CVE-2025-11449 MEDIUM

CVE-2025-11449: Reflected Cross Site Scripting in ServiceNow AI Platform

Vendor Servicenow
Product ServiceNow AI Platform
Weakness CWE-79 · XSS
Published October 10, 2025
Last update October 10, 2025
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

What the vulnerability does

01Description

ServiceNow has addressed a reflected cross-site scripting vulnerability that was identified in the ServiceNow AI Platform. This vulnerability could result in arbitrary code being executed within the browsers of ServiceNow users who click on a specially crafted link.    ServiceNow has addressed this vulnerability by deploying a relevant security update to the majority of hosted instances. Relevant security updates also have been provided to ServiceNow self-hosted customers, partners, and hosted customers with unique configuration. Further, the vulnerability is addressed in the listed patches and hot fixes. We recommend customers promptly apply appropriate updates or upgrade if they have not already done so.

Key dates

02Disclosure timeline

October 10, 2025 CVE published
October 10, 2025 Record updated