Description
External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote authenticated attacker to read sensitive files and write arbitrary HTML files to a web directory, leading to information disclosure and possible client-side attacks.
Published: 2026-05-12
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an uncontrolled file name reference in Ivanti Xtraction that allows a remote authenticated attacker to read arbitrary files on the server and to write any HTML file to a public web directory. This results in the disclosure of sensitive data and the possibility of client‑side attacks such as stored XSS. The weakness is classified as CWE‑73 – Improper Control of Generation of Files or Directories.

Affected Systems

All instances of Ivanti Xtraction released before version 2026.2 are affected. The issue applies to any deployment where authenticated users may interact with the web components of the application.

Risk and Exploitability

With a CVSS score of 9.6 the vulnerability is considered critical. The EPSS score is not available, but the issue requires a legitimate authenticated session to be exploited, indicating that it is exploitable by individuals who have valid credentials. The vulnerability is not currently listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 12, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ivanti Xtraction to version 2026.2 or later to eliminate the uncontrolled file name issue.
  • If an upgrade cannot be performed immediately, limit web access to the Xtraction directory and restrict authenticated users to those who truly need it.
  • Implement server‑side validation that rejects file names containing path‑traversal characters or directories outside of the designated upload area, and consider a web application firewall rule to block such requests.

Generated by OpenCVE AI on May 12, 2026 at 16:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ivanti:xtraction:*:*:*:*:*:*:*:*

Wed, 13 May 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Ivanti
Ivanti xtraction
Vendors & Products Ivanti
Ivanti xtraction

Tue, 12 May 2026 16:45:00 +0000

Type Values Removed Values Added
Title Remote Authenticated File Read and Arbitrary File Write via Unrestricted File Name in Ivanti Xtraction

Tue, 12 May 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 15:00:00 +0000

Type Values Removed Values Added
Description External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote authenticated attacker to read sensitive files and write arbitrary HTML files to a web directory, leading to information disclosure and possible client-side attacks.
Weaknesses CWE-73
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N'}

Subscriptions

Ivanti Xtraction
cve-icon MITRE

Status: PUBLISHED

Assigner: ivanti

Published:

Updated: 2026-05-12T15:44:12.334Z

Reserved: 2026-05-06T16:56:11.386Z

Link: CVE-2026-8043

cve-icon Vulnrichment

Updated: 2026-05-12T15:44:08.484Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-12T15:16:17.153

Modified: 2026-05-13T20:34:20.310

Link: CVE-2026-8043

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T10:38:44Z

Weaknesses