CVE-2026-8043

Critical

Published: 12 May 2026

Published

12 May 2026

Modified

12 May 2026

KEV Added

—

Patch

—

CVSS Score 9.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

EPSS Score N/A

Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-8043 is a critical-severity External Control of File Name or Path (CWE-73) vulnerability in Ivanti Xtraction (inferred from references). Its CVSS base score is 9.6 (Critical).

Operationally, it is not currently listed in the CISA KEV catalog.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SI-10 Information Input Validation

addresses: CWE-73

Rejects externally supplied file or resource identifiers that fail validity checks.

NVD Description

External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote authenticated attacker to read sensitive files and write arbitrary HTML files to a web directory, leading to information disclosure and possible client-side attacks.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-73

Affected Products

Ivanti

Xtraction

inferred from references and description; NVD did not file a CPE for this CVE

References

https://hub.ivanti.com/s/article/Security-Advisory---Ivanti-Xtraction-CVE-2026-8043?language=en_US
3c1d8aa1-5a33-4ea4-8992-aadd6440af75