Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Stored XSS in Ivanti N-ITSM before version 2025.4 allows a remote authenticated attacker to obtain limited information from other user sessions. User interaction is required.
AnalysisAI
Stored cross-site scripting (XSS) in Ivanti Neurons for ITSM (on-premise and cloud) before version 2025.4 allows authenticated remote attackers to inject malicious scripts that execute in other users' sessions, enabling limited information disclosure. User interaction is required to trigger the vulnerability. No public exploit code or active exploitation has been identified.
Technical ContextAI
The vulnerability exploits improper input validation and output encoding in the Ivanti Neurons for ITSM application, classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). Stored XSS occurs when attacker-controlled data is persisted in the application's backend and later rendered in victims' browsers without sanitization, allowing arbitrary JavaScript execution within the security context of the ITSM application. This affects both on-premise deployments (cpe:2.3:a:ivanti:neurons_for_itsm_(on-premise)) and cloud-hosted instances (cpe:2.3:a:ivanti:neurons_for_itsm_(cloud)), indicating the flaw is present in the core application logic rather than deployment-specific configurations.
RemediationAI
Vendor-released patch: Upgrade Ivanti Neurons for ITSM to version 2025.4 or later. Both on-premise and cloud deployments must be updated. Organizations unable to patch immediately should implement input validation controls at the application layer and restrict access to ITSM functions to trusted users with verified credentials. Additionally, deploy content security policy (CSP) headers and output encoding mechanisms to mitigate XSS payload execution. Refer to the official Ivanti security advisory at https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Neurons-for-ITSM-CVE-2026-4913-CVE-2026-4914?language=en_US for patch deployment guidance.
Authentication bypass in Ivanti Virtual Traffic Manager (vTM) admin panel allows remote unauthenticated attackers to gai
Ivanti Endpoint Manager contains an absolute path traversal vulnerability allowing unauthenticated remote attackers to l
Ivanti Endpoint Manager contains a second absolute path traversal vulnerability for unauthenticated information disclosu
Ivanti Endpoint Manager contains a third absolute path traversal vulnerability for unauthenticated information disclosur
Ivanti Connect Secure, Policy Secure, and Neurons for ZTA contain a stack-based buffer overflow allowing unauthenticated
An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to a
Ivanti Endpoint Manager Mobile (EPMM) contains a critical code injection vulnerability (CVE-2026-1281, CVSS 9.8) that al
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that allows unauthenticated attackers to a
Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow enabling unauthenticated re
Ivanti Endpoint Manager Mobile (EPMM) contains an authenticated code injection in the API component, allowing authentica
Ivanti Endpoint Manager before 2024 SU5 contains an authentication bypass (CVE-2026-1603, CVSS 8.6) that allows unauthen
Remote code execution in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows unauthenticated remote attackers to a
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22280