Description
IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.
Published: 2026-04-01
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Browser code execution via HTML injection
Action: Apply Patch
AI Analysis

Impact

IBM Aspera Shares versions 1.9.9 through 1.11.0 allow a remote attacker to inject malicious HTML content that is rendered by a victim’s web browser. The injected code runs within the security context of the Aspera Shares site, potentially enabling session hijacking, phishing, or data exfiltration. This vulnerability is identified as a stored HTML injection flaw (CWE-80) and could be used to compromise confidentiality or integrity of user data.

Affected Systems

IBM Aspera Shares is the affected product, with vulnerable releases including 1.9.9, 1.10, and 1.11.0. All customers running these versions are at risk until they upgrade to the patched build 1.11.1.

Risk and Exploitability

The CVSS base score of 4.8 indicates medium-low severity, and an EPSS below 1% suggests a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker would need access to the application's web interface to inject HTML; the injected payload then runs in the victim's browser when the content is viewed, under the website's security context.

Generated by OpenCVE AI on April 3, 2026 at 22:29 UTC.

Remediation

Vendor Solution

Product(s) | Fixing VRM | Platform | Link to Fix
IBM Aspera Shares | 1.11.1 | Windows | https://www.ibm.com/support/fixcentral/swg/selectFixes
IBM Aspera Shares | 1.11.1 | Linux | https://www.ibm.com/support/fixcentral/swg/selectFixes


OpenCVE Recommended Actions

  • Download and install the IBM Aspera Shares 1.11.1 update from IBM Fix Central for both Windows and Linux platforms.
  • Restart the Aspera Shares service and verify the application version has been updated to 1.11.1.
  • After patching, conduct a quick test that attempts to inject HTML to confirm the issue is resolved; optionally review logs for any remaining injection attempts.



Advisories

No advisories yet.

History

Fri, 03 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ibm:aspera_shares:*:*:*:*:*:*:*:*

Fri, 03 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 23:45:00 +0000

Type | Values Removed | Values Added
Description | | IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.
Title | | Multiple vulnerabilities have been addressed in IBM Aspera Shares
First Time appeared | | Ibm; Ibm aspera Shares
Weaknesses | | CWE-80
CPEs | | cpe:2.3:a:ibm:aspera_shares:1.11.0:*:*:*:*:*:*:*; cpe:2.3:a:ibm:aspera_shares:1.9.9:*:*:*:*:*:*:*
Vendors & Products | | Ibm; Ibm aspera Shares
References | |
Metrics | | cvssV3_1: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-04-03T13:56:04.348Z

Reserved: 2025-12-02T18:42:37.817Z

Link: CVE-2025-66486

Vulnrichment

Updated: 2026-04-03T13:49:19.563Z

NVD

Status: Analyzed

Published: 2026-04-01T23:17:02.430

Modified: 2026-04-03T19:57:14.243

Link: CVE-2025-66486

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T07:56:22Z

Weaknesses