Description
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
Published: 2026-03-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: HTTP header injection enabling XSS, cache poisoning, and session hijacking
Action: Patch Immediately
AI Analysis

Impact

The vulnerability arises from improper validation of the HOST header in IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6. An attacker who can send a crafted HTTP request may inject arbitrary header values, allowing cross-site scripting, cache poisoning, or session hijacking. The impact is that an attacker could compromise the confidentiality or integrity of user sessions or inject malicious content into web responses.

Affected Systems

IBM InfoSphere Information Server versions 11.7.0.0 to 11.7.1.6 are affected. Only these product builds expose the HTTP header validation flaw; earlier and later releases are not known to be vulnerable.

Risk and Exploitability

The CVSS score of 6.5 classifies the vulnerability as moderate severity. EPSS indicates less than 1% probability of exploitation, and the issue is not listed in the CISA KEV catalog. The exploitation requires the ability to send HTTP requests with custom Host headers to the vulnerable server, which is feasible for any actor with network reach to the target. While no public exploits are documented, the potential for XSS or session hijack makes it prudent to treat the vulnerability as a priority risk if the server is exposed.

Generated by OpenCVE AI on March 26, 2026 at 19:21 UTC.

Remediation

Vendor Solution

Remediation/Fixes

Product: IBM InfoSphere Information Server
Version(s): 11.7.0.0 to 11.7.1.6
APAR: DT458455
Remediation:
  • Apply IBM InfoSphere Information Server version 11.7.1.0
  • Apply IBM InfoSphere Information Server version 11.7.1.6
  • Apply IBM InfoSphere Information Server 11.7.1.6 Service pack 2


OpenCVE Recommended Actions

  • Apply IBM InfoSphere Information Server 11.7.1.0 update
  • Apply IBM InfoSphere Information Server 11.7.1.6 update
  • Apply IBM InfoSphere Information Server 11.7.1.6 Service Pack 2
  • Apply APAR DT458455
  • Verify that HOST header validation is enforced and that any custom headers are properly sanitized
  • Monitor web application logs for anomalous Host header values
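The last two actions above, as an added example that is not OpenCVE's or IBM's code: a strict allowlist check a reverse proxy or application front-end could apply to the Host header, and a scan over constructed access-log lines for Host values that fail that check. The hostnames, the `host="..."` log field and the sample lines are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Hostnames this deployment legitimately answers to (constructed values).
ALLOWED_HOSTS = {"iis.example.internal", "iis.example.internal:9443"}

# Well-formed host: DNS labels or IPv4, optional port. No whitespace, CR/LF,
# slashes or backslashes, which is where header injection attempts show up.
_HOST_RE = re.compile(r"^[A-Za-z0-9.\-]+(?::\d{1,5})?$")

# Assumed log format: the Host header is logged as host="...".
_LOG_HOST_RE = re.compile(r'host="([^"]*)"')


def host_header_is_valid(value: Optional[str]) -> bool:
    """Return True only if the Host header is well-formed and on the allowlist."""
    if value is None:
        return False
    if any(c in value for c in "\r\n\t ") or not _HOST_RE.match(value):
        return False
    return value.lower() in ALLOWED_HOSTS


def find_anomalous_hosts(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (host, line) for every log entry whose Host value fails validation.

    A missing host field is reported as "" so the entry is not silently skipped.
    """
    flagged = []
    for line in log_lines:
        match = _LOG_HOST_RE.search(line)
        host = match.group(1) if match else ""
        if not host_header_is_valid(host):
            flagged.append((host, line))
    return flagged


# Constructed sample log lines; the third one carries an escaped CR/LF sequence
# as a logger that escapes control characters would record it.
LOG_LINES = [
    '10.0.0.5 - - [25/Mar/2026:21:00:01 +0000] "GET / HTTP/1.1" 200 host="iis.example.internal"',
    '10.0.0.9 - - [25/Mar/2026:21:00:07 +0000] "GET / HTTP/1.1" 302 host="unexpected.example.net"',
    '10.0.0.9 - - [25/Mar/2026:21:00:09 +0000] "GET / HTTP/1.1" 200 host="iis.example.internal\\r\\nX-Injected: 1"',
]

if __name__ == "__main__":
    for host, line in find_anomalous_hosts(LOG_LINES):
        print(f"anomalous Host {host!r}: {line}")
```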

Generated by OpenCVE AI on March 26, 2026 at 19:21 UTC.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 20:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 18:30:00 +0000

Type: First Time appeared
Values Added: Ibm aix, Linux, Linux linux Kernel, Microsoft, Microsoft windows

Type: CPEs
Values Added:
  cpe:2.3:a:ibm:infosphere_information_server:*:*:*:*:*:*:*:*
  cpe:2.3:o:ibm:aix:-:*:*:*:*:*:*:*
  cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Ibm aix, Linux, Linux linux Kernel, Microsoft, Microsoft windows

Wed, 25 Mar 2026 21:00:00 +0000

Type: Description
Values Added: IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.

Type: Title
Values Added: IBM InfoSphere Information Server is vulnerable to HTTP header injection

Type: First Time appeared
Values Added: Ibm, Ibm infosphere Information Server

Type: Weaknesses
Values Added: CWE-644

Type: CPEs
Values Added:
  cpe:2.3:a:ibm:infosphere_information_server:11.7.0.0:*:*:*:*:*:*:*
  cpe:2.3:a:ibm:infosphere_information_server:11.7.1.6:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Ibm, Ibm infosphere Information Server

Type: References

Type: Metrics
Values Added: cvssV3_1
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-03-26T15:24:10.539Z

Reserved: 2025-12-16T22:21:26.483Z

Link: CVE-2025-14807

Vulnrichment

Updated: 2026-03-26T15:24:06.577Z

NVD

Status : Analyzed

Published: 2026-03-25T21:16:23.607

Modified: 2026-03-26T18:23:37.247

Link: CVE-2025-14807

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:29:32Z

Weaknesses