Description
IBM WebSphere Application Server 9.0, and 8.5 could allow a remote attacker to obtain sensitive information from the administrative console's integrated help system.
Published: 2026-06-30
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path traversal flaw (CWE-22) in the administrative console's integrated help system of IBM WebSphere Application Server lets an attacker who can reach the console request a help resource whose path escapes the directory the help system is meant to serve from, and so read files outside that directory that the server process can access. The CVSS vector rates the impact as confidentiality-only and limited (C:L, I:N, A:N): the flaw discloses information but does not by itself modify data or affect availability. Exactly which files are exposed depends on the file permissions of the account running the server; any disclosed configuration detail could aid a further attack on the host.
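To make the CWE-22 mechanism concrete, here is an added example (not WebSphere's code, and not derived from the fixed component) of a hypothetical help-file resolver in its vulnerable form beside a hardened one. The help root, the help page, the "secret" file outside the root and the request strings are all constructed for the demonstration; the hardened version decodes the request once, rejects absolute paths and NUL bytes, canonicalizes the result and then checks that it still lies under the help root.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Hypothetical help-file resolvers for an embedded help system (not WebSphere's code).
# A help page is requested by a relative name such as "topics/console.html".


def naive_resolve(help_root: str, requested: str) -> Path:
    """Vulnerable pattern (CWE-22): URL-decode the request and append it to the
    help root without checking where the resulting path actually lands."""
    return Path(help_root) / unquote(requested)


def safe_resolve(help_root: str, requested: str) -> Path:
    """Hardened resolver: decode once, reject obviously hostile input, then
    canonicalize and verify the target is still inside the help root."""
    root = Path(help_root).resolve()
    name = unquote(requested)
    if "\x00" in name or Path(name).is_absolute():
        raise ValueError("rejected request: %r" % requested)
    # resolve() collapses ".." and follows symlinks, so the containment
    # check below is made on the real filesystem location, not the string.
    candidate = (root / name).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError("path traversal rejected: %r" % requested)
    return candidate


def demo() -> dict:
    """Build a constructed help root plus one file outside it, then show that
    the naive resolver serves the outside file and the hardened one refuses."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        root = Path(base) / "help"
        root.mkdir()
        (root / "index.html").write_text("<h1>Console help</h1>")
        # Constructed "sensitive" file one level above the help root.
        (Path(base) / "secret.txt").write_text("constructed secret")

        # Both a plain and a percent-encoded traversal: a decoding front end
        # turns the second into the first before the resolver sees it.
        for label, req in [("plain", "../secret.txt"),
                           ("encoded", "%2e%2e/secret.txt")]:
            results["naive_" + label] = naive_resolve(str(root), req).read_text()
            try:
                safe_resolve(str(root), req)
                results["safe_" + label] = "served"
            except ValueError:
                results["safe_" + label] = "rejected"

        # A legitimate request is still served by the hardened resolver.
        results["safe_index"] = safe_resolve(str(root), "index.html").read_text()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment check compares canonical paths rather than string prefixes, so a sibling directory whose name merely starts with the root name (for example "help2" next to "help") is not mistaken for a location inside the root.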

Affected Systems

The affected products are IBM WebSphere Application Server traditional versions 8.5.0.0 through 8.5.5.30 and 9.0.0.0 through 9.0.5.28. IBM's fix is delivered either as the interim fix for APAR PH71756 or in Fix Pack 8.5.5.31 / 9.0.5.29 or later; IBM also notes that post-installation steps described in PH71756 are required to complete the remediation, so installing the fix alone is not sufficient.

Risk and Exploitability

The CVSS 3.1 base score is 4.3 (Medium), vector CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. Note that the attack vector is rated Adjacent (AV:A) rather than Network: the scoring assumes an attacker positioned on a network from which the administrative console is reachable, with no privileges and no user interaction required, and the impact is limited to confidentiality. No EPSS score is available and the CVE is not in the CISA KEV catalog; that indicates no exploitation has been reported, not that exploitation is difficult. Administrative consoles should not be reachable from untrusted networks in any case, and restricting network access to the console is the main mitigation until the fix is applied.

Generated by OpenCVE AI on June 30, 2026 at 22:29 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71756.

Attention: After installing the interim fix or fix pack, please follow the additional instructions provided in the interim fix link referenced below to complete the remediation.

For IBM WebSphere Application Server traditional:

For V9.0.0.0 through 9.0.5.28:
  • Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71756: https://www.ibm.com/support/pages/node/7278563
  --OR--
  • Apply Fix Pack 9.0.5.29 or later (targeted availability 3Q2026)

For V8.5.0.0 through 8.5.5.30:
  • Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71756: https://www.ibm.com/support/pages/node/7278563 and carefully follow the instructions for steps required after fix installation.
  --OR--
  • Apply Fix Pack 8.5.5.31 or later (targeted availability 3Q2026) and carefully follow the instructions in PH71756 for steps required after fix pack installation.

Additional interim fixes may be available and linked off the interim fix download page.


OpenCVE Recommended Actions

  • Apply the IBM interim fix or the relevant fix pack that contains the remedy for APAR PH71756 for your WebSphere version.
  • After installing the fix, carefully read and follow the additional post‑installation instructions linked in the IBM update notes to complete the remediation.
  • Restrict or disable direct network access to the administrative console or integrated help system, or configure firewall rules to limit exposure of the vulnerable functionality.
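As an added example (not an IBM tool, and not part of this page), the following script checks an installed traditional WebSphere level against the fix pack levels named in the remediation text above. It assumes the version is read from output in the style of WebSphere's versionInfo.sh report, where a product block carries a "Name" line followed by a "Version" line; the sample output embedded here is constructed and abbreviated, not a real report. A result of True means the fix pack level is below the advisory's fixed level; it does not detect an installed PH71756 interim fix, which must be checked separately.

```python
import re

# Fixed fix pack levels per branch, taken from the IBM remediation text on this page.
FIXED_LEVELS = {
    (8, 5): (8, 5, 5, 31),
    (9, 0): (9, 0, 5, 29),
}

# Constructed, abbreviated versionInfo-style output (not a real report). A non-WAS
# product is listed first to show that Name/Version lines must be paired.
SAMPLE_VERSION_INFO = """\
Installed Product
-----------------
Name                  IBM Java SDK
Version               8.0.8.0

Installed Product
-----------------
Name                  IBM WebSphere Application Server
Version               9.0.5.28
ID                    BASE
"""


def parse_version(text: str) -> tuple:
    """Turn '9.0.5.28' into (9, 0, 5, 28); reject anything that is not four integers."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in parts)


def needs_fix_pack(version: str):
    """True if the level is below the advisory's fixed fix pack for its branch,
    False if at or above it, None if the branch (first two components) is not
    one the advisory lists. None means "not covered here", not "known safe"."""
    v = parse_version(version)
    fixed = FIXED_LEVELS.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


def find_was_version(version_info_output: str):
    """Return the 'Version' that follows a 'Name IBM WebSphere Application Server'
    line in versionInfo-style output, or None if no such product block is present."""
    current_name = None
    for line in version_info_output.splitlines():
        m = re.match(r"^\s*(Name|Version)\s+(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Name":
            current_name = value
        elif (current_name
              and current_name.startswith("IBM WebSphere Application Server")
              and re.fullmatch(r"\d+(\.\d+){3}", value)):
            return value
    return None


if __name__ == "__main__":
    found = find_was_version(SAMPLE_VERSION_INFO)
    print(f"installed WAS level: {found}")
    print(f"below advisory fix pack level: {needs_fix_pack(found)}")
```

On a real host the report would come from running versionInfo.sh under the product's bin directory and feeding its output to find_was_version; the branch table is easy to extend if IBM publishes further fixed levels.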



Advisories

No advisories yet.

History

Tue, 30 Jun 2026 20:15:00 +0000

Changes (no values removed; all values added):

Description: IBM WebSphere Application Server 9.0, and 8.5 could allow a remote attacker to obtain sensitive information from the administrative console's integrated help system.
Title: IBM WebSphere Application Server is affected by a Path Traversal vulnerability
First Time appeared: Ibm; Ibm websphere Application Server
Weaknesses: CWE-22
CPEs:
  cpe:2.3:a:ibm:websphere_application_server:8.5.0:*:*:*:*:*:*:*
  cpe:2.3:a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:*
  cpe:2.3:a:ibm:websphere_application_server:9.0.0:*:*:*:*:*:*:*
  cpe:2.3:a:ibm:websphere_application_server:9.0:*:*:*:*:*:*:*
Vendors & Products: Ibm; Ibm websphere Application Server
References: (none)
Metrics: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-30T19:50:22.059Z

Reserved: 2026-06-08T14:16:44.778Z

Link: CVE-2026-11595

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T22:30:06Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')