In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NConnectwise Professional Service Automation
APPConnectwise< 2026.1
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
Related vulnerabilities
CVE-2026-0695HIGH8.7ten sam produkt
In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be re...
CVE-2025-7204MEDIUM6.5ten sam produkt
In ConnectWise PSA versions older than 2025.9, a vulnerability exists where authenticated users could gain acc...
CVE-2024-1709CRITICAL10.0⚠ KEVPL ✓ten sam vendor
Authentication Bypass w ConnectWise ScreenConnect — bezpośredni dostęp do systemów
CVE-2017-18362CRITICAL9.8⚠ KEVten sam vendor
ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote comm...
CVE-2025-14265CRITICAL9.1PL ✓ten sam vendor
ConnectWise ScreenConnect — instalacja niezaufanych rozszerzeń z RCE