Description
IBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the administrative console's integrated help system.
Published: 2026-06-30
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM WebSphere Application Server 9.0 and 8.5 contain a cross-site scripting flaw in the administrative console's integrated help system. An attacker who can invoke the console's help functions can inject arbitrary HTML or JavaScript into the help pages. The injected script then executes in the browser of an authenticated console user with the privileges of that session, which would allow the attacker to capture sensitive data, hijack administrator sessions, or perform further malicious actions within the affected servers.

Affected Systems

The vulnerability is present in IBM WebSphere Application Server versions 8.5.0.0 through 8.5.5.30 and 9.0.0.0 through 9.0.5.28. IBM recommends applying the interim fix for APAR PH71756 (or a fix pack that contains it), or upgrading to Fix Pack 8.5.5.31 or later for 8.5 and Fix Pack 9.0.5.29 or later for 9.0.

Risk and Exploitability

The CVSS 3.1 base score of 9.3 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N) indicates critical severity: the attack is network-reachable, requires no privileges, needs an authenticated console user to interact with the crafted content, and crosses a scope boundary with high confidentiality and integrity impact. No EPSS score is available for this vulnerability, and it is not listed in the CISA KEV catalog. The attack is remote and targets the administrative console's help interface; once a console user is drawn to the vulnerable help content, the injected code runs in that user's session. The combination of a critical severity score and a publicly documented flaw makes the risk significant for any environment running the affected WebSphere Application Server versions.

Generated by OpenCVE AI on June 30, 2026 at 21:24 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71756.

Attention: After installing the interim fix or fix pack, please follow the additional instructions provided in the interim fix link referenced below to complete the remediation.

For IBM WebSphere Application Server traditional:

For V9.0.0.0 through 9.0.5.28:
  • Upgrade to the minimal fix pack levels required by the interim fix and then apply the Interim Fix that resolves PH71756: https://www.ibm.com/support/pages/node/7278563
  --OR--
  • Apply Fix Pack 9.0.5.29 or later (targeted availability 3Q2026)

For V8.5.0.0 through 8.5.5.30:
  • Upgrade to the minimal fix pack levels required by the interim fix and then apply the Interim Fix that resolves PH71756: https://www.ibm.com/support/pages/node/7278563 and carefully follow the instructions for steps required after fix installation.
  --OR--
  • Apply Fix Pack 8.5.5.31 or later (targeted availability 3Q2026) and carefully follow the instructions in PH71756 for steps required after fix pack installation.

Additional interim fixes may be available and linked off the interim fix download page.


OpenCVE Recommended Actions

  • Apply the IBM interim fix for APAR PH71756, or a fix pack that contains it, as instructed on IBM's support page
  • Upgrade IBM WebSphere Application Server to Fix Pack 8.5.5.31 or later for 8.5, or to Fix Pack 9.0.5.29 or later for 9.0
  • Follow the additional post‑installation instructions linked in the IBM advisory to fully resolve the issue

Generated by OpenCVE AI on June 30, 2026 at 21:24 UTC.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 20:15:00 +0000

Type | Values Removed | Values Added
Description | | IBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the administrative console's integrated help system.
Title | | IBM WebSphere Application Server is affected by a cross-site scripting vulnerability
First Time appeared | | Ibm; Ibm websphere Application Server
Weaknesses | | CWE-79
CPEs | | cpe:2.3:a:ibm:websphere_application_server:8.5.0:*:*:*:*:*:*:*
 | | cpe:2.3:a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:*
 | | cpe:2.3:a:ibm:websphere_application_server:9.0.0:*:*:*:*:*:*:*
 | | cpe:2.3:a:ibm:websphere_application_server:9.0:*:*:*:*:*:*:*
Vendors & Products | | Ibm; Ibm websphere Application Server
References | | (none)
Metrics | | cvssV3_1: {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-30T19:47:31.481Z

Reserved: 2026-06-08T23:50:25.626Z

Link: CVE-2026-11708

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T21:30:17Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')