CVE-2026-8043
📛 CVE Title
CVE-2026-8043
Description
External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote authenticated attacker to read sensitive files and write arbitrary HTML files to a web directory, leading to information disclosure and possible client-side attacks.
Overview
- State: PUBLISHED
- Assigner (CNA): ivanti
- CVSS severity: CRITICAL
- CVSS score: 9.6 / 10
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
- Effective score: 9.6 / 10 CRITICAL (source: CNA overview)
- CWE(s): CWE-73
- Reserved: 2026-05-06
- Published: 2026-05-12 16:11 UTC
- Last updated: 2026-05-12 17:44 UTC
- Source: https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/8xxx/CVE-2026-8043.json
- Linked Threat: CVE-2026-8043 — CVE-2026-8043
NVD triage scoring NVD CVE 2.0
Layer NVD adds on top of the CNA's CVE record — published / last-modified timestamps, exploitability / impact subscores, and the FIRST.org EPSS probability that this CVE will be exploited in the wild in the next 30 days.
- NVD published: 2026-05-12 15:16:17 UTC
- NVD last modified: 2026-05-13 20:34:20 UTC
- NVD CVSS v3.1: 9.6 / 10 CRITICAL (source: 3c1d8aa1-5a33-4ea4-8992-aadd6440af75)
- NVD CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
- Exploitability subscore: 3.1 / 10
- Impact subscore: 5.8 / 10
- EPSS score: 0.0012 (probability of exploitation in next 30 days)
- EPSS percentile: 30.08% vs all CVEs — higher = more likely to be exploited, as of 2026-05-24
NVD / KEV / EPSS data refreshed 2026-05-25 06:24 UTC.
European Union Vulnerability Database ENISA EUVD
ENISA's official EU repository for curated vulnerability intelligence. Carries a separate identifier (EUVD-YYYY-NNNN) and frequently exposes an earlier-published description + CVSS than NVD does.
- EUVD ID: EUVD-2026-29487
- Assigner: ivanti
- Published: May 12, 2026, 2:11:30 PM
- Updated: May 12, 2026, 3:44:12 PM
- EUVD base score (CVSS 3.1): 9.6 / 10 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N)
- EUVD-reported EPSS: 0.1200
- Vendors: Ivanti
- Products: Xtraction (patch: 2026.2)
ENISA description: External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote authenticated attacker to read sensitive files and write arbitrary HTML files to a web directory, leading to information disclosure and possible client-side attacks.
Affected products (1)
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| ivanti | Xtraction | 2026.2 (unaffected) | — |
Affected products — CPE 2.3 (1) NVD
NVD's normalized CPE 2.3 matchers, used by vendor tools (vulnerability scanners, asset managers) for automated detection. Compare with the CNA's free-text "Affected products" section above.
cpe:2.3:a:ivanti:xtraction:*:*:*:*:*:*:*:*
Remediations (10)
Remediations are stored against the linked Threat row; the list below is deduplicated across both pages.
- web:app.opencve.io
  Remediation: No vendor fix or workaround currently provided. OpenCVE Recommended Actions: Upgrade Ivanti Xtraction to version 2026.2 or later to eliminate the uncontrolled file name issue. If an upgrade cannot be performed immediately, limit web access to the Xtraction directory and restrict authenticated users to those who truly need it.
  2026-05-22 17:37 UTC
- web:blog.qualys.com
  Microsoft has rolled out its March 2026 Patch Tuesday updates, delivering a fresh batch of security fixes designed to keep Windows environments protected from emerging threats.
  2026-05-22 17:37 UTC
- web:cybersecuritynews.com
  Microsoft released its March 2026 Patch Tuesday security update on March 10, 2026, addressing 78 vulnerabilities across Windows, Microsoft Office, Azure, SQL Server, and .NET. The update includes one actively exploited zero-day vulnerability and multiple Critical-rated flaws demanding immediate attention from security teams. The most urgent fix this month is CVE-2026-21262, the sole zero-day ...
