ConnectWise PSA 2026.1 Security Fix Date: 1/15/2026 Product(s): ConnectWise PSA Severity: Important Priority: 2 - Moderate Summary In ConnectWise PSA versions prior to 2026.1, one condition in Time Entry note handling could permit stored script execution in both the PSA web client and PSA Desktop, and a separate condition could allow client-side access to certain session cookies. The PSA 2026.1 release updates input handling and session cookie configuration to address these issues, and we recommend upgrading to the latest available version. Vulnerability CVE-2026-0695 - CWE ID: CWE-79 - Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - Base Score: 8.7 - Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N CVE-2026-0696 - CWE ID: CWE-668 - Description: Exposure of Resource to Wrong Sphere ('Resource Injection') - Base Score: 4.7 - Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Recommended Severity 2 - Moderate: Vulnerabilities that are either being targeted or have higher risk of being targeted by exploits in the wild. Recommend installing updates as emergency changes or as soon as possible (e.g. within days). Affected Versions All versions prior to 2026.1 Remediation Cloud - Cloud instances are automatically being updated to the latest ConnectWise PSA release. On-premise - Apply the 2026.1 release patches and ensure all desktop clients are up to date.