VDB

GCVE-110-NCSC-2025-391

GCVE-110-NCSC-2025-391
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published December 11, 2025
A stored XSS vulnerability in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows remote unauthenticated attackers to execute arbitrary JavaScript in an administrator's session with user interaction.

Weaknesses (CWE)

CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')CWE-913Improper Control of Dynamically-Managed Code ResourcesCWE-22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')CWE-347Improper Verification of Cryptographic Signature

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
Ivantivers:unknown/*

References

advisory
advisory
advisory
advisory
advisory
advisory

Browse GCVE Records

71,925 records in the GCVE database · Updated July 13, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›