Servicenow


Products by Servicenow Sorted by Most Security Vulnerabilities since 2018

Servicenow: 17 vulnerabilities
Servicenow Ai Platform: 2 vulnerabilities

Known Exploited Servicenow Vulnerabilities

The following Servicenow vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title Description Added
ServiceNow Incomplete List of Disallowed Inputs Vulnerability
ServiceNow Washington DC, Vancouver, and earlier Now Platform releases contain an incomplete list of disallowed inputs vulnerability in the GlideExpression script. An unauthenticated user could exploit this vulnerability to execute code remotely.
CVE-2024-5217, Exploit Probability: 94.1%
Added: July 29, 2024

ServiceNow Improper Input Validation Vulnerability
ServiceNow Utah, Vancouver, and Washington DC Now releases contain a jelly template injection vulnerability in UI macros. An unauthenticated user could exploit this vulnerability to execute code remotely.
CVE-2024-4879, Exploit Probability: 94.3%
Added: July 29, 2024

Of the known exploited vulnerabilities above, 2 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.

By the Year

In 2026 there have been 2 vulnerabilities in Servicenow. Last year, in 2025, Servicenow had 2 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Servicenow in 2026 could surpass last year's number.




Year Vulnerabilities Average Score
2026 2 0.00
2025 2 0.00
2024 5 8.28
2023 7 5.96
2022 3 5.83
2021 0 0.00
2020 1 0.00
2019 0 0.00
2018 2 5.40

It may take a day or so for new Servicenow vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Servicenow Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-0542 (Feb 25, 2026)
ServiceNow: RCE in AI Platform Sandbox
ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform. This vulnerability could enable an unauthenticated user, in certain circumstances, to execute code within the ServiceNow Sandbox. ServiceNow addressed this vulnerability by deploying a security update to hosted instances. Relevant security updates also have been provided to ServiceNow self-hosted customers and partners. Further, the vulnerability is addressed in the listed patches and hot fixes. While we are not currently aware of exploitation against customer instances, we recommend customers promptly apply appropriate updates or upgrade if they have not already done so.
Products: Servicenow

CVE-2025-12420 (Jan 12, 2026)
Unauthenticated User Impersonation via ServiceNow AI Platform (CVE-2025-12420)
A vulnerability has been identified in the ServiceNow AI Platform that could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform. ServiceNow has addressed this vulnerability by deploying a relevant security update to hosted instances in October 2025. Security updates have also been provided to ServiceNow self-hosted customers, partners, and hosted customers with unique configurations. Additionally, the vulnerability is addressed in the listed Store App versions. We recommend that customers promptly apply an appropriate security update or upgrade if they have not already done so.

CVE-2025-11449 (Oct 10, 2025)
ServiceNow AI Platform XSS: Arbitrary Code via Reflected Links
ServiceNow has addressed a reflected cross-site scripting vulnerability that was identified in the ServiceNow AI Platform. This vulnerability could result in arbitrary code being executed within the browsers of ServiceNow users who click on a specially crafted link. ServiceNow has addressed this vulnerability by deploying a relevant security update to the majority of hosted instances. Relevant security updates also have been provided to ServiceNow self-hosted customers, partners, and hosted customers with unique configuration. Further, the vulnerability is addressed in the listed patches and hot fixes. We recommend customers promptly apply appropriate updates or upgrade if they have not already done so.
Products: Servicenow Ai Platform

CVE-2025-11450 (Oct 10, 2025)
ServiceNow AI Platform Reflected XSS Enables Browser Code Exec
ServiceNow has addressed a reflected cross-site scripting vulnerability that was identified in the ServiceNow AI Platform. This vulnerability could result in arbitrary code being executed within the browsers of ServiceNow users who click on a specially crafted link. ServiceNow has addressed this vulnerability by deploying a relevant security update to the majority of hosted instances. Relevant security updates also have been provided to ServiceNow self-hosted customers, partners, and hosted customers with unique configurations. Further, the vulnerability is addressed in the listed patches and hot fixes. We recommend customers promptly apply appropriate updates or upgrade if they have not already done so.
Products: Servicenow Ai Platform

CVE-2024-8924 (Oct 29, 2024)
ServiceNow Now Platform Blind SQL Injection (CVE-2024-8924)
ServiceNow has addressed a blind SQL injection vulnerability that was identified in the Now Platform. This vulnerability could enable an unauthenticated user to extract unauthorized information. ServiceNow deployed an update to hosted instances, and ServiceNow provided the update to our partners and self-hosted customers. Further, the vulnerability is addressed in the listed patches and hot fixes.
Products: Servicenow

CVE-2024-8923 (Oct 29, 2024)
ServiceNow Now Platform Unauth RCE via Input Validation CVE-2024-8923
ServiceNow has addressed an input validation vulnerability that was identified in the Now Platform. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ServiceNow deployed an update to hosted instances and ServiceNow provided the update to our partners and self-hosted customers. Further, the vulnerability is addressed in the listed patches and hot fixes.
Products: Servicenow

CVE-2024-22114 (Aug 12, 2024)
ServiceNow: Unprivileged Host Stats Disclosure via SysInfo Widget
User with no permission to any of the Hosts can access and view host count & other statistics through System Information Widget in Global View Dashboard.
Products: Servicenow

CVE-2024-4879 (Jul 10, 2024)
ServiceNow Now Platform RCE via Input Validation Flaw
ServiceNow has addressed an input validation vulnerability that was identified in Vancouver and Washington DC Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ServiceNow applied an update to hosted instances, and ServiceNow released the update to our partners and self-hosted customers. Listed below are the patches and hot fixes that address the vulnerability. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
Products: Servicenow

CVE-2024-5217 (Jul 10, 2024)
ServiceNow NOW Platform RCE via Improper Input Validation (CVE-2024-5217)
ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. The vulnerability is addressed in the listed patches and hot fixes below, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
Products: Servicenow

CVE-2023-1298 (Jul 06, 2023)
ServiceNow Polaris Layout Authenticated XSS via Reflected Context
ServiceNow has released upgrades and patches that address a Reflected Cross-Site scripting (XSS) vulnerability that was identified in the ServiceNow Polaris Layout. This vulnerability would enable an authenticated user to inject arbitrary scripts.
Products: Servicenow
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).