SecurityWeek reports that Ivanti Neurons for ITSM has patched two medium-severity vulnerabilities affecting both on‑premises and cloud deployments.
The first flaw, CVE-2026-4913 (CVSS 5.7), is described as improper protection of an alternate path, which according to Ivanti could allow “a remote authenticated attacker to retain access when their account has been disabled.” The second, CVE-2026-4914 (CVSS 5.4), is a stored XSS issue that can be abused remotely to obtain limited information from other user sessions; exploitation requires authentication and user interaction.
Both bugs were fixed in Ivanti Neurons for ITSM version 2025.4. Customers using the cloud solution need to take no action, because the fix was applied to cloud environments on 12 December 2025. Ivanti states it is not aware of either vulnerability being exploited in the wild. The article also notes that Ivanti updated its advisory on related CVEs and emphasises that, according to Ivanti, the patches cover both on‑prem and cloud deployments.