CVE-2026-0695
📋 TL;DR
This is a stored cross-site scripting (XSS) vulnerability in ConnectWise PSA's Time Entry Audit Trail feature. Attackers can inject malicious scripts into time entry notes that execute in users' browsers when viewing audit trails. All organizations using vulnerable ConnectWise PSA versions are affected.
💻 Affected Systems
- ConnectWise PSA
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on user systems.
Likely Case
Attackers with access to create time entries could inject scripts that steal session data or perform unauthorized actions when other users view audit trails.
If Mitigated
With proper input validation and output encoding, scripts would be rendered as harmless text rather than executable code.
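To make the "if mitigated" statement concrete, the following is an added example (not ConnectWise code, and not taken from the advisory): a minimal audit-trail row renderer in the vulnerable shape, where stored note text is concatenated straight into HTML, beside a hardened renderer that encodes every untrusted field for the HTML text context at output time. It also includes the kind of check the "Verify Fix Applied" step describes: confirming that a rendered note contains the encoded form of a tag rather than the raw tag. The field names (`user`, `note`) and the table markup are assumptions for illustration only.

```javascript
// Added example (not ConnectWise code). Field names and markup are assumed.

// The five characters that matter when emitting untrusted text into HTML.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for the HTML text (and double-quoted attribute) context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable shape: the stored note is interpolated into markup unchanged,
// so a note containing a <script> tag becomes live script in the viewer's
// browser when the audit trail is displayed. This is the class of defect
// the advisory describes, shown here only to contrast with the fixed form.
function renderAuditRowUnsafe(entry) {
  return `<tr><td>${entry.user}</td><td class="note">${entry.note}</td></tr>`;
}

// Hardened shape: every untrusted field is encoded at output time, so the
// same note is shown as literal text and cannot execute.
function renderAuditRowSafe(entry) {
  return `<tr><td>${escapeHtml(entry.user)}</td>` +
         `<td class="note">${escapeHtml(entry.note)}</td></tr>`;
}

// Verification helper mirroring the advisory's "confirm they are properly
// encoded when displayed" step: true when the rendered HTML carries the
// encoded form of the note and not the raw markup. A note with nothing to
// encode trivially passes.
function isNoteEncoded(renderedHtml, rawNote) {
  const encoded = escapeHtml(rawNote);
  if (encoded === rawNote) return true;
  return !renderedHtml.includes(rawNote) && renderedHtml.includes(encoded);
}

// Constructed sample entry carrying the canonical script-tag test string.
const SAMPLE_ENTRY = { user: 'tech01', note: '<script>alert(1)</script> 2h on ticket' };

// Running both renderers on the sample shows the difference directly.
console.log('unsafe :', renderAuditRowUnsafe(SAMPLE_ENTRY));
console.log('safe   :', renderAuditRowSafe(SAMPLE_ENTRY));
console.log('encoded:', isNoteEncoded(renderAuditRowSafe(SAMPLE_ENTRY), SAMPLE_ENTRY.note));
```

Encoding at output time is the durable fix because it does not depend on every write path having validated the note; input validation remains useful as defence in depth but is not sufficient on its own for stored content that is rendered in more than one place.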
🎯 Exploit Status
Exploitation requires authenticated access to create/modify time entries. The vulnerability is in how stored content is rendered.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2026.1 or later
Vendor Advisory: https://www.connectwise.com/company/trust/security-bulletins/2026-01-15-psa-security-fix
Restart Required: Yes
Instructions:
1. Backup your ConnectWise PSA instance.
2. Apply the ConnectWise PSA 2026.1 update.
3. Restart the application services.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Disable Time Entry Notes
Temporarily disable or restrict time entry note functionality to prevent injection.
Implement WAF Rules
Configure the web application firewall to block XSS patterns in time entry data.
🧯 If You Can't Patch
- Restrict user permissions for creating/modifying time entries to trusted personnel only
- Implement content security policy (CSP) headers to restrict script execution
🔍 How to Verify
Check if Vulnerable:
Check the ConnectWise PSA version in the administration panel. If the version is older than 2026.1, the system is vulnerable.
Check Version:
Check version in ConnectWise PSA web interface under Help > About or administration panel.
Verify Fix Applied:
After patching, verify version shows 2026.1 or later. Test by attempting to inject script tags in time entry notes and confirming they are properly encoded when displayed.
📡 Detection & Monitoring
Log Indicators:
- Unusual time entry modifications
- Script tags or JavaScript patterns in time entry audit logs
- Multiple failed XSS attempts in logs
Network Indicators:
- Unexpected outbound connections from user browsers after viewing time entries
- Data exfiltration patterns
SIEM Query:
source="connectwise_psa" AND (event_type="time_entry_modification" AND (data CONTAINS "<script>" OR data CONTAINS "javascript:"))
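The SIEM query above is written in generic pseudo-syntax. As an added example (not a ConnectWise feature and not a vendor SIEM rule), the block below applies the same indicator logic to constructed JSON audit-log lines: it keeps only `connectwise_psa` time-entry modification events, flags records whose `data` field contains the patterns the advisory names (`<script>`, `javascript:`), and, going one step beyond the query, also flags inline event-handler attributes (`onerror=`, `onload=` and similar), which reach script execution by a different route. It then counts findings per user to surface the "multiple attempts" indicator. The field names `source`, `event_type`, `user`, `entry_id` and `data` are assumptions that mirror the query; the log lines are constructed, not captured from a real system.

```javascript
// Added example (not a ConnectWise or SIEM vendor tool). Field names are
// assumed; sample log lines are constructed.

// Indicators: the two the advisory names, plus inline event handlers.
const XSS_INDICATORS = [
  { name: 'script_tag',     re: /<\s*script\b/i },
  { name: 'javascript_uri', re: /javascript\s*:/i },
  // Matches attributes such as onerror= or onload=; may also match ordinary
  // words that start with "on" followed by "=", which is acceptable for a
  // triage rule but worth tuning per environment.
  { name: 'event_handler',  re: /\bon[a-z]+\s*=/i },
];

// Constructed sample lines: one benign note, three with indicators, one
// unrelated event type, and one malformed line to exercise error handling.
const SAMPLE_LOG_LINES = [
  '{"source":"connectwise_psa","event_type":"time_entry_modification","user":"tech01","entry_id":1001,"data":"Worked 2h on ticket #4410"}',
  '{"source":"connectwise_psa","event_type":"time_entry_modification","user":"tech02","entry_id":1002,"data":"<script>alert(1)</script>"}',
  '{"source":"connectwise_psa","event_type":"login","user":"tech02","data":"ok"}',
  '{"source":"connectwise_psa","event_type":"time_entry_modification","user":"tech02","entry_id":1003,"data":"<a href=\\"javascript:void(0)\\">link</a>"}',
  '{"source":"connectwise_psa","event_type":"time_entry_modification","user":"tech03","entry_id":1004,"data":"<img src=x onerror=alert(1)>"}',
  'not json at all',
];

// Parse one line; malformed input is skipped rather than aborting the scan.
function parseLine(line) {
  try {
    return JSON.parse(line);
  } catch {
    return null;
  }
}

// Return one finding per matching record: { user, entry_id, indicators }.
function findXssIndicators(lines) {
  const findings = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    if (rec.source !== 'connectwise_psa' || rec.event_type !== 'time_entry_modification') continue;
    const data = String(rec.data ?? '');
    const hits = XSS_INDICATORS.filter(({ re }) => re.test(data)).map(({ name }) => name);
    if (hits.length > 0) {
      findings.push({ user: rec.user, entry_id: rec.entry_id, indicators: hits });
    }
  }
  return findings;
}

// Count findings per user so repeat sources rank first for triage.
function countByUser(findings) {
  const counts = {};
  for (const f of findings) {
    counts[f.user] = (counts[f.user] || 0) + 1;
  }
  return counts;
}

const findings = findXssIndicators(SAMPLE_LOG_LINES);
console.log(JSON.stringify(findings, null, 2));
console.log('findings per user:', countByUser(findings));
```

Alerts from a rule like this are a trigger for review of the flagged time entries, not proof of exploitation: a note that merely mentions a tag in prose will also match, so the entry should be inspected and, on a patched system, confirmed to render as encoded text.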