Description

In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a user’s browser when the affected content is displayed.

Related CPE's

a

connectwise

professional_service_automation

Vulnerable

References

https://www.connectwise.com/company/trust/security-bulletins/2026-01-15-psa-security-fix

Vendor Advisory

Weaknesses

7d616e1a-3288-43b1-a0dd-0a65d3e70a49

Secondary
CWE-79

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

8.7 · High

Information

Source identifier

7d616e1a-3288-43b1-a0dd-0a65d3e70a49

Vulnerability status

Analyzed

Published

2026-01-16T14:15:54.793Z

1 month ago

Last modified

2026-01-23T16:47:38.243Z

3 weeks ago