Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel.

CVE-2026-8111 high · 8.8

SQL injection in the web console of Ivanti Endpoint Manager before version 2024 SU6 allows a remote authenticated attacker to achieve remote code execution.

CVE-2026-7432 high · 7.8

A race condition in Ivanti Secure Access Client before 22.8R6 allows a locally authenticated user to escalate privileges to SYSTEM

CVE-2026-8043 critical · 9.6

External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote authenticated attacker to read sensitive files and write arbitrary HTML files to a web dir

CVE-2026-8109 medium · 6.5

An exposed dangerous method on the Core Server of Ivanti Endpoint Manager before version 2024 SU6 allows a remote authenticated attacker to leak access credentials.

CVE-2026-8110 high · 7.8

Incorrect permissions assignment in the agent of Ivanti Endpoint Manager before version 2024 SU6 allows a local authenticated attacker to escalate their privileges.

CVE-2026-7431 medium · 4.4

An incorrect permission assignment for critical resource of Ivanti Secure Access Client   before 22.8R6 allows a local authenticated user to read or modify sensitive log data via w