CVE-2026-8633 - Vulnerability Details

- IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by multiple vulnerabilities when using when using Web Server Plug-ins

Description

IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0 IBM WebSphere Application Server and WebSphere Application Server Liberty are vulnerable to remote code execution in the Web Server Plug-ins, through a specially crafted request.

Published: 2026-05-26

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A specially crafted request to the Web Server Plug‑ins for IBM WebSphere Application Server and WebSphere Liberty can trigger remote code execution. The vulnerability is a form of code injection (CWE‑94) that allows an attacker to run arbitrary code with the privileges of the application server process. The weak input handling enables execution of malicious payloads, compromising confidentiality, integrity and availability of affected systems.

Affected Systems

IBM Web Server Plug‑ins for WebSphere Application Server (versions 8.5.0.0 through 8.5.5.29) and 9.0.0.0 through 9.0.5.27. The plug‑ins are used with both traditional WebSphere Application Server and Liberty editions, and the vulnerability exists in any deployment that employs these plug‑ins.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, and no EPSS value is available, suggesting the likelihood of exploitation is currently unclear. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to be remote, as the flaw is triggered by a specially crafted HTTP request to the plug‑in component. An attacker with network access to the server can exploit the flaw without authentication, resulting in full compromise of the application server.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

IBM

Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty

affected

Version	Status	Constraints
`8.5, 9.0`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:ibm:websphere_application_server:::::-:::*
	cpe:2.3:a:ibm:websphere_application_server:::::liberty:::*
	cpe:2.3:a:ibm:websphere_application_server:::::-:::*
	cpe:2.3:a:ibm:websphere_application_server:::::liberty:::*

No data.

Vendor Product Confidence Versions

Ibm

Web Server Plug Ins For Websphere Application Server And Websphere Liberty

95%

Version	Status	Scheme	Platform
`8.5`	affected	generic	—
`9.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by applying a currently available Web Server Plug-ins interim fix or fix pack that contains the fix for APAR PH71342. Web Server Plug-ins for IBM WebSphere Application Server (used with either WebSphere Application Server traditional or Liberty): For V9.0.0.0 through 9.0.5.27: · Upgrade to minimal fix pack levels as required by the interim fix and then apply the Web Server Plug-ins Interim Fix that resolves PH71342 https://www.ibm.com/support/pages/node/7273976 --OR-- · Apply Web Server Plug-ins Fix Pack 9.0.5.28 or later (targeted availability 2Q2026). For V8.5.0.0 through 8.5.5.29: · Upgrade to minimal fix pack levels as required by interim fix and then apply Web Server Plug-ins Interim Fix that resolves PH71342 https://www.ibm.com/support/pages/node/7273976 --OR-- · Apply Web Server Plug-ins Fix Pack 8.5.5.30 or later (targeted availability 3Q2026). Additional interim fixes may be available and linked off the interim fix download page.

OpenCVE Recommended Actions

Download and apply IBM’s Web Server Plug‑ins Interim Fix that resolves APAR PH71342 from the IBM support page, ensuring the system is first updated to the minimum required fix‑pack level.
Apply Web Server Plug‑ins Fix Pack 9.0.5.28 or later for 9.x servers, or 8.5.5.30 or later for 8.5.x servers, once the interim fix is available.
Configure network or firewall rules to restrict external access to the Web Server Plug‑ins interface until the patches are applied, mitigating the attack surface while the fix is pending.

Generated by OpenCVE AI on May 26, 2026 at 19:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00478.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://www.ibm.com/support/pages/node/7274072

History

Wed, 27 May 2026 18:15:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:2.3:a:ibm:websphere_application_server:8.5::::-::: cpe:2.3:a:ibm:websphere_application_server:8.5::::liberty::: cpe:2.3:a:ibm:websphere_application_server:9.0.0.0::::-::: cpe:2.3:a:ibm:websphere_application_server:9.0.0.0::::liberty:::	cpe:2.3:a:ibm:websphere_application_server:::::-:::* cpe:2.3:a:ibm:websphere_application_server:::::liberty:::*

Wed, 27 May 2026 17:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Ibm websphere Application Server
CPEs		cpe:2.3:a:ibm:websphere_application_server:8.5::::-::: cpe:2.3:a:ibm:websphere_application_server:8.5::::liberty::: cpe:2.3:a:ibm:websphere_application_server:9.0.0.0::::-::: cpe:2.3:a:ibm:websphere_application_server:9.0.0.0::::liberty:::
Vendors & Products		Ibm websphere Application Server

Wed, 27 May 2026 13:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 26 May 2026 18:00:00 +0000

Type	Values Removed	Values Added
Description		IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0 IBM WebSphere Application Server and WebSphere Application Server Liberty are vulnerable to remote code execution in the Web Server Plug-ins, through a specially crafted request.
Title		IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by multiple vulnerabilities when using when using Web Server Plug-ins
First Time appeared		Ibm Ibm web Server Plug Ins For Websphere Application Server And Websphere Liberty
Weaknesses		CWE-94
CPEs		cpe:2.3:a:ibm:web_server_plug_ins_for_websphere_application_server_and_websphere_liberty:8.5.0:::::::* cpe:2.3:a:ibm:web_server_plug_ins_for_websphere_application_server_and_websphere_liberty:8.5:::::::*
Vendors & Products		Ibm Ibm web Server Plug Ins For Websphere Application Server And Websphere Liberty
References		https://www.ibm.com/support/pages/node/7274072
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Ibm Web Server Plug Ins For Websphere Application Server And Websphere Liberty Websphere Application Server

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2026-05-26T17:19:55.470Z

Updated: 2026-05-27T11:55:40.403Z

Reserved: 2026-05-14T19:03:34.571Z

Link: CVE-2026-8633

Vulnrichment

Updated: 2026-05-27T11:55:36.625Z

NVD

Status : Analyzed

Published: 2026-05-26T18:16:56.513

Modified: 2026-05-27T18:12:04.373

Link: CVE-2026-8633

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T22:15:17Z

Weaknesses

CWE-94
Improper Control of Generation of Code ('Code Injection')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object