CVE-2026-4914 PUBLISHED

Stored XSS in Ivanti N-ITSM before version 2025.4 allows a remote authenticated attacker to obtain limited information from other user sessions. User interaction is required.

• https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Neurons-for-ITSM-CVE-2026-4913-CVE-2026-4914?language=en_US

• CWE-79 Improper neutralization of input during web page generation ('cross-site scripting') CWE

• CAPEC-592 Stored XSS