Petar Sever

**Name of the Vulnerable Software and Affected Versions** ConnectWise PSA versions prior to 2026.1 **Description** ConnectWise PSA versions older than 2026.1 may allow stored script code to execute in a user’s browser. This occurs because Time Entry notes stored in the Time Entry Audit Trail are rendered without proper output encoding for certain content. Under specific conditions, this can lead to the execution of script code within the context of a user’s browser when the affected content is displayed. **Recommendations** Update to version 2026.1.

**Name of the Vulnerable Software and Affected Versions** ConnectWise PSA versions prior to 2026.1 **Description** Certain session cookies were not configured with the HttpOnly attribute in affected versions. This could potentially allow client-side scripts to access session cookie values. **Recommendations** Update to version 2026.1 or later.