Ivanti N-ITSM Stored XSS lets attackers steal session data

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

5.4

Ivanti N-ITSM Stored XSS lets attackers steal session data

CVE-2026-4914

Summary

Ivanti N-ITSM versions before 2025.4 contain a security weakness that lets an attacker who has already logged in to the system steal information from other users' sessions. This requires the attacker to trick a user into clicking on a link or opening a malicious email. To stay safe, update to version 2025.4 or later.

Original title

Stored XSS in Ivanti N-ITSM before version 2025.4 allows a remote authenticated attacker to obtain limited information from other user sessions. User interaction is required.

Original description

Stored XSS in Ivanti N-ITSM before version 2025.4 allows a remote authenticated attacker to obtain limited information from other user sessions. User interaction is required.

nvd CVSS3.1 5.4

Vulnerability type

CWE-79 Cross-site Scripting (XSS)

https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Neurons-for-ITSM-CVE-2...

Published: 14 Apr 2026 · Updated: 15 Apr 2026 · First seen: 14 Apr 2026