Description
IBM Financial Transaction Manager for SWIFT Services for Multiplatforms 3.2.4.0 through 3.2.4.15 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
Published: 2026-05-26
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM Financial Transaction Manager for SWIFT Services for Multiplatforms versions 3.2.4.0 through 3.2.4.15 contain a stored cross‑site scripting flaw (CWE‑79). An unauthenticated attacker can inject arbitrary JavaScript into the Web UI, allowing the attacker to intercept or manipulate user sessions and potentially exfiltrate credentials stored within the trusted session. This directly compromises the confidentiality of user credentials and can enable session hijacking. The flaw does not enable arbitrary code execution but can lead to credential theft and unauthorized actions performed under the victim’s identity.

Affected Systems

Affected products are IBM Financial Transaction Manager for SWIFT Services for Multiplatforms. Vulnerable releases include all builds from 3.2.4.0 up to 3.2.4.15 inclusive. The vulnerability is limited to the Web UI component of these releases and does not affect other modules. No other vendors or product lines are listed as impacted.

Risk and Exploitability

The CVSS score of 5.4 places the issue in the Medium severity range. EPSS data is not available, and the vulnerability has not been listed in the CISA KEV catalog. The attack vector inferred from the description is unauthenticated access to the Web UI, which suggests that the vulnerability can be exploited without privileged credentials. While exploit probability cannot be quantified, the product’s recommendation to upgrade immediately signals the potential for malicious use.

Generated by OpenCVE AI on May 26, 2026 at 18:28 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by upgrading to Fix Pack 16.

Product(s): IBM Financial Transaction Manager for SWIFT Services for Multiplatforms
Version(s): 3.2.4.0-3.2.4.15
Remediation/Fix/Instructions: Install Fix Pack 16 of IBM Financial Transaction Manager for SWIFT Services for Multiplatforms 3.2.4 https://www.ibm.com/support/fixcentral/swg/selectFixes


OpenCVE Recommended Actions

  • Apply IBM Fix Pack 16 for Financial Transaction Manager for SWIFT Services for Multiplatforms 3.2.4 to all affected installations
  • After upgrading, test the Web UI by attempting to submit a benign script payload; the page should reject or sanitize the input and no JavaScript should execute
  • Until the patch is applied, restrict access to the Web UI by enforcing authentication or limiting role‑based permissions to users who legitimately require it

Generated by OpenCVE AI on May 26, 2026 at 18:28 UTC.


Advisories

No advisories yet.

History

Tue, 26 May 2026 17:00:00 +0000

Type | Values Removed | Values Added
Description | | IBM Financial Transaction Manager for SWIFT Services for Multiplatforms 3.2.4.0 through 3.2.4.15 IBM Financial Transaction Manager SWIFT is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Title | | IBM Financial Transaction Manager for SWIFT Services for Multiplatforms is vulnerable to cross-site scripting.
First Time appeared | | Ibm; Ibm financial Transaction Manager For Swift Services For Multiplatforms
Weaknesses | | CWE-79
CPEs | | cpe:2.3:a:ibm:financial_transaction_manager_for_swift_services_for_multiplatforms:3.2.4.0:*:*:*:*:*:*:*; cpe:2.3:a:ibm:financial_transaction_manager_for_swift_services_for_multiplatforms:3.2.4.15:*:*:*:*:*:*:*
Vendors & Products | | Ibm; Ibm financial Transaction Manager For Swift Services For Multiplatforms
References | |
Metrics | | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-26T15:51:52.671Z

Reserved: 2025-04-15T21:16:19.941Z

Link: CVE-2025-36148

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-26T17:16:29.013

Modified: 2026-05-26T19:06:14.330

Link: CVE-2025-36148

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T18:30:12Z

Weaknesses