Fortra Goanywhere Mft
14 CVEs affecting Fortra Goanywhere Mft. Latest disclosed: 2026-04-21. Critical: 2, High: 1.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
CVE-2025-10035 | Critical | 10.0 | 2025-09-18 | A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deseriali… |
CVE-2024-0204 | Critical | 9.8 | 2024-01-22 | Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal. |
CVE-2025-14362 | High | 7.3 | 2026-04-21 | The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to l… |
CVE-2026-1089 | Medium | 6.5 | 2026-04-21 | User‑Controlled HTTP Header in Fortra's GoAnywhere MFT prior to version 7.10.0 allows attackers to trigger a DNS lookup, as well as DNS Rebinding and Informati… |
CVE-2024-25157 | Medium | 6.5 | 2024-08-14 | An authentication bypass vulnerability in GoAnywhere MFT prior to 7.6.0 allows Admin Users with access to the Agent Console to circumvent some permission check… |
CVE-2024-25156 | Medium | 6.5 | 2024-03-14 | A path traversal vulnerability exists in GoAnywhere MFT prior to 7.4.2 which allows attackers to circumvent endpoint-specific permission checks in the GoAnywh… |
CVE-2024-11922 | Medium | 6.3 | 2025-04-28 | Missing input validation in certain features of the Web Client of Fortra's GoAnywhere prior to version 7.8.0 allows an attacker with permission to trigger emai… |
CVE-2025-1241 | Medium | 5.8 | 2026-04-21 | Encrypted values in Fortra's GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2.0 utilize a static IV which allows admin users t… |
CVE-2026-0972 | Medium | 5.4 | 2026-04-21 | HTML injection is possible in system generated emails in Fortra's GoAnywhere MFT prior to 7.10.0. Note: The title, details, and description of this CVE were… |
CVE-2025-3871 | Medium | 5.3 | 2025-07-16 | Broken access control in Fortra's GoAnywhere MFT prior to 7.8.1 allows an attacker to create a denial of service situation when configured to use GoAnywhere On… |
CVE-2024-9945 | Medium | 5.3 | 2024-12-13 | An information-disclosure vulnerability exists in Fortra's GoAnywhere MFT application prior to version 7.7.0 that allows external access to the resources in ce… |
CVE-2026-0971 | Medium | 4.3 | 2026-04-21 | An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configured Web Users being redirected to the regular login… |
CVE-2025-8148 | Medium | 4.2 | 2025-12-05 | An Improper Access Control in the SFTP service in Fortra's GoAnywhere MFT prior to version 7.9.0 allows Web Users with an Authentication Alias and a valid SSH… |
CVE-2023-0669 | | 2023-02-06 | Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserial… |