Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Primary rating from Vendor (ivanti) · only source for this CVE.
CVSS VectorVendor: ivanti
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Path traversal in Ivanti Xtraction before version 2026.2.1 allows a remote authenticated attacker to read arbitrary files outside the web root.
AnalysisAI
Arbitrary file disclosure in Ivanti Xtraction before 2026.2.1 lets a remote, authenticated attacker traverse outside the application's web root and read sensitive files from the underlying host. The CVSS 3.1 score of 7.7 reflects a scope change (S:C), meaning the impact reaches beyond the web application into the host filesystem, though only confidentiality is affected. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Recommended ActionAI
Within 24 hours: Inventory all Ivanti Xtraction deployments and document versions in use; establish real-time alerting on Xtraction authentication logs for anomalous access patterns. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-23 – Relative Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43684
GHSA-9jjf-4p7p-4qv4