CVE-2026-8043

Critical

Published: 12 May 2026

Published

12 May 2026

Modified

12 May 2026

KEV Added

—

Patch

—

CVSS Score 9.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

EPSS Score 0.0009 25.5th percentile

Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-8043 is a critical-severity External Control of File Name or Path (CWE-73) vulnerability in Ivanti Xtraction (inferred from references). Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 25.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and 1 other technique.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SI-10 Information Input Validation

addresses: CWE-73

Rejects externally supplied file or resource identifiers that fail validity checks.

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Path traversal via external filename control directly enables remote file read (T1005) on a public-facing web app (T1190); HTML write supports client-side abuse but maps less precisely.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote authenticated attacker to read sensitive files and write arbitrary HTML files to a web directory, leading to information disclosure and possible client-side attacks.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-73

Affected Products

Ivanti

Xtraction

inferred from references and description; NVD did not file a CPE for this CVE

References

https://hub.ivanti.com/s/article/Security-Advisory---Ivanti-Xtraction-CVE-2026-8043?language=en_US
3c1d8aa1-5a33-4ea4-8992-aadd6440af75