Description
IBM Content Navigator 3.0.15, 3.1.0, and 3.2.0 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Published: 2026-04-02
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting that may expose credentials within a trusted session
Action: Patch
AI Analysis

Impact

IBM Content Navigator versions 3.0.15, 3.1.0, and 3.2.0 contain a cross‑site scripting flaw that lets an authenticated user embed arbitrary JavaScript into the web interface. This can alter the intended functionality and, because the code executes with the privileges of the logged‑in user, may lead to disclosure of credentials or other sensitive information. The flaw is catalogued as CWE‑79.

Affected Systems

The affected product is IBM Content Navigator. Vulnerable releases are 3.0.15, 3.1.0, and 3.2.0. No other version information is listed.

Risk and Exploitability

The CVSS score is 5.4, indicative of moderate severity, and the EPSS score is below 1%, suggesting a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to be an authenticated user with access to the application; the attack vector therefore is limited to authenticated session abuse and not to unauthenticated remote exploitation.

Generated by OpenCVE AI on April 8, 2026 at 21:29 UTC.

Remediation

Vendor Solution

Affected VersionsFixes3.0.15ICN 3.0.15 IF0093.1.0ICN 3.1.0 IF008 LA23.2.0ICN 3.2.0 IF004

OpenCVE Recommended Actions

  • Apply the IBM security fixes for each affected version – update IBM Content Navigator to the latest 3.0.15, 3.1.0, or 3.2.0 release, using the patch identifiers IF0093.1.0, IF008, and IF004 respectively.
  • Ensure that the updated version is in use across all instances of the application.
  • Verify that the applied update has disabled the vulnerable functionality by testing the web UI for correct rendering after the patch.

Generated by OpenCVE AI on April 8, 2026 at 21:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Ibm aix
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:ibm:content_navigator:3.0.15:-:*:*:*:*:*:*
cpe:2.3:a:ibm:content_navigator:3.1.0:-:*:*:*:*:*:*
cpe:2.3:a:ibm:content_navigator:3.2.0:-:*:*:*:*:*:*
cpe:2.3:o:ibm:aix:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Ibm aix
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Thu, 02 Apr 2026 01:00:00 +0000

Type Values Removed Values Added
Description IBM Content Navigator 3.0.15, 3.1.0, and 3.2.0 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Title IBM Content Navigator is affected by , a Cross-Site Scripting (XSS) vulnerability
First Time appeared Ibm
Ibm content Navigator
CPEs cpe:2.3:a:ibm:content_navigator:3.0.15:*:*:*:*:*:*:*
cpe:2.3:a:ibm:content_navigator:3.1.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:content_navigator:3.2.0:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm content Navigator
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Ibm Aix Content Navigator
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-04-02T13:49:12.514Z

Reserved: 2026-01-20T18:45:11.903Z

Link: CVE-2026-1243

cve-icon Vulnrichment

Updated: 2026-04-02T13:49:03.681Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T01:16:01.317

Modified: 2026-04-07T16:20:48.397

Link: CVE-2026-1243

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:29:23Z

Weaknesses