Description
IBM WebSphere Application Server 9.0 and 8.5 are affected by a cross-site scripting vulnerability in the administrative console help system.
Published: 2026-06-30
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross‑site scripting vulnerability exists in the administrative console help system of IBM WebSphere Application Server. The flaw allows an attacker to inject and execute arbitrary client‑side scripts in a user's browser when that user views the help pages. If an attacker successfully exploits this weakness, they could steal session cookies, impersonate legitimate users, or redirect users to malicious sites, compromising the confidentiality and integrity of the administrative interface (the CVSS vector rates the availability impact as none). The weakness is classified as CWE‑79 and carries a CVSS score of 9.3.

Affected Systems

IBM WebSphere Application Server versions 8.5 and 9.0 are affected. Builds V9.0.0.0 through 9.0.5.28 remain vulnerable until the interim fix is installed or Fix Pack 9.0.5.29 or later is applied. Builds V8.5.0.0 through 8.5.5.30 remain vulnerable until the interim fix is installed or Fix Pack 8.5.5.31 or later is applied.

Risk and Exploitability

The issue is remotely exploitable through the administrative console's help pages, with no privileges required but user interaction required (an authorised user must view a crafted help page), so a publicly reachable WebSphere administrative console is a candidate target. The CVSS score of 9.3 indicates critical severity; no EPSS score is provided, and the absence of a KEV listing suggests no known widespread exploitation at the time of this report. The recommended remediation is to apply IBM's interim fix or the appropriate fix pack and then follow the detailed post‑installation instructions. Leaving the system unpatched exposes it to script injection, which can lead to credential theft or further attacks within the corporate network.

Generated by OpenCVE AI on June 30, 2026 at 21:24 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71756. Attention: After installing the interim fix or fix pack, please follow the additional instructions provided in the interim fix link referenced below to complete the remediation.

For IBM WebSphere Application Server traditional:

For V9.0.0.0 through 9.0.5.28:
  • Upgrade to the minimal fix pack levels required by the interim fix and then apply the Interim Fix that resolves PH71756: https://www.ibm.com/support/pages/node/7278563
  --OR--
  • Apply Fix Pack 9.0.5.29 or later (targeted availability 3Q2026)

For V8.5.0.0 through 8.5.5.30:
  • Upgrade to the minimal fix pack levels required by the interim fix and then apply the Interim Fix that resolves PH71756 (https://www.ibm.com/support/pages/node/7278563), and carefully follow the instructions for steps required after fix installation.
  --OR--
  • Apply Fix Pack 8.5.5.31 or later (targeted availability 3Q2026) and carefully follow the instructions in PH71756 for steps required after fix pack installation.

Additional interim fixes may be available and linked off the interim fix download page.


OpenCVE Recommended Actions

  • Install the latest interim fix or fix pack that contains APAR PH71756 and follow IBM’s installation instructions.
  • If the interim fix is not yet available for your release, first upgrade to the minimum required fix pack level as specified by IBM before applying the interim fix.
  • After applying the fix, carefully follow all post‑installation steps referenced in the IBM advisory to fully remediate the vulnerability.
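The affected ranges and fixing fix-pack levels above translate directly into an inventory check. The following is an added example, not part of the OpenCVE record or IBM's advisory: it classifies a WebSphere traditional version string against the advisory's ranges, and takes the interim-fix status as a separate input because that cannot be inferred from the version number alone. The inventory hostnames and versions are constructed sample data.

```python
from typing import List, Tuple

# (first affected, last affected, first fixing fix pack) per IBM's advisory
AFFECTED_RANGES = [
    ((9, 0, 0, 0), (9, 0, 5, 28), "9.0.5.29"),
    ((8, 5, 0, 0), (8, 5, 5, 30), "8.5.5.31"),
]

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'V9.0.5.28' or '9.0.5.28' into a 4-tuple for numeric comparison."""
    parts = text.strip().lstrip("Vv").split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised WebSphere version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))  # pad '9.0.5' to (9, 0, 5, 0)

def assess(version: str, interim_fix_applied: bool = False) -> str:
    """
    Return 'affected', 'fixed' (fixing fix pack or the PH71756 interim fix is
    present) or 'out of scope' (a release line the advisory does not list).
    The interim-fix flag must come from the server's installed-fix list; the
    version string alone does not reveal it.
    """
    v = parse_version(version)
    for low, high, fix_pack in AFFECTED_RANGES:
        if low[:2] != v[:2]:
            continue                       # different release line (8.5 vs 9.0)
        if v >= parse_version(fix_pack):
            return "fixed"
        if low <= v <= high:
            return "fixed" if interim_fix_applied else "affected"
    return "out of scope"

# Constructed sample inventory: (host, reported version, PH71756 interim fix present)
SAMPLE_INVENTORY = [
    ("was-prod-01", "9.0.5.28", False),
    ("was-prod-02", "9.0.5.29", False),
    ("was-legacy-01", "8.5.5.30", True),
    ("was-legacy-02", "8.5.5.12", False),
]

def hosts_needing_action(inventory=SAMPLE_INVENTORY) -> List[str]:
    """Hosts that are inside an affected range with neither fix applied."""
    return [host for host, ver, fix in inventory if assess(ver, fix) == "affected"]

if __name__ == "__main__":
    for host, ver, fix in SAMPLE_INVENTORY:
        print(f"{host:14} {ver:10} interim_fix={fix!s:5} -> {assess(ver, fix)}")
```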

Generated by OpenCVE AI on June 30, 2026 at 21:24 UTC.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 20:15:00 +0000

Type | Values Removed | Values Added
Description | | IBM WebSphere Application Server 9.0 and 8.5 are affected by a cross-site scripting vulnerability in the administrative console help system.
Title | | IBM WebSphere Application Server is affected by a cross-site scripting vulnerability
First Time appeared | | Ibm; Ibm websphere Application Server
Weaknesses | | CWE-79
CPEs | | cpe:2.3:a:ibm:websphere_application_server:8.5.0:*:*:*:*:*:*:*; cpe:2.3:a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:*; cpe:2.3:a:ibm:websphere_application_server:9.0.0:*:*:*:*:*:*:*; cpe:2.3:a:ibm:websphere_application_server:9.0:*:*:*:*:*:*:*
Vendors & Products | | Ibm; Ibm websphere Application Server
References | |
Metrics | | cvssV3_1 {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-30T19:45:37.814Z

Reserved: 2026-06-09T00:06:18.153Z

Link: CVE-2026-11712

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T21:30:17Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')