CVE-2025-10573 CRITICAL

CVE-2025-10573

Weakness CWE-79 · XSS

Published December 9, 2025

Last update February 26, 2026

View on NVD All CVEs

CVSS base score

9.6/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Stored XSS in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session. User interaction is required.

Key dates

02Disclosure timeline

December 9, 2025 CVE published

February 26, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-10573

Related vulnerabilities

04Related CVE

CVE-2021-3811 Cross-site Scripting (XSS) - Reflected in pi-hole/adminlte CVE-2024-2039 Stackable – Page Builder Gutenberg Blocks <= 3.12.11 - Authenticated(Contributor+) Stored Cross-Site Scripting via Posts Block CVE-2024-45116 Adobe Commerce | Cross-site Scripting (XSS) (CWE-79) CVE-2026-23794 Apache Syncope: Reflected XSS on Enduser Login CVE-2024-50472 WordPress Amilia Store plugin <= 2.9.8 - Stored Cross Site Scripting (XSS) vulnerability