Skip to main content

Ivanti Xtraction CVE-2026-8043

| EUVDEUVD-2026-29487 CRITICAL
External Control of File Name or Path (CWE-73)
2026-05-12 ivanti GHSA-w9px-xqr4-32j9
9.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 15:30 vuln.today
CVE Published
May 12, 2026 - 14:11 nvd
CRITICAL 9.6

DescriptionCVE.org

External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote authenticated attacker to read sensitive files and write arbitrary HTML files to a web directory, leading to information disclosure and possible client-side attacks.

AnalysisAI

Path traversal in Ivanti Xtraction enables remote authenticated attackers with low-level privileges to read sensitive system files and inject arbitrary HTML into web-accessible directories, creating risks of credential theft, configuration exposure, and client-side attacks against other users. CVSS 9.6 severity driven by scope change (S:C) indicates the attacker can impact resources beyond the vulnerable component. No public exploit or CISA KEV listing identified, but vendor advisory confirms the vulnerability affects all versions prior to 2026.2.

Technical ContextAI

This vulnerability stems from CWE-73 (External Control of File Name or Path), commonly known as path traversal or directory traversal. Ivanti Xtraction, a data extraction and transformation platform, fails to properly sanitize user-supplied file path input from authenticated users. The CVSS vector AV:N indicates the vulnerable functionality is exposed over the network, likely through a web interface or API endpoint. The attacker can manipulate file path parameters to escape intended directory boundaries using sequences like '../' to read files outside the application's designated data directory, and also write HTML content to the web root. The scope change indicator (S:C) suggests successful exploitation allows the attacker to affect confidentiality and integrity of resources managed under different security authorities than the vulnerable component itself.

RemediationAI

Upgrade Ivanti Xtraction to version 2026.2 or later as specified in the vendor security advisory at https://hub.ivanti.com/s/article/Security-Advisory---Ivanti-Xtraction-CVE-2026-8043?language=en_US. If immediate patching is not feasible, implement compensating controls: restrict network access to Xtraction web interfaces using firewall rules or VPN-only access to reduce attack surface (trade-off: impacts remote workflow); enforce principle of least privilege by auditing and removing unnecessary user accounts, especially those with file upload/download permissions (trade-off: may require access request processes); enable comprehensive file access logging and monitor for suspicious path traversal patterns in request parameters such as '../' sequences or absolute paths (trade-off: increases log volume and requires SIEM integration). Deploy web application firewall (WAF) rules to block common path traversal payloads in HTTP parameters, though sophisticated attackers may bypass signature-based detection. Note that compensating controls only reduce risk and cannot fully mitigate the vulnerability-patching to 2026.2 is the definitive solution.

More in Ivanti

View all
CVE-2024-7593 CRITICAL POC
9.8 Aug 13

Authentication bypass in Ivanti Virtual Traffic Manager (vTM) admin panel allows remote unauthenticated attackers to gai

CVE-2024-13159 CRITICAL POC
9.8 Jan 14

Ivanti Endpoint Manager contains an absolute path traversal vulnerability allowing unauthenticated remote attackers to l

CVE-2024-13160 CRITICAL POC
9.8 Jan 14

Ivanti Endpoint Manager contains a second absolute path traversal vulnerability for unauthenticated information disclosu

CVE-2024-13161 CRITICAL POC
9.8 Jan 14

Ivanti Endpoint Manager contains a third absolute path traversal vulnerability for unauthenticated information disclosur

CVE-2025-0282 CRITICAL POC
9.0 Jan 08

Ivanti Connect Secure, Policy Secure, and Neurons for ZTA contain a stack-based buffer overflow allowing unauthenticated

CVE-2025-4427 MEDIUM POC
5.3 May 13

An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to a

CVE-2026-1281 CRITICAL POC
9.8 Jan 29

Ivanti Endpoint Manager Mobile (EPMM) contains a critical code injection vulnerability (CVE-2026-1281, CVSS 9.8) that al

CVE-2026-1340 CRITICAL POC
9.8 Jan 29

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that allows unauthenticated attackers to a

CVE-2025-22457 CRITICAL POC
9.0 Apr 03

Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow enabling unauthenticated re

CVE-2025-4428 HIGH POC
7.2 May 13

Ivanti Endpoint Manager Mobile (EPMM) contains an authenticated code injection in the API component, allowing authentica

CVE-2026-1603 HIGH POC
8.6 Feb 10

Ivanti Endpoint Manager before 2024 SU5 contains an authentication bypass (CVE-2026-1603, CVSS 8.6) that allows unauthen

CVE-2026-10520 CRITICAL POC
10.0 Jun 09

Remote code execution in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows unauthenticated remote attackers to a

Share

CVE-2026-8043 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy