CVE-2026-0695 Overview
CVE-2026-0695 is a stored Cross-Site Scripting (XSS) vulnerability affecting ConnectWise PSA versions older than 2026.1. The vulnerability exists in the Time Entry Audit Trail feature, where Time Entry notes may be rendered without proper output encoding applied to certain content. Under specific conditions, this allows attackers to inject malicious script code that executes in the context of a victim's browser when the affected content is displayed.
Critical Impact
This stored XSS vulnerability could allow authenticated attackers to execute arbitrary JavaScript in the browsers of other users accessing the Time Entry Audit Trail, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of legitimate users.
Affected Products
- ConnectWise PSA versions prior to 2026.1
Discovery Timeline
- 2026-01-15 - ConnectWise releases security bulletin and patch
- 2026-01-16 - CVE-2026-0695 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2026-0695
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw occurs in the Time Entry Audit Trail functionality of ConnectWise PSA, where user-supplied content in Time Entry notes is stored in the database and later rendered to other users without sufficient output encoding.
Stored XSS vulnerabilities are particularly dangerous because the malicious payload persists on the server and can affect multiple users over time. In this case, any user viewing the Time Entry Audit Trail containing the injected content would have the malicious script execute in their browser session with their privileges.
The network-based attack vector combined with the requirement for user interaction (viewing the affected content) and low authentication requirements (authenticated user can inject the payload) creates a scenario where the vulnerability can be exploited to target other authenticated users of the PSA platform.
Root Cause
The root cause of this vulnerability is insufficient output encoding when rendering Time Entry notes within the Audit Trail view. When user-controlled data is displayed back to users without proper HTML entity encoding or context-aware escaping, any embedded script tags or JavaScript event handlers can be interpreted by the browser as executable code rather than displayable text.
Attack Vector
An authenticated attacker with permissions to create or modify Time Entry notes can inject malicious JavaScript code into the note content. When other users access the Time Entry Audit Trail and the affected entry is rendered, the injected script executes within their browser session. This could enable attackers to:
- Steal session tokens or authentication cookies
- Perform actions on behalf of the victim user
- Redirect users to malicious websites
- Capture keystrokes or form data
- Modify displayed content to deceive users
The vulnerability requires the attacker to be authenticated to the ConnectWise PSA platform and have the ability to create or edit Time Entry notes. The victim must then view the compromised Audit Trail entry for the attack to succeed.
Detection Methods for CVE-2026-0695
Indicators of Compromise
- Unusual JavaScript or HTML tags present in Time Entry note content (e.g., <script>, <img onerror>, <svg onload>)
- Time Entry notes containing event handler attributes or encoded script content
- Unexpected network requests originating from the ConnectWise PSA application to external domains
- User reports of unusual browser behavior when viewing Time Entry Audit Trail
Detection Strategies
- Implement Content Security Policy (CSP) headers to detect and block inline script execution attempts
- Review Time Entry notes and Audit Trail entries for suspicious HTML/JavaScript content patterns
- Monitor web application logs for unusual input patterns in Time Entry-related endpoints
- Deploy browser-based detection mechanisms to identify XSS payload execution attempts
Monitoring Recommendations
- Enable detailed logging for all Time Entry creation and modification events
- Monitor for anomalous session activity following user access to Time Entry Audit Trail pages
- Implement alerting for CSP violation reports if Content Security Policy is deployed
- Review audit logs for Time Entry notes containing potential XSS payload patterns
How to Mitigate CVE-2026-0695
Immediate Actions Required
- Upgrade ConnectWise PSA to version 2026.1 or later immediately
- Review existing Time Entry notes for potentially malicious content
- Educate users about the risks of accessing Time Entry Audit Trail until the patch is applied
- Consider implementing additional Content Security Policy headers as a defense-in-depth measure
Patch Information
ConnectWise has released a security fix addressing this vulnerability. Organizations running ConnectWise PSA versions older than 2026.1 should upgrade to the patched version as soon as possible. For detailed patch information and upgrade instructions, refer to the ConnectWise Security Bulletin.
Workarounds
- If immediate patching is not possible, consider restricting access to the Time Entry Audit Trail feature for non-essential users
- Implement Content Security Policy headers with strict script-src directives to mitigate potential XSS impact
- Deploy Web Application Firewall (WAF) rules to filter common XSS payload patterns in Time Entry input fields
- Enable input validation at the application layer to reject or sanitize HTML/JavaScript content in Time Entry notes
Organizations should prioritize patching as the primary mitigation strategy, as workarounds may not provide complete protection against all exploitation scenarios.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
