Description
IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
Published: 2026-04-01
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting and Session Hijacking
Action: Patch Now
AI Analysis

Impact

IBM Aspera Shares versions 1.9.9 through 1.11.0 contain an HTTP header injection flaw caused by improper validation of the HOST header. The injected header content is reflected in HTTP responses, enabling attackers to inject malicious scripts, poison caches, or hijack user sessions. This weakness is an example of CWE‑644 – Unvalidated Input, and it can compromise the confidentiality, integrity, and availability of the application by exposing or altering user data and impersonating legitimate users.

Affected Systems

The affected product is IBM Aspera Shares running on Windows and Linux. Vulnerable releases include 1.9.9, 1.10.x, and 1.11.0, as identified by the CPE entries. IBM has addressed the flaw in release 1.11.1, which can be downloaded from IBM Fix Central for the respective operating systems.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, while the EPSS score of less than 1 percent suggests a low likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers only need to send a crafted HTTP request containing a malicious HOST header to the target server; no special privileges are required. Successful exploitation could enable cross‑site scripting, cache poisoning, or session hijacking to compromise user accounts and data.

Generated by OpenCVE AI on April 3, 2026 at 23:53 UTC.

Remediation

Vendor Solution

Product(s) | Fixing VRM | Platform | Link to Fix
IBM Aspera Shares | 1.11.1 | Windows | https://www.ibm.com/support/fixcentral/swg/selectFixes
IBM Aspera Shares | 1.11.1 | Linux | https://www.ibm.com/support/fixcentral/swg/selectFixes


OpenCVE Recommended Actions

  • Update IBM Aspera Shares to version 1.11.1 using the Windows Fix Central link (https://www.ibm.com/support/fixcentral/swg/selectFixes)
  • Update IBM Aspera Shares to version 1.11.1 using the Linux Fix Central link (https://www.ibm.com/support/fixcentral/swg/selectFixes)


Advisories

No advisories yet.

History

Fri, 03 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ibm:aspera_shares:*:*:*:*:*:*:*:*

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
Title Multiple vulnerabilities have been addressed in IBM Aspera Shares
First Time appeared Ibm
Ibm aspera Shares
Weaknesses CWE-644
CPEs cpe:2.3:a:ibm:aspera_shares:1.11.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:aspera_shares:1.9.9:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm aspera Shares
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-04-02T18:10:25.437Z

Reserved: 2025-12-02T18:42:37.817Z

Link: CVE-2025-66485

Vulnrichment

Updated: 2026-04-02T18:10:21.614Z

NVD

Status: Analyzed

Published: 2026-04-01T23:17:02.250

Modified: 2026-04-03T19:56:11.950

Link: CVE-2025-66485

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T07:56:23Z

Weaknesses