BaseFortify

Publication date: 2026-05-12

Last updated on: 2026-05-12

Assigner: ivanti

Description

SQL injection in the web console of Ivanti Endpoint Manager before version 2024 SU6 allows a remote authenticated attacker to achieve remote code execution.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-05-12

Last Modified

2026-05-12

Generated

2026-06-30

EPSS Evaluated

2026-06-28

NVD

CVE-2026-8111

Affected Vendors & Products

Vendor	Product	Version / Range
ivanti	endpoint_manager	to 2022 (inc)
ivanti	endpoint_manager	2024

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions have not been generated yet.

Hi! I’m here to help you understand CVE-2026-8111. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

BaseFortify

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart