CVE-2026-0695 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, discovered in ConnectWise PSA software versions prior to 2026.1. The flaw is due to improper neutralization of input during web page generation, specifically in the rendering of Time Entry notes stored within the Time Entry Audit Trail. When certain content is entered into these notes, the application fails to apply appropriate output encoding, allowing embedded malicious scripts to execute in the context of a user's browser when viewing the affected content. This vulnerability requires an attacker to have authenticated access with privileges to create or modify Time Entry notes, and successful exploitation also requires user interaction to view the malicious content. The CVSS v3.1 base score is 8.7, indicating high severity, with vector metrics AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, meaning the attack can be launched remotely over the network with low complexity, requires low privileges and user interaction, and impacts confidentiality and integrity with a scope change. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk of session hijacking, credential theft, or unauthorized actions performed on behalf of the victim user. ConnectWise PSA is widely used by managed service providers and IT departments for professional services automation, making this vulnerability particularly relevant for organizations relying on this platform for operational management. The vulnerability was publicly disclosed on January 16, 2026, with no official patch links provided at the time, emphasizing the need for immediate vendor updates or mitigations.

For European organizations, the impact of CVE-2026-0695 can be substantial. ConnectWise PSA is commonly used by managed service providers (MSPs) and IT service organizations, which are critical for maintaining IT infrastructure and service delivery. Exploitation of this vulnerability could allow attackers to execute arbitrary scripts in the browsers of authenticated users, potentially leading to session hijacking, theft of sensitive information such as credentials or customer data, and unauthorized actions within the PSA platform. This could disrupt service management workflows, compromise client data confidentiality, and damage organizational reputation. Given the interconnected nature of MSPs and their clients, a successful attack could cascade, affecting multiple organizations across Europe. Furthermore, the vulnerability’s ability to affect confidentiality and integrity without impacting availability means attackers can stealthily compromise systems without immediate detection. The requirement for low privileges and user interaction lowers the bar for exploitation, increasing risk. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and critical infrastructure, face heightened compliance and operational risks if exploited.

To mitigate CVE-2026-0695, European organizations should prioritize upgrading ConnectWise PSA to version 2026.1 or later as soon as the vendor releases the patch. Until the patch is available, organizations should implement strict input validation and output encoding on all user-generated content fields, especially Time Entry notes, to prevent script injection. Restricting permissions to limit which users can create or modify Time Entry notes reduces the attack surface. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Conduct user awareness training to recognize suspicious content and avoid interacting with untrusted inputs. Monitor logs for unusual activity related to Time Entry modifications and audit trail views. Additionally, consider deploying web application firewalls (WAFs) with custom rules to detect and block XSS payloads targeting ConnectWise PSA. Regularly review and update security configurations and perform penetration testing focused on XSS vulnerabilities in the PSA environment. Finally, maintain an incident response plan to quickly address any suspected exploitation.