Description
IBM Cognos Analytics 11.2.0, 11.2.4, 12.0, and 12.1.0 and IBM Cognos Transformer 11.2.4, 12.0, and 12.1.0 are vulnerable to cross-site scripting (XSS). This vulnerability allows a remote attacker to inject arbitrary JavaScript code into the web user interface, which may alter the intended functionality and could lead to the disclosure of credentials within a trusted session.
Published: 2026-05-27
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM Cognos Analytics 11.2.0, 11.2.4, 12.0, and 12.1.0 and IBM Cognos Transformer 11.2.4, 12.0, and 12.1.0 are vulnerable to cross-site scripting (XSS, CWE-79). A remote attacker can inject arbitrary JavaScript into the web user interface; the injected script runs in the browser of another user of the same Cognos instance, where it can alter the functionality that user sees and read credentials or session material available to that trusted session. The CVSS vector rates the confidentiality and integrity impact as low and the availability impact as none.

Affected Systems

IBM Cognos Analytics is affected in 11.2.0 through 11.2.4 FP6, 12.0.0 through 12.0.4 FP1, and 12.1.0 through 12.1.1 IF1; the fixed levels are 11.2.4 Fix Pack 7, 12.0.4 Fix Pack 2, and 12.1.2 respectively. IBM Cognos Transformer 11.2.4, 12.0, and 12.1.0 are also affected; this page does not list the Transformer fix levels.

Risk and Exploitability

The CVSS 3.1 score of 5.4 indicates medium severity, the EPSS score is below 1% (very low), so exploitation in the wild is currently judged unlikely, and the vulnerability is not listed in CISA's KEV catalog. The vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) means the attacker needs a low-privileged account on the Cognos instance and a victim must interact (for example, open content the attacker has planted); scope is changed because the script executes in the victim's browser rather than on the server. The SSVC assessment on this page agrees: Exploitation none, Automatable no, Technical Impact partial.

Generated by OpenCVE AI on May 27, 2026 at 15:56 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by upgrading to the latest versions.

Product(s)             Version(s) number and/or range   Remediation/Fix/Instructions
IBM Cognos Analytics   11.2.0 - 11.2.4 FP6              IBM Cognos Analytics 11.2.4 Fix Pack 7
IBM Cognos Analytics   12.0.0 - 12.0.4 FP1              IBM Cognos Analytics 12.0.4 Fix Pack 2
IBM Cognos Analytics   12.1.0 - 12.1.1 IF1              IBM Cognos Analytics 12.1.2
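As an added example (not IBM's or OpenCVE's code), the following Python check classifies an installed Cognos Analytics version string against the fix levels in the IBM table above. It assumes IBM's version notation as used in that table ("11.2.4 FP6", "12.1.1 IF1", "11.2.4 Fix Pack 7") and that fix packs and interim fixes are cumulative and numerically ordered within a release branch; the version strings in the demo are constructed from the table. Cognos Transformer fix levels are not on this page, so they are deliberately not included.

```python
"""Classify an IBM Cognos Analytics version against the CVE-2025-3633 fix levels.

Added example, not code from IBM or OpenCVE. The fix levels come from the IBM
remediation table on this page; the ordering rules for FP/IF suffixes are an
assumption about IBM's notation, not something the advisory states.
"""
import re
from typing import Dict, Optional, Tuple

VersionKey = Tuple[int, int, int, int, int, int]

# First version on each release branch that contains the fix, per the IBM table.
# Key: (major, minor) branch. Anything below this level on the same branch is
# treated as affected (assumes fix packs / interim fixes are cumulative).
FIXED_VERSIONS: Dict[Tuple[int, int], str] = {
    (11, 2): "11.2.4 FP7",
    (12, 0): "12.0.4 FP2",
    (12, 1): "12.1.2",
}

_NUMERIC_RE = re.compile(r"^\s*(\d+(?:\.\d+){1,3})")
_SUFFIX_RE = re.compile(r"(FP|Fix\s*Pack|IF|Interim\s*Fix)\s*(\d+)", re.IGNORECASE)


def parse_version(text: str) -> VersionKey:
    """Turn '12.0.4 FP1' or '11.2.4 Fix Pack 7' into a sortable tuple.

    Layout: (major, minor, mod, patch, fix_pack, interim_fix). Missing numeric
    components default to 0, so '12.0' sorts as 12.0.0.0 with no FP/IF.
    """
    m = _NUMERIC_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))
    fix_pack = interim_fix = 0
    # Suffixes may appear in either spelling ('FP7' / 'Fix Pack 7', 'IF1' / 'Interim Fix 1').
    for kind, num in _SUFFIX_RE.findall(text[m.end():]):
        if kind.upper().startswith("F"):
            fix_pack = int(num)
        else:
            interim_fix = int(num)
    return (parts[0], parts[1], parts[2], parts[3], fix_pack, interim_fix)


def is_affected(installed: str) -> Optional[bool]:
    """True if below the branch's fix level, False if at/above it.

    Returns None when the branch is not in the IBM table at all, so the caller
    can flag it for manual review instead of silently treating it as fixed.
    """
    key = parse_version(installed)
    fixed = FIXED_VERSIONS.get((key[0], key[1]))
    if fixed is None:
        return None
    return key < parse_version(fixed)


if __name__ == "__main__":
    # Constructed sample inputs taken from the version ranges in the IBM table.
    for v in ("11.2.0", "11.2.4 FP6", "11.2.4 Fix Pack 7",
              "12.0.4 FP1", "12.0.4 FP2", "12.1.1 IF1", "12.1.2", "10.2.2"):
        print(f"{v:20} affected={is_affected(v)}")
```

The None result matters in practice: an inventory script that maps "branch not in table" to "not affected" would hide unsupported or misreported installs, so treat None as "check IBM's advisory" rather than as a pass.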


OpenCVE Recommended Actions

  • Upgrade IBM Cognos Analytics to the fixed level for your branch: 11.2.4 Fix Pack 7 (for 11.2.0 through 11.2.4 FP6), 12.0.4 Fix Pack 2 (for 12.0.0 through 12.0.4 FP1), or 12.1.2 (for 12.1.0 through 12.1.1 IF1)
  • Upgrade IBM Cognos Transformer 11.2.4, 12.0, or 12.1.0 to the fix level IBM publishes for it; the IBM table reproduced above covers Cognos Analytics only, so take the Transformer versions from IBM's advisory
  • As an interim mitigation only, not a fix, consider a web application firewall rule set or a Content Security Policy in front of the Cognos web interface; test a CSP in report-only mode first, since a policy strict enough to stop injected inline script can also break a UI that relies on inline script, and neither control removes the flaw in the application

Generated by OpenCVE AI on May 27, 2026 at 15:56 UTC.


Advisories

No advisories yet.

History

Wed, 27 May 2026 15:30:00 +0000

Values removed: (none)
Values added:
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 14:15:00 +0000

Values removed: (none)
Values added:
  Description: IBM Cognos Analytics 11.2.0, 11.2.4, 12.0, and 12.1.0 and IBM Cognos Transformer 11.2.4, 12.0, and 12.1.0 are vulnerable to cross-site scripting (XSS). This vulnerability allows a remote attacker to inject arbitrary JavaScript code into the web user interface, which may alter the intended functionality and could lead to the disclosure of credentials within a trusted session.
  Title: IBM Cognos Analytics is affected by multiple security vulnerabilities
  First Time appeared: Ibm; Ibm cognos Analytics; Ibm cognos Transformer
  Weaknesses: CWE-79
  CPEs:
    cpe:2.3:a:ibm:cognos_analytics:11.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:cognos_analytics:12.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:cognos_analytics:12.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:cognos_analytics:12.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:cognos_transformer:11.2.4:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:cognos_transformer:12.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:cognos_transformer:12.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:cognos_transformer:12.1.0:*:*:*:*:*:*:*
  Vendors & Products: Ibm; Ibm cognos Analytics; Ibm cognos Transformer
  References: (none listed)
  Metrics: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-27T14:31:40.895Z

Reserved: 2025-04-15T09:48:14.783Z

Link: CVE-2025-3633

Vulnrichment

Updated: 2026-05-27T14:28:02.857Z

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:16:42.233

Modified: 2026-05-27T14:53:51.833

Link: CVE-2025-3633

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T16:00:08Z

Weaknesses