Two Vulnerabilities Patched in Ivanti Neurons for ITSM
"The first bug, tracked as CVE-2026-4913 (CVSS score of 5.7), is described as the improper protection of an alternate path. It could allow a remote authenticated attacker to retain access when their account has been disabled."
"The second flaw, CVE-2026-4914 (CVSS score of 5.4), is described as a stored cross-site scripting (XSS) issue that can be abused remotely to obtain limited information from other user sessions. Successful exploitation of the weakness requires authentication and user interaction."
"No action is required for customers using the cloud solution as the fix was applied to all cloud environments on 12 December 2025. Ivanti is not aware of either of these vulnerabilities being exploited in the wild."
Ivanti updated Neurons for ITSM to address two medium-severity vulnerabilities, CVE-2026-4913 and CVE-2026-4914. CVE-2026-4913 allows remote authenticated attackers to retain access after account disablement. CVE-2026-4914 is a stored cross-site scripting issue that requires authentication and user interaction to exploit. Both vulnerabilities were fixed in version 2025.4, and users are urged to update promptly. The cloud solution was automatically patched on December 12, 2025. No exploitation of these vulnerabilities has been reported, and other Ivanti products remain unaffected.
Read at SecurityWeek