Vendor scorecard
Ivanti
Ivanti security disclosure record — CVE volume, CVSS severity mix and product-category breakdown, sourced from the NIST NVD.
CPE: ivanti, pulsesecure
Product families
3
Open in latest
257
Inferred — see methodology
Last disclosure
May 12, 2026
01
Product categories
3 trackedCVE volume, severity mix and the inferred latest shipping version per category.
| Category | CVEs | Volume | Severity mix | Open | Inferred latest |
|---|---|---|---|---|---|
| Endpoint Manager / EPMMNetwork Management & Monitoringendpoint_manager, endpoint_manager_mobile | 41 | 116 | 12.7.0.0HIGH | ||
| Connect Secure / PulseSecure Remote Access / VPN · Zero-Trust / ZTNAconnect_secure, pulse_connect_secure | 21 | 140 | 2020-04-06HIGH | ||
| Policy SecureSecure Remote Access / VPN · Zero-Trust / ZTNApolicy_secure, pulse_policy_secure | 21 | 91 | 2020-04-06MED |
02
Recent CVEs
12 shownMost recently published, newest first. Each ID links to its NVD record.
| CVE | Severity | CVSS | Summary | Published |
|---|---|---|---|---|
| CVE-2026-8111(opens NVD record) | High | 8.8 | SQL injection in the web console of Ivanti Endpoint Manager before version 2024 SU6 allows a remote authenticated attacker to achieve remote code execution. | May 12, 2026 |
| CVE-2026-8110(opens NVD record) | High | 7.8 | Incorrect permissions assignment in the agent of Ivanti Endpoint Manager before version 2024 SU6 allows a local authenticated attacker to escalate their privileges. | May 12, 2026 |
| CVE-2026-8109(opens NVD record) | Medium | 6.5 | An exposed dangerous method on the Core Server of Ivanti Endpoint Manager before version 2024 SU6 allows a remote authenticated attacker to leak access credentials. | May 12, 2026 |
| CVE-2026-7821(opens NVD record) | High | 7.4 | Improper certificate validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to enroll a device belonging to a restricted set of unenrolled devices, leading to information disclosure about EPMM appliance and impacting on the integrity of the newly enrolled device identity. | May 7, 2026 |
| CVE-2026-6973(opens NVD record) | High | 7.2 | An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution. | May 7, 2026 |
| CVE-2026-5788(opens NVD record) | High | 7.0 | An Improper Access Control in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to invoke arbitrary methods. | May 7, 2026 |
| CVE-2026-5787(opens NVD record) | High | 8.9 | An Improper Certificate Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates. | May 7, 2026 |
| CVE-2026-5786(opens NVD record) | High | 8.8 | An Improper Access Control vulnerability in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote authenticated attacker to gain administrative access. | May 7, 2026 |
| CVE-2026-1603(opens NVD record) | High | 8.6 | An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data. | Feb 10, 2026 |
| CVE-2026-1602(opens NVD record) | Medium | 6.5 | SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database. | Feb 10, 2026 |
| CVE-2026-1340(opens NVD record) | Critical | 9.8 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution. | Jan 29, 2026 |
| CVE-2026-1281(opens NVD record) | Critical | 9.8 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution. | Jan 29, 2026 |
63 CVEs · 3 product families