Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
Medium

Stored XSS in ConnectWise PSA Time Entry Audit Trail notes (pre-2026.1)

IdentifiersCVE-2026-0695CWE-79· Improper Neutralization of Input…

CVE-2026-0695 is a stored cross-site scripting vulnerability in ConnectWise Professional Services Automation (PSA) affecting versions older than 2026.1. Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this allows attacker-supplied script content embedded in a Time Entry note to be stored and later executed in the context of a victim user’s browser (or PSA client rendering context) when the affected audit-trail content is displayed.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation enables execution of arbitrary script in the context of the victim’s PSA session when viewing the crafted Time Entry Audit Trail entry. This can lead to theft of sensitive data accessible to the victim, unauthorized actions performed as the victim within PSA, and (per the associated advisory context) can be chained with non-HttpOnly session cookies (CVE-2026-0696) to facilitate session hijacking/account takeover. CVSS v3.1 vector provided: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible: restrict which users/roles can create or modify Time Entry notes; review and remove suspicious Time Entry note content where feasible; apply compensating controls such as stricter Content Security Policy (if supported by the deployment) and enhanced monitoring/detection for anomalous client-side activity when users view Time Entry Audit Trail entries.

Remediation

Patch, then assume compromise.

Upgrade/patch ConnectWise PSA to 2026.1 or later (ConnectWise PSA 2026.1 updates input handling/output encoding for the affected Time Entry note rendering). Ensure desktop clients are updated where applicable; cloud instances are stated to be automatically updated.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
ConnectwiseProfessional Service Automationapplication
ConnectwisePsaapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

13 SOURCESView more in app
security online infoNews
Jan 19, 2026
Fake Malwarebytes Campaign Exploits DLL Sideloading to Drop Infostealers

Unknown (only referenced as a high-severity XSS flaw patched in ConnectWise PSA 2026.1; no technical details provided in the content).

Read more
security online infoNews
Jan 19, 2026
CVE-2026-0695: High-Severity XSS Flaw Patched in ConnectWise PSA 2026.1

A high-severity stored cross-site scripting (XSS) vulnerability in ConnectWise PSA time entry note handling that allows malicious scripts to be stored and executed when viewed by other users (including high-privilege roles).

Read more
security online infoNews
Jan 19, 2026
DragonForce: The Rise of a New "Ransomware Cartel" Built on LockBit and Conti DNA

A high-severity cross-site scripting (XSS) vulnerability in ConnectWise PSA (noted as patched in version 2026.1).

Read more
cvefeed high severityNews
Jan 16, 2026
CVE-2026-0695 - Stored XSS in Time Entry Audit Trail

A stored cross-site scripting (XSS) vulnerability in ConnectWise PSA (versions prior to 2026.1) where insufficient output encoding of Time Entry Audit Trail notes can allow injected script to execute in a user’s browser when viewing the affected content.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity9

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-0695
NVD
nvd.nist.gov/vuln/detail/CVE-2026-0695
MITRE CWE · CWE-79
Improper Neutralization of Input During Web…
Vendor Advisory
connectwise.com/company/trust/security-bulletins/2026-01-15-psa-security-fix
themissinglink.com.au
themissinglink.com.au/security-advisories/cve-2026-0695