ServiceNow AI Platform XSS: Arbitrary Code via Reflected Links
CVE-2025-11449, published on October 10, 2025
Reflected Cross Site Scripting in ServiceNow AI Platform
ServiceNow has addressed a reflected cross-site scripting vulnerability that was identified in the ServiceNow AI Platform. This vulnerability could result in arbitrary code being executed within the browsers of ServiceNow users who click on a specially crafted link.
ServiceNow has addressed this vulnerability by deploying a relevant security update to the majority of hosted instances. Relevant security updates have also been provided to ServiceNow self-hosted customers, partners, and hosted customers with unique configurations. Further, the vulnerability is addressed in the listed patches and hot fixes. We recommend customers promptly apply appropriate updates or upgrade if they have not already done so.
Weakness Type
What is an XSS Vulnerability?
The software does not neutralize, or incorrectly neutralizes, user-controllable input before it is placed in output that is used as a web page served to other users.
CVE-2025-11449 has been classified as an XSS vulnerability (weakness).
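To make the weakness description concrete, the following added example (not ServiceNow's code, and not derived from the vulnerable component, which the advisory does not name) shows the pattern behind a reflected XSS: a query parameter copied straight into an HTML response, beside the same page with the parameter encoded before it reaches the HTML. The page, handler and parameter names (`/search`, `q`, `renderSearchVulnerable`, `renderSearchHardened`, `handleRequest`) are hypothetical, and the crafted link is a constructed sample. A small log-triage helper is included to show what a defender looks for when hunting for probes against such an endpoint.

```javascript
// Added example (not ServiceNow's code). Names and sample URL are hypothetical.

// Encode the five characters that let data break out of an HTML text or
// attribute context. This is the "neutralization" step the weakness
// description refers to; skipping it is what makes a reflected XSS possible.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable form: the "q" query parameter is interpolated into the page as-is,
// so whatever a crafted link carries in q is returned to the victim's browser
// as markup and executed in the site's origin.
function renderSearchVulnerable(q) {
  return `<h1>Results for: ${q}</h1>`;
}

// Hardened form: identical page, but the parameter is encoded first. The
// browser now renders the attacker's text literally instead of as a tag.
function renderSearchHardened(q) {
  return `<h1>Results for: ${escapeHtml(q)}</h1>`;
}

// Hypothetical request handler: parse the query string from the request path
// and answer with the hardened page. (A real server would wrap this in an
// HTTP framework; only the rendering decision matters here.)
function handleRequest(requestPath) {
  const url = new URL(requestPath, "http://localhost");
  const q = url.searchParams.get("q") ?? "";
  return renderSearchHardened(q);
}

// Defender-side heuristic for access-log triage: flag requests whose decoded
// query parameters contain tag syntax or an inline event-handler attribute.
// It is deliberately broad; tune it against your own traffic before alerting.
function looksLikeReflectedXssProbe(requestPath) {
  const url = new URL(requestPath, "http://localhost");
  for (const [, value] of url.searchParams) {
    if (/<\s*[a-z!\/]/i.test(value) || /\bon[a-z]+\s*=/i.test(value)) {
      return true;
    }
  }
  return false;
}

// Constructed sample link of the kind the advisory describes (URL-encoded).
const sampleLink = "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E";
const decodedQ = new URL(sampleLink, "http://localhost").searchParams.get("q");

console.log("vulnerable:", renderSearchVulnerable(decodedQ));
console.log("hardened:  ", handleRequest(sampleLink));
console.log("probe?     ", looksLikeReflectedXssProbe(sampleLink));
```

The vulnerable render returns the script tag intact; the hardened render returns `&lt;script&gt;...`, which the browser displays as text. Contextual output encoding at the point of insertion is the fix the advisory's patches apply in spirit, and it is what a code review of any template that echoes request data should look for.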
Products Associated with CVE-2025-11449
Affected Versions
ServiceNow AI Platform:
- Before Washington DC Patch 10 Hot Fix 7b is affected.
- Before Xanadu Patch 10 Hot Fix 1a is affected.
- Before Xanadu Patch 11 is affected.
- Before Yokohama Patch 7 Hot Fix 2a is affected.
- Before Yokohama Patch 8 is affected.
- Before Yokohama Patch 9 is affected.
- Before Zurich Patch 1 Hot Fix 1a is affected.
- Before Zurich Patch 2 is affected.
- Before Zurich Patch 3 is affected.
- Before Australia General Availability (GA) is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.