Full Disclosure mailing list archives
[SBA-ADV-20251120-01] CVE-2026-0972: GoAnywhere MFT Email HTML Injection
From: SBA Research Security Advisory via Fulldisclosure <fulldisclosure () seclists org>
Date: Thu, 23 Apr 2026 20:15:13 +0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 # GoAnywhere MFT Email HTML Injection # Link: https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20251120-01_GoAnywhere_MFT_Email_HTML_Injection ## Vulnerability Overview ## GoAnywhere MFT before 7.10.0 is affected by an HTML injection vulnerability in its email templating functionality. If an attacker is able to influence the content of a template variable, malicious HTML can be embedded into outgoing emails generated by the application. As these messages originate from a trusted system, the vulnerability may facilitate phishing and other social-engineering attacks. The issue arises from insufficient HTML encoding of untrusted input before inclusion in HTML email content. * **Identifier** : SBA-ADV-20251120-01 * **Type of Vulnerability** : HTML Injection * **Software/Product Name** : [GoAnywhere MFT](https://www.goanywhere.com/products/goanywhere-mft) * **Vendor** : [Fortra](https://www.fortra.com/) * **Affected Versions** : <= 7.9.1 * **Fixed in Version** : 7.10.0 * **CVE ID** : CVE-2026-0972 * **CVSS Vector** : CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N * **CVSS Base Score** : 5.4 (Medium) ## Vendor Description ##
GoAnywhere Managed File Transfer is a comprehensive managed file transfer solution that will manage your organization’s file transfer software, file sharing, secure FTP, and automation needs through a single interface.
Source: <https://www.goanywhere.com/products/goanywhere-mft> ## Impact ## Attackers can abuse the email templating functionality by injecting malicious content into template variables, resulting in HTML injection in outgoing emails. ## Vulnerability Description ## It is possible to manipulate HTML emails generated via the "Send Email" functionality if an attacker is able to control the content of a template variable. User-supplied data inserted into the email body is not properly HTML-encoded, and there is no option to enforce encoding for variables during email template configuration.  As a result, an attacker can inject arbitrary HTML content into outgoing emails. Since these emails are sent by the legitimate mail server and therefore appear to originate from a trusted sender, recipients are more likely to trust their contents. An attacker could, for example, insert links that redirect users to a phishing website designed to capture credentials or other sensitive information, or to deliver further malicious content. This vulnerability can therefore be used to conduct effective phishing or social engineering attacks leveraging the trust relationship between the application and its users. ## Proof of Concept ## 1. Configure an "Upload Successful" trigger: Set up an automation rule or workflow that is triggered whenever a user uploads a file in the application [1]. This trigger should fire on each successful upload and proceed to execute the subsequent action. 2. Attach the "Send Email" functionality to the trigger: Add a "Send Email" action that is executed whenever the "Upload Successful" trigger fires. Configure this action to send an HTML email to an internal recipient (for example, a support or operations mailbox) to notify them that a new file has been uploaded. [2] 3. Include the uploaded filename as a variable in the email template: In the HTML email template, insert the variable representing the uploaded filename into the email body, for example: A new file has been uploaded: ${VARIABLE_NAME}. The email will then be sent automatically to the internal recipient whenever a file is uploaded. 4. Upload a file with HTML special characters in the filename: Upload a file whose filename contains HTML markup instead of a normal, benign filename. For instance: `Please enter your password here: <a href='evil.site'>evil.site<a>.jpg`. Because the filename is treated as data but inserted directly into the HTML email without encoding, the HTML tags are preserved as-is. 5. Observe the manipulated HTML content in the received confirmation email: When the internal recipient receives the confirmation email, the filename variable will be rendered as part of the HTML content. Instead of displaying the raw text of the filename, the email client interprets the injected HTML: the phishing link appears as a clickable hyperlink. This demonstrates that attacker-controlled input can manipulate the structure and content of outgoing HTML emails, enabling the injection of malicious links and other HTML elements into messages that appear to come from a trusted internal system. ## Recommended Countermeasures ## We recommend updating to GoAnywhere MFT version 7.10.0 or later. GoAnywhere MFT should not allow unencoded HTML special characters from user provided sources in email output and instead apply correct encoding according to the output context. For example, when displaying the content within an HTML email, HTML encoding must be performed before the untrusted data is displayed. ## Timeline ## * `2025-10-19` Identified the vulnerability in version 7.8.3 Build 7 * `2025-12-01` First contact with Fortra support team * `2025-12-12` Disclosed vulnerability to Fortra support team and started our 90 day disclosure timeline * `2026-01-20` Vulnerability was assigned CVE-2026-0972 by Fortra * `2026-03-18` Disclosure timeline extended due to promised fix with release 7.10 at the end of March * `2026-04-07` Disclosure timeline extended again due to delayed release * `2026-04-20` Fortra published a fix with release 7.10 * `2026-04-23` Public disclosure ## References ## 1. GoAnywhere MFT Triggers: <https://www.goanywhere.com/products/goanywhere-mft/automation/triggers> 2. GoAnywhere MFT Email Connectivity: <https://www.goanywhere.com/products/goanywhere-mft/connectivity/email> 3. Vendor Security Advisory: <https://www.fortra.com/security/advisories/product-security/fi-2026-006> ## Credits ## * Philipp Schweinzer ([SBA Research](https://www.sba-research.org/)) The discovery of this vulnerability was made possible through support from [CYSSDE](https://cyssde.eu/) and the European Union.  -----BEGIN PGP SIGNATURE----- iQJPBAEBCAA5FiEEL9Wp/yZWFD9OpIt6+7iGL1j3dbIFAmnqfbcbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMiwxAAoJEPu4hi9Y93WyzUwP/R71yiNhsJF2yZMNqxEx wPSH2FKSSMC2AU+nV7ukYpbfK0APhq/8NLOXG6jXpmXH1F5pmWvoPdVQeGQinqef dGH19oe7Wd+lhBEK5icO10L6NNEGyxy+gev21Kbykf6+wrMzJz+ICjpyMBdi/4zV YaiIlprrtCtTylSTBUMV9fXqcj1HKWWtWTDObXI9JgvGh4IfYzNrV6AgfGv6GvIJ gSKHSmVvCmd1WWQMA/JiuEBCpgCeJIXcApKK+vuxmduh4fGRnpcWc0LxCb82ny+O /qOdYOt+nSvwEttVBARYS1d+uMYfLiiWYNZD3g84o8VAaelR9AT9NeCkOUPhEGAd xbM9A+Y46HqdPt0mJQ81bPi938r6Xruvg3rAw4JoQSV8/VCtzWmicIiLsVZJNRdb CVDgCX8tg8gpMlzcssmnNUrpsBolb3ovxiBVj1SXfi1c/ln6FWbvnnjNYBmkWPSg QUK/m7ZgKFuNCqf6z8gBK7jOtK2Bv7OiMZ4s+gVEuNRYFFZOoQn9DtnWgAUcSbI5 3l0I56qPNgWqWUG3AwnP6P24x/6qjOn3jyLo5CKONd1NeGyIe1XL44Xh6I2B5hou C4qkUGB67wNS/wQwDUuEdlo62TLGnd48N9dG8VGzw+AI9DBR0DXjFvvlLfz5cQ5q xg2FGsgh2xDnCa3KBno+0HOr =2+hu -----END PGP SIGNATURE----- _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- [SBA-ADV-20251120-01] CVE-2026-0972: GoAnywhere MFT Email HTML Injection SBA Research Security Advisory via Fulldisclosure (Apr 29)
