Fortra

All CVEs

39 total · sorted by risk
  • CVE-2026-9862 · Critical · Jun 15, 2026
    risk 0.64 · cvss 9.8 · epss 0.01

    Fortra's Core Privileged Access Manager (BoKS) contains an OS command injection vulnerability in the boks_autoregisterd service. A remote attacker with network access to the service may be able to cause commands to be executed with the privileges of the service during the…

  • CVE-2025-8450 · High · Aug 19, 2025
    risk 0.53 · cvss 8.2 · epss 0.00

    Improper Access Control issue in the Workflow component of Fortra's FileCatalyst allows unauthenticated users to upload arbitrary files via the order forms page.

  • CVE-2024-5275 · High · Jun 18, 2024
    risk 0.51 · cvss 7.8 · epss 0.00

    A hard-coded password in the FileCatalyst TransferAgent can be found which can be used to unlock the keystore from which contents may be read out, for example, the private key for certificates. Exploit of this vulnerability could lead to a machine-in-the-middle (MiTM) attack…

  • CVE-2026-9863 · High · Jun 15, 2026
    risk 0.49 · cvss 7.5 · epss 0.01

    Fortra BoKS Manager contains an OS command injection vulnerability in the client upgrade and patch tooling for legacy tar-based client installations. A malicious or compromised legacy tar-installed client selected for upgrade or patching may be able to cause commands to be…

  • CVE-2025-14362 · High · Apr 21, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force.

  • CVE-2024-6769 · Medium · Sep 26, 2024
    risk 0.45 · cvss 6.7 · epss 0.01

    A DLL Hijacking caused by drive remapping combined with a poisoning of the activation cache in Microsoft Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, and Windows Server 2022 allows a malicious authenticated attacker to elevate from a medium integrity process…

  • CVE-2026-1089 · Medium · Apr 21, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    User‑Controlled HTTP Header in Fortra's GoAnywhere MFT prior to version 7.10.0 allows attackers to trigger a DNS lookup, as well as DNS Rebinding and Information Disclosure.

  • CVE-2025-13532 · Medium · Dec 16, 2025
    risk 0.40 · cvss 6.2 · epss 0.00

    Insecure defaults in the Server Agent component of Fortra's Core Privileged Access Manager (BoKS) can result in the selection of weak password hash algorithms. This issue affects BoKS Server Agent 9.0 instances that support yescrypt and are running in a BoKS 8.1 domain.

  • CVE-2025-1241 · Medium · Apr 21, 2026
    risk 0.38 · cvss 5.8 · epss 0.00

    Encrypted values in Fortra's GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2.0 utilize a static IV which allows admin users to brute-force decryption of data.

  • CVE-2025-5141 · Medium · Jun 17, 2025
    risk 0.36 · cvss 5.5 · epss 0.00

    A binary in the BoKS Server Agent component of Fortra's Core Privileged Access Manager (BoKS) on versions 7.2.0 (up to 7.2.0.17), 8.1.0 (up to 8.1.0.22), 8.1.1 (up to 8.1.1.7), 9.0.0 (up to 9.0.0.1) and also legacy tar installs of BoKS 7.2 without hotfix #0474 on Linux, AIX, and…

  • CVE-2024-11923 · Medium · Jan 18, 2025
    risk 0.36 · cvss 5.5 · epss 0.00

    Under certain log settings, the IAM or CORE service will log credentials in the iam logfile in Fortra Application Hub (formerly named HelpSystems One) prior to version 1.3.

  • CVE-2026-0972 · Medium · Apr 21, 2026
    risk 0.35 · cvss 5.4 · epss 0.00

    HTML injection is possible in system generated emails in Fortra's GoAnywhere MFT prior to 7.10.0. Note: The title, details, and description of this CVE were corrected post-publishing.

  • CVE-2025-3871 · Medium · Jul 16, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    Broken access control in Fortra's GoAnywhere MFT prior to 7.8.1 allows an attacker to create a denial of service situation when configured to use GoAnywhere One-Time Password (GOTP) email two-factor authentication (2FA) and the user has not set an email address. In this…

  • CVE-2024-9945 · Medium · Dec 13, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    An information-disclosure vulnerability exists in Fortra's GoAnywhere MFT application prior to version 7.7.0 that allows external access to the resources in certain admin root folders.

  • CVE-2026-0971 · Medium · Apr 21, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configured Web Users being redirected to the regular login page instead of the SAML login page.

  • CVE-2024-3334 · Medium · Nov 15, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    A security bypass vulnerability exists in the Removable Media Encryption (RME) component of Digital Guardian Windows Agents prior to version 8.2.0. This allows a user to circumvent encryption controls by modifying metadata on the USB device thereby compromising the…

  • CVE-2025-10035 · KEV · Sep 18, 2025
    risk 0.23 · cvss n/a · epss 1.00

    A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.

  • CVE-2023-0669 · KEV · Feb 6, 2023
    risk 0.22 · cvss n/a · epss 1.00

    Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2.

  • CVE-2024-5276 · Jun 25, 2024
    risk 0.10 · cvss n/a · epss 0.90

    A SQL Injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data. Likely impacts include creation of administrative users and deletion or modification of data in the application database. Data exfiltration via SQL injection is not…

  • CVE-2024-0204 · Jan 22, 2024
    risk 0.10 · cvss n/a · epss 0.95

    Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.

