11903
Progress · MOVEit Transfer
A cross-site scripting (XSS) vulnerability in the Ad Hoc module of Progress MOVEit Transfer allows for improper neutralization of user input during web page generation.
Executive summary
A high-severity cross-site scripting vulnerability in Progress MOVEit Transfer exposes authenticated users to potential session hijacking and unauthorized data access.
Vulnerability
This is a Cross-Site Scripting (XSS) vulnerability located in the Ad Hoc module. An authenticated attacker can inject malicious scripts into web pages, which will execute in the context of the victim's session.
Business impact
Successful exploitation allows an attacker to execute arbitrary scripts in the browser of an authenticated user. This can lead to the theft of session tokens, unauthorized access to sensitive file transfers, or the manipulation of application data. Given the CVSS score of 8.0, this represents a significant risk to the integrity and confidentiality of data processed within the MOVEit environment.
Remediation
Immediate Action: Upgrade to the latest patched version of MOVEit Transfer as specified in the Progress security bulletin.
Proactive Monitoring: Review web server and application access logs for unusual patterns or suspicious script-related strings within Ad Hoc module request parameters.
Compensating Controls: Deploy a Web Application Firewall (WAF) with strict XSS filtering rules to inspect and sanitize incoming traffic to the Ad Hoc module.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Organizations should treat this vulnerability with high priority, given the critical nature of file transfer software. Administrators must verify their current version against the affected list and apply the relevant security updates immediately to prevent potential account compromise.