User‑Controlled HTTP Header In Fortra's GoAnywhere MFT Allows Arbitrary DNS Lookups

FI-2026-005 - User‑Controlled HTTP Header In Fortra's GoAnywhere MFT Allows Arbitrary DNS Lookups

Severity

Medium

Published Date

21-Apr-2026

Updated Date

21-Apr-2026

Vulnerabilities

CVE-2026-1089

Notes

Description

User‑Controlled HTTP Header in Fortra's GoAnywhere MFT prior to version 7.10.0 allows attackers to trigger a DNS lookup, as well as DNS Rebinding and Information Disclosure.

Vulnerabilities

User‑Controlled HTTP Header In Fortra's GoAnywhere MFT Allows Arbitrary DNS Lookups

Severity

Medium

CVE

CVE-2026-1089

CWE

CWE-74:Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Discovery Date

17-Nov-2023

CSSv3.1

6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

Affected Products

GoAnywhere MFT

Vulnerability Notes

Remediation: Vendor Fix

Upgrade to a remediated version (version 7.10.0 or later).

References

(https://www.cve.org/cverecord?id=CVE-2026-1089)

User‑Controlled HTTP Header In Fortra's GoAnywhere MFT Allows Arbitrary DNS Lookups

FI-2026-005 - User‑Controlled HTTP Header In Fortra's GoAnywhere MFT Allows Arbitrary DNS Lookups

Notes

Vulnerabilities

Vulnerability Notes

References

Privacy Policy

Cookie Policy

Terms of Service

Accessibility

Fortra AI Use

Impressum