CVE-2026-14902 PUBLISHED

Assigner: ivanti
Reserved: 06.07.2026 Published: 14.07.2026 Updated: 14.07.2026

An open redirect in Ivanti Xtraction before version 2026.2.1 allows a remote unauthenticated attacker to redirect users to arbitrary external URLs.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
CVSS Score: 4

Product Status

Vendor ivanti
Product Xtraction
Versions Default: affected
  • Version 2026.2.1 is unaffected

References

Problem Types

  • CWE-601 URL redirection to untrusted site ('open redirect') CWE

Impacts

  • CAPEC-178 Cross-Site Flashing