Description
IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to remote code execution and denial of service in the WebSphere Web Server Plug-in component. This vulnerability can be exploited when an attacker impersonates the application server and sends crafted responses to the plug-in.
Published: 2026-06-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WebSphere Web Server Plug‑in component is vulnerable to remote code execution and denial of service when an attacker impersonates the application server and sends crafted responses to the plug‑in. This flaw allows the attacker to run arbitrary code on the IBM i system and disrupt the availability of the affected services.

Affected Systems

IBM i releases 7.3, 7.4, 7.5 and 7.6, together with IBM WebSphere Application Server and IBM WebSphere Application Server Liberty, are affected. The official fix is distributed as PTF 7.6SJ10122 for release 7.6, PTF 7.5SJ10121 for release 7.5, SJ10120 for release 7.4 and PTF 7.3SJ10119 for release 7.3. Users of unsupported or older versions are strongly advised to upgrade to a supported, patched version of the product.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity. The EPSS score of 0.0026 (0.26%) signals a very low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog, implying no documented exploits to date. The attack is believed to be remotely attainable through network access to the WebSphere Web Server Plug‑in, where an attacker can impersonate the application server. Because the flaw permits arbitrary code execution, the risk to confidentiality, integrity and availability remains considerable if exploited.

Generated by OpenCVE AI on June 24, 2026 at 21:17 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by applying a currently available Web Server Plug-ins interim fix or fix pack that contains the fix for APAR PH71376.   Web Server Plug-ins for IBM WebSphere Application Server (used with either WebSphere Application Server traditional or Liberty): For V9.0.0.0 through 9.0.5.27: · Upgrade to minimal fix pack levels as required by the interim fix and then apply the Web Server Plug-ins Interim Fix that resolves  PH71376 https://www.ibm.com/support/pages/node/7273976 --OR-- · Apply Fix Pack 9.0.5.28 or later (targeted availability 2Q2026).   For V8.5.0.0 through 8.5.5.29: · Upgrade to minimal fix pack levels as required by interim fix and then apply Web Server Plug-ins Interim Fix that resolves  PH71376 https://www.ibm.com/support/pages/node/7273976 --OR-- · Apply Fix Pack 8.5.5.30 or later (targeted availability 3Q2026).


OpenCVE Recommended Actions

  • Apply the IBM i PTF patches 7.6SJ10122, 7.5SJ10121, 7.4SJ10120 or 7.3SJ10119, whichever corresponds to the installed release.
  • Restrict inbound network access to the WebSphere Web Server Plug‑in component using firewalls or network segmentation so that only trusted hosts can communicate with it.
  • Monitor for anomalous network traffic and system behavior that might indicate exploitation attempts, and review system logs regularly for signs of sabotage or unauthorized activity.

Generated by OpenCVE AI on June 24, 2026 at 21:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Jul 2026 20:30:00 +0000

Type Values Removed Values Added
Title WebSphere Application Server is Affected By Denial of Service, HTTP Request Smuggling, and Remote Code Execution Vulnerabilities in IBM WebSphere Application Server Liberty [, , , , ] WebSphere Application Server Remote Code Execution
First Time appeared Ibm websphere Application Server
CPEs cpe:2.3:a:ibm:i:7.3.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.3:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.4.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.4:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.5.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.5:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.6.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.6:*:*:*:*:*:*:*
cpe:2.3:a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:*
cpe:2.3:a:ibm:websphere_application_server:9.0:*:*:*:*:*:*:*
Vendors & Products Ibm websphere Application Server
References

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description IBM i 7.6, 7.5, 7.4, and 7.3, IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to remote code execution and denial of service in the WebSphere Web Server Plug-in component. This vulnerability can be exploited when an attacker impersonates the application server and sends crafted responses to the plug-in. IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to remote code execution and denial of service in the WebSphere Web Server Plug-in component. This vulnerability can be exploited when an attacker impersonates the application server and sends crafted responses to the plug-in.
Title IBM i is Affected By Denial of Service, HTTP Request Smuggling, and Remote Code Execution Vulnerabilities in IBM WebSphere Application Server Liberty [, , , , ] WebSphere Application Server is Affected By Denial of Service, HTTP Request Smuggling, and Remote Code Execution Vulnerabilities in IBM WebSphere Application Server Liberty [, , , , ]

Tue, 23 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description IBM i 7.6, 7.5, 7.4, and 7.3, IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to remote code execution and denial of service in the WebSphere Web Server Plug-in component. This vulnerability can be exploited when an attacker impersonates the application server and sends crafted responses to the plug-in.
Title IBM i is Affected By Denial of Service, HTTP Request Smuggling, and Remote Code Execution Vulnerabilities in IBM WebSphere Application Server Liberty [, , , , ]
First Time appeared Ibm
Ibm i
Weaknesses CWE-94
CPEs cpe:2.3:a:ibm:i:7.3.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.3:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.4.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.4:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.5.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.5:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.6.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.6:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm i
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Ibm I Websphere Application Server
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-07-09T19:54:33.016Z

Reserved: 2026-05-18T18:06:05.131Z

Link: CVE-2026-8858

cve-icon Vulnrichment

Updated: 2026-06-23T18:48:08.374Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T21:30:04Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')