Xtraction
Monthly
Arbitrary file disclosure in Ivanti Xtraction before 2026.2.1 lets a remote, authenticated attacker traverse outside the application's web root and read sensitive files from the underlying host. The CVSS 3.1 score of 7.7 reflects a scope change (S:C), meaning the impact reaches beyond the web application into the host filesystem, though only confidentiality is affected. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; no EPSS score was provided.
Open redirect in Ivanti Xtraction before 2026.2.1 enables remote unauthenticated attackers to craft URLs that silently forward users to arbitrary external destinations. The vulnerability carries a Scope:Changed rating (S:C) in the CVSS vector, reflecting that the impact extends beyond the vulnerable application to the user's browser environment - a hallmark of effective phishing and credential harvesting campaigns. No public exploit code and no CISA KEV listing exist at time of analysis, and the AC:H metric in the vendor-provided vector suggests exploitation may not be trivially reliable in all configurations.
Arbitrary file disclosure in Ivanti Xtraction before 2026.2.1 lets a remote, authenticated attacker traverse outside the application's web root and read sensitive files from the underlying host. The CVSS 3.1 score of 7.7 reflects a scope change (S:C), meaning the impact reaches beyond the web application into the host filesystem, though only confidentiality is affected. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; no EPSS score was provided.
Open redirect in Ivanti Xtraction before 2026.2.1 enables remote unauthenticated attackers to craft URLs that silently forward users to arbitrary external destinations. The vulnerability carries a Scope:Changed rating (S:C) in the CVSS vector, reflecting that the impact extends beyond the vulnerable application to the user's browser environment - a hallmark of effective phishing and credential harvesting campaigns. No public exploit code and no CISA KEV listing exist at time of analysis, and the AC:H metric in the vendor-provided vector suggests exploitation may not be trivially reliable in all configurations.