Description
IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to denial of service in the WebSphere WebServer Plug-in component when an attacker can pass crafted requests to the web server.
Published: 2026-06-22
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM WebSphere Application Server and its Liberty profile contain a denial of service flaw in the WebSphere WebServer Plug‑in component. When an attacker supplies crafted requests to the web server, the plug‑in can become unresponsive, causing the WebSphere WebServer and associated services to crash or become unavailable. This results in interruption of services for users on the affected system.

Affected Systems

IBM i releases 7.6, 7.5, 7.4, and 7.3, along with IBM WebSphere Application Server and its Liberty profile are impacted. The IBM i Platform Fix Technology releases that address this vulnerability are SJ10122 (for 7.6), SJ10121 (for 7.5), SJ10120 (for 7.4), and SJ10119 (for 7.3).

Risk and Exploitability

The CVSS score of 5.9 indicates a medium severity denial of service vulnerability. EPSS score is less than 1%, and the issue is not listed in the CISA KEV catalog. Exploitation requires an attacker to send crafted HTTP requests to the WebSphere WebServer Plug‑in component, which typically operates over the network; no specific privilege level is confirmed by the supplied information.

Generated by OpenCVE AI on June 24, 2026 at 19:12 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by applying a currently available Web Server Plug-ins interim fix or fix pack that contains the fix for APAR PH71376.   Web Server Plug-ins for IBM WebSphere Application Server (used with either WebSphere Application Server traditional or Liberty): For V9.0.0.0 through 9.0.5.27: · Upgrade to minimal fix pack levels as required by the interim fix and then apply the Web Server Plug-ins Interim Fix that resolves  PH71376 https://www.ibm.com/support/pages/node/7273976 --OR-- · Apply Fix Pack 9.0.5.28 or later (targeted availability 2Q2026).   For V8.5.0.0 through 8.5.5.29: · Upgrade to minimal fix pack levels as required by interim fix and then apply Web Server Plug-ins Interim Fix that resolves  PH71376 https://www.ibm.com/support/pages/node/7273976 --OR-- · Apply Fix Pack 8.5.5.30 or later (targeted availability 3Q2026).


OpenCVE Recommended Actions

  • Apply the IBM i Platform Fix Technology (PTF) matching your release, for example SJ10122 for 7.6, SJ10121 for 7.5, SJ10120 for 7.4, or SJ10119 for 7.3, as published by IBM.
  • If running an unsupported or older release, upgrade to the latest supported IBM i version that includes the WebSphere WebServer Plug‑in fix.
  • As a temporary countermeasure, block external access to the WebSphere WebServer Plug‑in component or disable the plug‑in entirely to prevent exploitation.

Generated by OpenCVE AI on June 24, 2026 at 19:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Jul 2026 20:30:00 +0000

Type Values Removed Values Added
Title Websphere Application Server is Affected By a Denial of Service in IBM WebSphere Application Server Liberty Websphere Application Server is Affected By a Denial of Service
First Time appeared Ibm websphere Application Server
CPEs cpe:2.3:a:ibm:i:7.3.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.3:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.4.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.4:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.5.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.5:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.6.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.6:*:*:*:*:*:*:*
cpe:2.3:a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:*
cpe:2.3:a:ibm:websphere_application_server:9.0:*:*:*:*:*:*:*
Vendors & Products Ibm websphere Application Server
References

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description IBM i 7.6, 7.5, 7.4, and 7.3, IBM WebSphere Application Server, and IBM WebSphere Application Server Liberty are vulnerable to denial of service in the WebSphere WebServer Plug-in component when an attacker can pass crafted requests to the web server. IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to denial of service in the WebSphere WebServer Plug-in component when an attacker can pass crafted requests to the web server.
Title IBM i is Affected By a Denial of Service in IBM WebSphere Application Server Liberty Websphere Application Server is Affected By a Denial of Service in IBM WebSphere Application Server Liberty

Tue, 23 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
Description IBM i 7.6, 7.5, 7.4, and 7.3, IBM WebSphere Application Server, and IBM WebSphere Application Server Liberty are vulnerable to denial of service in the WebSphere WebServer Plug-in component when an attacker can pass crafted requests to the web server.
Title IBM i is Affected By a Denial of Service in IBM WebSphere Application Server Liberty
First Time appeared Ibm
Ibm i
Weaknesses CWE-476
CPEs cpe:2.3:a:ibm:i:7.3.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.3:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.4.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.4:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.5.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.5:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.6.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.6:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm i
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Ibm I Websphere Application Server
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-07-09T19:54:28.890Z

Reserved: 2026-06-04T12:38:07.335Z

Link: CVE-2026-10852

cve-icon Vulnrichment

Updated: 2026-06-23T14:51:36.316Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T19:15:15Z

Weaknesses