CVE-2026-0696

Stored XSS In Time Entry Audit Trail In ConnectWise PSA

Discovered by Petar Sever on behalf of The Missing Link Security

Vulnerability Details

In ConnectWise PSA prior to 2026.1 certain session cookies do not set the HttpOnly attribute, potentially allowing client-side scripts to access them.

Affected Versions

Before 2026.1

Fixed Versions

Fixed in: 2026.1

Acknowledgement of Country

The Missing Link acknowledges the Traditional Owners of the land where we work and live. We pay our respects to Elders past, present and emerging. We celebrate the stories, culture and traditions of Aboriginal and Torres Strait Islanders of all communities who also work and live on this land.