CVE-2026-0695

In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a user’s browser when the affected content is displayed.
Configurations

Configuration 1 (hide)

cpe:2.3:a:connectwise:professional_service_automation:*:*:*:*:*:*:*:*

History

17 Jun 2026, 10:11

Type Values Removed Values Added
Summary
  • (es) En versiones de ConnectWise PSA anteriores a 2026.1, las notas de entrada de tiempo almacenadas en la Pista de Auditoría de Entrada de Tiempo pueden ser renderizadas sin aplicar codificación de salida a cierto contenido. Bajo condiciones específicas, esto puede permitir que código de script almacenado se ejecute en el contexto del navegador de un usuario cuando el contenido afectado se muestra.

27 Jan 2026, 13:15

Type Values Removed Values Added
References
  • () https://www.themissinglink.com.au/security-advisories/cve-2026-0695 -

23 Jan 2026, 16:47

Type Values Removed Values Added
References () https://www.connectwise.com/company/trust/security-bulletins/2026-01-15-psa-security-fix - () https://www.connectwise.com/company/trust/security-bulletins/2026-01-15-psa-security-fix - Vendor Advisory
First Time Connectwise professional Service Automation
Connectwise
CPE cpe:2.3:a:connectwise:professional_service_automation:*:*:*:*:*:*:*:*

16 Jan 2026, 14:15

Type Values Removed Values Added
New CVE

Information

Published : 2026-01-16 14:15

Updated : 2026-06-17 10:11


NVD link : CVE-2026-0695

Mitre link : CVE-2026-0695

CVE.ORG link : CVE-2026-0695


JSON object : View

Products Affected

connectwise

  • professional_service_automation
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')