Description
Stored XSS in Ivanti N-ITSM before version 2025.4 allows a remote authenticated attacker to obtain limited information from other user sessions. User interaction is required.
Published: 2026-04-14
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: Cross‑Site Scripting leading to limited data disclosure
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw in Ivanti Neurons for ITSM, present in all releases before version 2025.4. A malicious authenticated user can inject JavaScript that is later rendered in the browser for other users’ sessions. The injected code runs with the privileges of the victim user, enabling the attacker to read restricted session information and thereby compromise confidentiality. This behavior is classified as CWE‑79.

Affected Systems

Affected components include the cloud and on‑premise editions of Ivanti Neurons for ITSM. Versions prior to 2025.4 are impacted, meaning any organization using an older deployment faces the same risk unless upgraded.

Risk and Exploitability

The CVSS score is 5.4, indicating medium severity, while EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. Attackers would need remote authenticated access and user interaction to trigger the payload, reducing the immediacy compared to an unauthenticated exploit. However, a single compromised account could repeatedly affect many users once the stored payload is inserted.

Generated by OpenCVE AI on April 14, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Ivanti Neurons for ITSM upgrade to version 2025.4 or later.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 18:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 16:45:00 +0000

Type | Values Removed | Values Added
Title | | Stored XSS in Ivanti N-ITSM Leads to Session Information Disclosure

Tue, 14 Apr 2026 16:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Ivanti; Ivanti neurons For Itsm
Vendors & Products | | Ivanti; Ivanti neurons For Itsm

Tue, 14 Apr 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | | Stored XSS in Ivanti N-ITSM before version 2025.4 allows a remote authenticated attacker to obtain limited information from other user sessions. User interaction is required.
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: ivanti

Published:

Updated: 2026-04-14T17:20:09.361Z

Reserved: 2026-03-26T16:37:45.229Z

Link: CVE-2026-4914

Vulnrichment

Updated: 2026-04-14T17:20:03.289Z

NVD

Status: Received

Published: 2026-04-14T15:16:39.750

Modified: 2026-04-14T15:16:39.750

Link: CVE-2026-4914

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:30:24Z

Weaknesses