CVE-2026-0695 is a stored cross-site scripting (XSS) vulnerability identified in ConnectWise PSA, a widely used professional services automation platform. The vulnerability exists in all versions prior to 2026.1 and stems from improper neutralization of input during web page generation, specifically in the rendering of Time Entry notes stored in the Time Entry Audit Trail. When these notes are displayed, certain content is not properly output encoded, allowing an attacker with authenticated access to inject malicious JavaScript code. This script executes in the context of the victim user's browser when they view the affected content, potentially leading to session hijacking, credential theft, or unauthorized actions within the PSA application. The CVSS 3.1 base score of 8.7 reflects a high severity due to the network attack vector, low attack complexity, requirement for privileges and user interaction, and the impact on confidentiality and integrity with no availability impact. The vulnerability’s scope is changed (S:C), meaning the exploit can affect resources beyond the vulnerable component. Although no public exploits have been reported yet, the vulnerability’s presence in a critical IT management tool makes it a significant risk. The flaw is categorized under CWE-79, which is a common and dangerous web application security issue. The lack of a patch link in the provided data suggests that organizations must monitor ConnectWise advisories closely for the official update. Attackers could leverage this vulnerability to compromise user sessions and escalate privileges within the PSA environment, potentially impacting the confidentiality of sensitive client and operational data.

For European organizations, the impact of CVE-2026-0695 is substantial due to the critical role ConnectWise PSA plays in managing IT services, projects, and client interactions. Exploitation could lead to unauthorized access to sensitive business data, manipulation of service records, and compromise of user credentials. This can disrupt service delivery, damage client trust, and lead to regulatory compliance issues under GDPR due to potential data breaches. The vulnerability’s ability to execute scripts in users’ browsers can facilitate further attacks such as phishing or lateral movement within corporate networks. Organizations with large IT service operations or managed service providers (MSPs) using ConnectWise PSA are at heightened risk. The confidentiality and integrity impacts could result in financial losses, reputational damage, and operational disruptions. Given the interconnected nature of IT service management, a successful attack could cascade to affect multiple clients and partners across Europe.

Immediate mitigation requires upgrading ConnectWise PSA to version 2026.1 or later once the patch is available. Until then, organizations should restrict access to the Time Entry Audit Trail feature to trusted users only and implement strict input validation and output encoding on any custom scripts or integrations interacting with Time Entry notes. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Monitor logs for unusual activity related to Time Entry notes and audit trails, focusing on unexpected script injections or anomalous user behavior. Conduct user awareness training to recognize potential phishing attempts that could exploit this vulnerability. Additionally, consider deploying web application firewalls (WAFs) with rules targeting XSS patterns specific to ConnectWise PSA. Regularly review and update security policies to include this vulnerability and ensure rapid response capabilities for any detected exploitation attempts.