CVE-2026-1089
Received
Received - Intake
User-Controlled HTTP Header DNS Rebinding in GoAnywhere MFT
Publication date: 2026-04-21
Last updated on: 2026-04-23
Assigner: Fortra
Description
Description
User‑Controlled HTTP Header in Fortra's GoAnywhere MFT prior to version 7.10.0 allows attackers to trigger a DNS lookup, as well as DNS Rebinding and Information Disclosure.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fortra | goanywhere_managed_file_transfer | to 7.10.0 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Fortra's GoAnywhere MFT software versions prior to 7.10.0. It involves a user-controlled HTTP header that allows attackers to trigger a DNS lookup. This can lead to DNS Rebinding attacks and information disclosure.
How can this vulnerability impact me? :
The vulnerability can impact you by allowing attackers to perform DNS lookups and DNS Rebinding attacks, which may result in unauthorized information disclosure. This could potentially expose sensitive data or allow attackers to bypass security controls.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70