CVE-2026-0695
Published: 16 January 2026
Summary
CVE-2026-0695 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Connectwise Professional Service Automation. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 3.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates filtering and encoding of information output, such as Time Entry notes in the Audit Trail, to prevent execution of stored malicious scripts in users' browsers.
Requires validation of user inputs like Time Entry notes to detect and reject malicious script content before storage in the Audit Trail.
Ensures timely identification, reporting, and remediation of flaws like the output encoding deficiency fixed in ConnectWise PSA version 2026.1.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS directly enables browser script execution for session hijacking and web cookie theft as described.
NVD Description
In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the…
more
context of a user’s browser when the affected content is displayed.
Deeper analysisAI
CVE-2026-0695 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting ConnectWise PSA versions older than 2026.1. The flaw occurs in the Time Entry Audit Trail, where Time Entry notes are rendered without applying output encoding to certain content. Under specific conditions, this allows stored script code to execute in the context of a user's browser when the affected content is displayed. The vulnerability carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to network accessibility, low attack complexity, and significant confidentiality and integrity impacts.
Exploitation requires an attacker to have low privileges (PR:L), such as a legitimate user with the ability to create or edit Time Entry notes. The attacker injects malicious script into these notes, which are then stored in the Audit Trail. A victim user must interact by viewing the affected Audit Trail content (UI:R), triggering script execution in their browser context. This achieves high confidentiality and integrity effects (C:H/I:H) with a changed scope (S:C), potentially allowing session hijacking, data theft, or unauthorized actions on the victim's behalf.
ConnectWise addressed the issue with a security fix in PSA version 2026.1, as detailed in their security bulletin at https://www.connectwise.com/company/trust/security-bulletins/2026-01-15-psa-security-fix. Additional guidance is available in the advisory from The Missing Link at https://www.themissinglink.com.au/security-advisories/cve-2026-0695. Practitioners should prioritize upgrading affected instances and review these resources for full mitigation details.
Details
- CWE(s)