  2026-05-22 17:37 UTC
- web:nvd.nist.gov
  An official website of the United States government Here's how you know
  2026-05-22 17:37 UTC
- web:portal.msrc.microsoft.com
  The Security Update Guide provides information on the latest Microsoft security updates, helping users understand and address potential vulnerabilities effectively.
  2026-05-22 17:37 UTC
- web:vulmon.com
  Vulnerability details of CVE-2026-8043: CVE-2026-8043 - External File Name Control Vulnerability in Ivanti Xtraction Before 2026.2
  2026-05-22 17:37 UTC
- web:www.aha.org
  On May 12, 2026, Ivanti patched a critical vulnerability, CVE-2026-8043 (CVSS score 9.6), in its Xtraction platform. The flaw allows authenticated remote attackers to bypass directory restrictions, enabling them to read sensitive internal files or write malicious HTML files to the web directory.
  2026-05-22 17:37 UTC
- web:www.bleepingcomputer.com
  Today is Microsoft's March 2026 Patch Tuesday with security updates for 79 flaws, including 2 publicly disclosed zero-day vulnerabilities.
  2026-05-22 17:37 UTC
- web:www.pcworld.com
  This month's Patch Tuesday brings over 80 fixes for various security vulnerabilities. Fortunately, none are actively being exploited in the wild yet.
  2026-05-22 17:37 UTC
- web:www.thehackerwire.com
  CVE-2026-8043 is a Critical severity vulnerability (CVSS 9.6). External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote authenticated attacker to read sensitive...
  2026-05-22 17:37 UTC
Vendor references (1)
References embedded in the original CVE record by the assigning CNA.
MITRE references (1) cveawg.mitre.org
Pulled from MITRE's CVE Services API.
Web references (5)
DuckDuckGo results ranked by threat-intel / vendor advisory domains.
- https://nvd.nist.gov/vuln/detail/CVE-2026-8043 tenable:nvd.nist.gov
- https://thehackernews.com/2026/05/ivanti-fortinet-sap-vmware-n8n-patch.html tenable:thehackernews.com
- https://www.cve.org/CVERecord?id=CVE-2026-8043 tenable:www.cve.org
- https://www.first.org/epss/ tenable:www.first.org
- https://www.securityweek.com/fortinet-ivanti-patch-critical-vulnerabilities/ tenable:www.securityweek.com
NVD-tagged references (1)
Reference list NVD curates from the CNA record, vendor advisories, and third-party reports. The tag chips below are NVD's analyst-assigned categories.
- https://hub.ivanti.com/s/article/Security-Advisory---Ivanti-Xtraction-CVE-2026-8043?language=en_US 3c1d8aa1-5a33-4ea4-8992-aadd6440af75 Vendor Advisory
Raw JSON
The full cvelistV5 record.
```json
{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-8043",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-12T15:44:03.881162Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T15:44:12.334Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Xtraction",
          "vendor": "ivanti",
          "versions": [
            {
              "status": "unaffected",
              "version": "2026.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote authenticated attacker to read sensitive files and write arbitrary HTML files to a web directory, leading to information disclosure and possible client-side attacks."
            }
          ],
          "value": "External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote authenticated attacker to read sensitive files and write arbitrary HTML files to a web directory, leading to information disclosure and possible client-side attacks."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-165",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-165 File Manipulation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-73",
              "description": "CWE-73 External control of file name or path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-12T14:11:30.204Z",
        "orgId": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
        "shortName": "ivanti"
      },
      "references": [
        {
          "url": "https://hub.ivanti.com/s/article/Security-Advisory---Ivanti-Xtraction-CVE-2026-8043?language=en_US"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
    "assignerShortName": "ivanti",
    "cveId": "CVE-2026-8043",
    "datePublished": "2026-05-12T14:11:30.204Z",
    "dateReserved": "2026-05-06T16:56:11.386Z",
    "dateUpdated": "2026-05-12T15:44:12.334Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}
```