ConnectWise PSA 2026.1 Security Fix
Date: 1/15/2026
Product(s): ConnectWise PSA
Severity: Important
Priority: 2 – Moderate
Summary
In ConnectWise PSA versions prior to 2026.1, one condition in Time Entry note handling could permit stored script execution in both the PSA web client and PSA Desktop, and a separate condition could allow client-side access to certain session cookies. The PSA 2026.1 release updates input handling and session cookie configuration to address these issues, and we recommend upgrading to the latest available version.
Vulnerability
CVE-2026-0695
| CWE ID | Description | Base Score | Vector |
|---|---|---|---|
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 8.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N |
CVE-2026-0696
| CWE ID | Description | Base Score | Vector |
|---|---|---|---|
| CWE-1004 | Sensitive Cookie Without 'HttpOnly' Flag | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
Severity
Important — Vulnerabilities that could compromise confidential data or other resources but require additional access, privilege or circumstances to do so.
Priority
2 – Moderate — Vulnerabilities that are either being targeted or have higher risk of being targeted by exploits in the wild. Recommend installing updates as emergency changes or as soon as possible (e.g. within days).
Affected versions
All versions prior to 2026.1
Remediation
Cloud
Cloud instances are automatically being updated to the latest ConnectWise PSA release.
On-premise
Apply the 2026.1 release patches and ensure all desktop clients are up to date.