Description
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 allows certificate listings retrieved via a browser session to return a JSON payload while incorrectly specifying the response Content-Type as text/html. Because the content is delivered with an HTML MIME type, browsers may interpret the JSON data as executable script under certain conditions. This creates an opportunity for JavaScript injection, potentially leading to cross-site scripting (XSS).
Published: 2026-04-01
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS) via certificate listings endpoint
Action: Immediate Patch
AI Analysis

Impact

A mis‑described JSON response from the certificate listings endpoint in IBM Verify Identity Access and IBM Security Verify Access can be rendered by browsers as executable JavaScript. The vulnerability allows an attacker to inject arbitrary script when a user visits the affected page, leading to XSS. This does not compromise server privileges but can steal session cookies, bypass authentication, or deface the web interface.

Affected Systems

IBM Verify Identity Access versions 11.0 through 11.0.2 and IBM Security Verify Access versions 10.0 through 10.0.9.1, including their container variants, are affected. The specific affected builds are 11.0.2 for Verify Identity Access and 10.0.9.1 for Security Verify Access.

Risk and Exploitability

The CVSS base score of 5.4 indicates a medium impact. The EPSS score is under 1 %, suggesting a low probability of exploitation in the wild, and the vulnerability is not yet listed in the CISA KEV catalog. Despite these low exploitation metrics, the vulnerability can be exploited by a logged‑in or unauthenticated user who visits the certificate listings page, making it a client‑side XSS that is straightforward for a web browser to trigger.

Generated by OpenCVE AI on April 7, 2026 at 23:37 UTC.

Remediation

Vendor Solution

IBM encourages customers to update their systems promptly.   Appliance:  Affected Products and Versions Fix availability IBM Verify Identity Access 11.0 - 11.0.2 Download IBM Verify Identity Access v11.0.2 IF1 https://www.ibm.com/support/fixcentral/quickorder IBM Security Verify Access 10.0 - 10.0.9.1 Download IBM Security Verify Access v10.0.9.1 IF1 https://www.ibm.com/support/fixcentral/quickorder

OpenCVE Recommended Actions

  • Upgrade IBM Verify Identity Access to version 11.0.2 IF1 following the official IBM fix link.
  • Upgrade IBM Security Verify Access to version 10.0.9.1 IF1 following the official IBM fix link.
  • Restart affected services to apply the patches.
  • Confirm that the certificate listings endpoint now returns a Content‑Type of application/json instead of text/html.
  • For environments that cannot be patched immediately, consider blocking the certificate listings endpoint via web‑application firewall rules to prevent browsers from processing the response as executable code.

Generated by OpenCVE AI on April 7, 2026 at 23:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ibm:security_verify_access:*:*:*:*:*:*:*:*
cpe:2.3:a:ibm:security_verify_access_container:*:*:*:*:*:*:*:*
cpe:2.3:a:ibm:verify_identity_access:*:*:*:*:*:*:*:*
cpe:2.3:a:ibm:verify_identity_access_container:*:*:*:*:*:*:*:*

Thu, 02 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 allows certificate listings retrieved via a browser session to return a JSON payload while incorrectly specifying the response Content-Type as text/html. Because the content is delivered with an HTML MIME type, browsers may interpret the JSON data as executable script under certain conditions. This creates an opportunity for JavaScript injection, potentially leading to cross-site scripting (XSS).
Title Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Verify Access
First Time appeared Ibm
Ibm security Verify Access
Ibm security Verify Access Container
Ibm verify Identity Access
Ibm verify Identity Access Container
Weaknesses CWE-79
CPEs cpe:2.3:a:ibm:security_verify_access:10.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:security_verify_access:10.0.9.1:*:*:*:*:*:*:*
cpe:2.3:a:ibm:security_verify_access:10.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:security_verify_access_container:10.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:security_verify_access_container:10.0.9.1:*:*:*:*:*:*:*
cpe:2.3:a:ibm:security_verify_access_container:10.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:verify_identity_access:11.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:verify_identity_access:11.0.2:*:*:*:*:*:*:*
cpe:2.3:a:ibm:verify_identity_access:11.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:verify_identity_access_container:11.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:verify_identity_access_container:11.0.2:*:*:*:*:*:*:*
cpe:2.3:a:ibm:verify_identity_access_container:11.0:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm security Verify Access
Ibm security Verify Access Container
Ibm verify Identity Access
Ibm verify Identity Access Container
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Ibm Security Verify Access Security Verify Access Container Verify Identity Access Verify Identity Access Container
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-04-02T13:33:42.951Z

Reserved: 2026-03-17T20:40:47.401Z

Link: CVE-2026-4364

cve-icon Vulnrichment

Updated: 2026-04-02T13:30:05.812Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T21:17:02.620

Modified: 2026-04-07T16:34:49.050

Link: CVE-2026-4364

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:56:57Z

Weaknesses