VYPR
Vendor: Ivanti

Products: 44
CVEs: 446
Across products: 592
Status: Private

Recent CVEs

  • CVE-2024-7593 | Cri | KEV | Aug 13, 2024
    risk 0.86 | cvss 9.8 | epss 1.00

    Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel.

  • CVE-2026-1340 | Cri | KEV | Jan 29, 2026
    risk 0.84 | cvss 9.8 | epss 0.84

    A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.

  • CVE-2026-10520 | Cri | KEV | Jun 9, 2026
    risk 0.77 | cvss 10.0 | epss 0.99

    An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution.

  • CVE-2016-4787 | Cri | May 26, 2016
    risk 0.65 | cvss 10.0 | epss 0.02

    Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r10, and 7.4 before 7.4r13.4 allow remote attackers to read sensitive system authentication files in an unspecified directory via unknown vectors.

  • CVE-2026-10523 | Cri | Jun 9, 2026
    risk 0.64 | cvss 9.9 | epss 0.47

    An Authentication Bypass vulnerability (CWE-288) in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access.

  • CVE-2016-3147 | Cri | Jan 23, 2017
    risk 0.64 | cvss 9.8 | epss 0.06

    Buffer overflow in the collector.exe listener of the Landesk Management Suite 10.0.0.271 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large packet.

  • CVE-2026-8043 | Cri | May 12, 2026
    risk 0.62 | cvss 9.6 | epss 0.01

    External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote authenticated attacker to read sensitive files and write arbitrary HTML files to a web directory, leading to information disclosure and possible client-side attacks.

  • CVE-2026-6973 | Hig | KEV | May 7, 2026
    risk 0.59 | cvss 7.2 | epss 0.34

    An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution.

  • CVE-2026-5787 | Hig | May 7, 2026
    risk 0.58 | cvss 8.9 | epss 0.01

    An Improper Certificate Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates.

  • CVE-2026-9614 | Hig | Jun 1, 2026
    risk 0.57 | cvss 8.8 | epss 0.01

    An Improper Access Control vulnerability in Ivanti Neurons for ITSM (cloud and on-premises) allows a remote authenticated attacker to gain administrative access.

  • CVE-2026-8992 | Hig | May 22, 2026
    risk 0.57 | cvss 8.8 | epss 0.01

    An improper certificate validation vulnerability in Ivanti Secure Access Client before 22.8R6 allows a remote unauthenticated attacker to execute arbitrary code.

  • CVE-2026-5786 | Hig | May 7, 2026
    risk 0.57 | cvss 8.8 | epss 0.01

    An Improper Access Control vulnerability in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote authenticated attacker to gain administrative access.

  • CVE-2017-11463 | Hig | Dec 11, 2017
    risk 0.57 | cvss 8.8 | epss 0.02

    In Ivanti Service Desk (formerly LANDESK Management Suite) versions between 2016.3 and 2017.3, an Unrestricted Direct Object Reference leads to referencing/updating objects belonging to other users. In other words, a normal user can send requests to a specific URI with the…

  • CVE-2017-11455 | Hig | Aug 29, 2017
    risk 0.57 | cvss 8.8 | epss 0.01

    diag.cgi in Pulse Connect Secure 8.2R1 through 8.2R5, 8.1R1 through 8.1R10 and Pulse Policy Secure 5.3R1 through 5.3R5, 5.2R1 through 5.2R8, and 5.1R1 through 5.1R10 allow remote attackers to hijack the authentication of administrators for requests to start tcpdump, related to…

  • CVE-2016-4791 | Hig | May 26, 2016
    risk 0.56 | cvss 8.6 | epss 0.02

    The administrative user interface in Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r9, and 7.4 before 7.4r13.4 allows remote administrators to enumerate files, read arbitrary files, and conduct server side request forgery (SSRF) attacks via…

  • CVE-2023-38551 | Hig | May 31, 2024
    risk 0.53 | cvss 8.2 | epss 0.01

    A CRLF Injection vulnerability in Ivanti Connect Secure (9.x, 22.x) allows an authenticated high-privileged user to inject malicious code on a victim’s browser, thereby leading to a cross-site scripting attack.

  • CVE-2026-8110 | Hig | May 12, 2026
    risk 0.51 | cvss 7.8 | epss 0.00

    Incorrect permissions assignment in the agent of Ivanti Endpoint Manager before version 2024 SU6 allows a local authenticated attacker to escalate their privileges.

  • CVE-2026-7432 | Hig | May 12, 2026
    risk 0.51 | cvss 7.8 | epss 0.00

    A race condition in Ivanti Secure Access Client before 22.8R6 allows a locally authenticated user to escalate privileges to SYSTEM.

  • CVE-2018-8901 | Hig | Jun 29, 2018
    risk 0.51 | cvss 7.8 | epss 0.01

    An issue was discovered in Ivanti Avalanche for all versions between 5.3 and 6.2. A local user with database access privileges can read the encrypted passwords for users who authenticate via LDAP to Avalanche services. These passwords are stored in the Avalanche databases. This…

  • CVE-2024-29205 | Hig | Apr 25, 2024
    risk 0.49 | cvss 7.5 | epss 0.02

    An Improper Check for Unusual or Exceptional Conditions vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a remote unauthenticated attacker to send specially crafted requests in order to cause service disruptions.