CVE-2026-14903 PUBLISHED

Assigner: ivanti
Reserved: 06.07.2026 Published: 14.07.2026 Updated: 14.07.2026

Path traversal in Ivanti  Xtraction before version 2026.2.1 allows a remote authenticated attacker to read arbitrary files outside the web root.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CVSS Score: 7.7

Product Status

Vendor ivanti
Product Xtraction
Versions Default: affected
  • Version 2026.2.1 is unaffected

References

Problem Types

  • CWE-23 Relative path traversal CWE

Impacts

  • CAPEC-126 Path Traversal