Threat Advisory

Ivanti Neurons ITSM Vulnerabilities Permit Access to Active Sessions

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Medium

EXECUTIVE SUMMARY:

Ivanti has released security updates for two medium-severity vulnerabilities affecting Ivanti Neurons for ITSM, an on-premise IT service management platform. The flaws could allow authenticated remote attackers to maintain unauthorized system access or steal limited session data from other users. Ivanti stated there is no evidence of active exploitation at the time of disclosure. Cloud-hosted environments were reportedly patched automatically, while on-premise customers must manually upgrade.

CVE-2026-4913 (CVSS score 5.7): An improper path protection vulnerability that may allow an authenticated attacker to retain access even after their account has been disabled by an administrator. This creates risk during employee offboarding or access revocation scenarios.

CVE-2026-4914 (CVSS score 5.4): A stored cross-site scripting (XSS) vulnerability that enables malicious script injection into the application, potentially allowing theft of session tokens, credentials, or sensitive user data when other users access the affected content.


RECOMMENDATION:

We recommend updating Ivanti Neurons for ITSM to the version given in the Ivanti security advisory: https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Neurons-for-ITSM-CVE-2026-4913-CVE-2026-4914?language=en_US

REFERENCES:

The following reports contain further technical details:
https://cybersecuritynews.com/ivanti-neurons-itsm-vulnerabilities/