  • CVE-2024-25153 · Mar 13, 2024
    risk 0.07 · cvss n/a · epss 0.42

    A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ‘uploadtemp’ directory with a specially crafted POST request. In situations where a file is successfully uploaded to web portal’s…

  • CVE-2026-12164 · Jun 23, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Fortra File Integrity Monitoring (FIM), formerly Tripwire Enterprise, versions prior to 9.4.0 may assign incorrect or elevated effective permissions to users created by the tetool import command while FIM is running, particularly when the import also creates or changes roles…

  • CVE-2026-12163 · Jun 23, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Fortra File Integrity Monitoring (FIM), formerly Tripwire Enterprise, versions prior to 9.4.0.1 contain a stored cross-site scripting (XSS) vulnerability in the Asset View UI component. An authenticated user with sufficient privileges to create or modify affected node or…

  • CVE-2025-8148 · Dec 5, 2025
    risk 0.00 · cvss n/a · epss 0.00

    An Improper Access Control in the SFTP service in Fortra's GoAnywhere MFT prior to version 7.9.0 allows Web Users with an Authentication Alias and a valid SSH key but limited to Password authentication for SFTP to still login using their SSH key.

  • CVE-2024-11922 · Apr 28, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Missing input validation in certain features of the Web Client of Fortra's GoAnywhere prior to version 7.8.0 allows an attacker with permission to trigger emails to insert arbitrary HTML or JavaScript into an email.

  • CVE-2025-0049 · Apr 28, 2025
    risk 0.00 · cvss n/a · epss 0.00

    When a Web User without Create permission on subfolders attempts to upload a file to a non-existent directory, the error message includes the absolute server path which may allow Fuzzing for application mapping. This issue affects GoAnywhere: before 7.8.0.

  • CVE-2024-8264 · Oct 9, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Fortra's Robot Schedule Enterprise Agent prior to version 3.05 writes FTP username and password information to the agent log file when detailed logging is enabled.

  • CVE-2024-6632 · Aug 27, 2024
    risk 0.00 · cvss n/a · epss 0.01

    A vulnerability exists in FileCatalyst Workflow whereby a field accessible to the super admin can be used to perform an SQL injection attack which can lead to a loss of confidentiality, integrity, and availability.

  • CVE-2024-6633 · Aug 27, 2024
    risk 0.00 · cvss n/a · epss 0.01

    The default credentials for the setup HSQL database (HSQLDB) for FileCatalyst Workflow are published in a vendor knowledgebase article. Misuse of these credentials could lead to a compromise of confidentiality, integrity, or availability of the software. The HSQLDB is only…

  • CVE-2024-25157 · Aug 14, 2024
    risk 0.00 · cvss n/a · epss 0.01

    An authentication bypass vulnerability in GoAnywhere MFT prior to 7.6.0 allows Admin Users with access to the Agent Console to circumvent some permission checks when attempting to visit other pages. This could lead to unauthorized information disclosure or modification.

  • CVE-2024-0259 · Mar 28, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Fortra's Robot Schedule Enterprise Agent for Windows prior to version 3.04 is susceptible to privilege escalation. A low-privileged user can overwrite the service executable. When the service is restarted, the replaced binary runs with local system privileges, allowing a…

  • CVE-2024-25156 · Mar 14, 2024
    risk 0.00 · cvss n/a · epss 0.00

    A path traversal vulnerability exists in GoAnywhere MFT prior to 7.4.2 which allows attackers to circumvent endpoint-specific permission checks in the GoAnywhere Admin and Web Clients.

  • CVE-2024-25155 · Mar 13, 2024
    risk 0.00 · cvss n/a · epss 0.00

    In FileCatalyst Direct 3.8.8 and earlier through 3.8.6, the web server does not properly sanitize illegal characters in a URL which is then displayed on a subsequent error page. A malicious actor could craft a URL which would then execute arbitrary code within an HTML script…

  • CVE-2024-25154 · Mar 13, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Improper URL validation leads to path traversal in FileCatalyst Direct 3.8.8 and earlier allowing an encoded payload to cause the web server to return files located outside of the web root which may lead to data leakage.

  • CVE-2023-6253 · Nov 22, 2023
    risk 0.00 · cvss n/a · epss 0.00

    A saved encryption key in the Uninstaller in Digital Guardian's Agent before version 7.9.4 allows a local attacker to retrieve the uninstall key and remove the software by extracting the uninstaller key from the memory of the uninstaller file.

  • CVE-2021-26837 · Sep 18, 2023
    risk 0.00 · cvss n/a · epss 0.01

    SQL Injection vulnerability in SearchTextBox parameter in Fortra (Formerly HelpSystems) DeliverNow before version 1.2.18, allows attackers to execute arbitrary code, escalate privileges, and gain sensitive information.

  • CVE-2023-2991 · Jun 22, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Fortra Globalscape EFT's administration server suffers from an information disclosure vulnerability where the serial number of the hard drive that Globalscape is installed on can be remotely determined via a "trial extension request" message.

  • CVE-2023-2990 · Jun 22, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Fortra Globalscape EFT versions before 8.1.0.16 suffer from a denial of service vulnerability, where a compressed message that decompresses to itself can cause infinite recursion and crash the service.

  • CVE-2023-2989 · Jun 22, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Fortra Globalscape EFT versions before 8.1.0.16 suffer from an out-of-bounds memory read in their administration server, which can allow an attacker to crash the service or bypass authentication if successfully exploited.