Description
IBM WebSphere Application Server and IBM WebSphere Application Server Liberty - when using Intelligent Management with the WebSphere WebServer Plug-in component - are vulnerable to remote code execution and denial of service. This vulnerability can be exploited when an attacker impersonates backend servers and sends crafted responses to the plug-in.
Published: 2026-06-22
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to send crafted responses to the WebSphere WebServer Plug‑in when Intelligent Management is enabled. By impersonating backend servers the attacker can cause the plug‑in to execute arbitrary code or trigger a denial of service. This results in remote code execution and availability loss on the IBM i platform running IBM WebSphere Application Server or Liberty. The weakness corresponds to code injection (CWE‑94) and could compromise confidentiality, integrity and availability of affected systems.

Affected Systems

IBM i 7.6, 7.5, 7.4, and 7.3, together with IBM WebSphere Application Server and the Liberty profile that use the Intelligent Management WebServer Plug‑in component, are impacted. The applicable PTFs (SJ10122, SJ10121, SJ10120, SJ10119) target these specific platform releases. Any installation of these versions without the corresponding fix is considered vulnerable. Unsupported versions that still use the plug‑in should also be upgraded to a supported release.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. The EPSS score of < 1% and the vulnerability is not listed in CISA’s KEV catalog, suggesting no confirmed exploitation in the wild yet. Nonetheless, the attack vector requires only a remote attacker who can communicate with the vulnerable plug‑in to send forged responses. Because the vulnerability can lead to remote code execution, the risk remains high for environments that expose the plug‑in to external networks.

Generated by OpenCVE AI on June 24, 2026 at 20:22 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by applying a currently available Web Server Plug-ins interim fix or fix pack that contains the fix for APAR PH71376.   Web Server Plug-ins for IBM WebSphere Application Server (used with either WebSphere Application Server traditional or Liberty): For V9.0.0.0 through 9.0.5.27: · Upgrade to minimal fix pack levels as required by the interim fix and then apply the Web Server Plug-ins Interim Fix that resolves  PH71376 https://www.ibm.com/support/pages/node/7273976 --OR-- · Apply Fix Pack 9.0.5.28 or later (targeted availability 2Q2026).   For V8.5.0.0 through 8.5.5.29: · Upgrade to minimal fix pack levels as required by interim fix and then apply Web Server Plug-ins Interim Fix that resolves  PH71376 https://www.ibm.com/support/pages/node/7273976 --OR-- · Apply Fix Pack 8.5.5.30 or later (targeted availability 3Q2026).


OpenCVE Recommended Actions

  • Apply the published PTFs (SJ10122, SJ10121, SJ10120, SJ10119) for the IBM i version in use.
  • If running an unsupported version of the affected IBM WebSphere Application Server or Liberty, upgrade to a supported, fixed version.
  • If patching is delayed, disable or remove the Intelligent Management WebServer Plug‑in component until a fix can be applied.

Generated by OpenCVE AI on June 24, 2026 at 20:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Jul 2026 20:30:00 +0000

Type Values Removed Values Added
Title WebSphere Application Server is Affected By Denial of Service, HTTP Request Smuggling, and Remote Code Execution Vulnerabilities in IBM WebSphere Application Server Liberty [, , , , ] WebSphere Application Server Remote Code Execution
First Time appeared Ibm websphere Application Server
CPEs cpe:2.3:a:ibm:i:7.3.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.3:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.4.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.4:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.5.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.5:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.6.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.6:*:*:*:*:*:*:*
cpe:2.3:a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:*
cpe:2.3:a:ibm:websphere_application_server:9.0:*:*:*:*:*:*:*
Vendors & Products Ibm websphere Application Server
References

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description IBM i 7.6, 7.5, 7.4, and 7.3, IBM WebSphere Application Server, and IBM WebSphere Application Server Liberty - when using Intelligent Management with the WebSphere WebServer Plug-in component - are vulnerable to remote code execution and denial of service. This vulnerability can be exploited when an attacker impersonates backend servers and sends crafted responses to the plug-in. IBM WebSphere Application Server and IBM WebSphere Application Server Liberty - when using Intelligent Management with the WebSphere WebServer Plug-in component - are vulnerable to remote code execution and denial of service. This vulnerability can be exploited when an attacker impersonates backend servers and sends crafted responses to the plug-in.
Title IBM i is Affected By Denial of Service, HTTP Request Smuggling, and Remote Code Execution Vulnerabilities in IBM WebSphere Application Server Liberty [, , , , ] WebSphere Application Server is Affected By Denial of Service, HTTP Request Smuggling, and Remote Code Execution Vulnerabilities in IBM WebSphere Application Server Liberty [, , , , ]

Mon, 22 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description IBM i 7.6, 7.5, 7.4, and 7.3, IBM WebSphere Application Server, and IBM WebSphere Application Server Liberty - when using Intelligent Management with the WebSphere WebServer Plug-in component - are vulnerable to remote code execution and denial of service. This vulnerability can be exploited when an attacker impersonates backend servers and sends crafted responses to the plug-in.
Title IBM i is Affected By Denial of Service, HTTP Request Smuggling, and Remote Code Execution Vulnerabilities in IBM WebSphere Application Server Liberty [, , , , ]
First Time appeared Ibm
Ibm i
Weaknesses CWE-94
CPEs cpe:2.3:a:ibm:i:7.3.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.3:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.4.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.4:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.5.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.5:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.6.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:i:7.6:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm i
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Ibm I Websphere Application Server
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-07-09T19:54:37.565Z

Reserved: 2026-05-20T11:11:47.376Z

Link: CVE-2026-9072

cve-icon Vulnrichment

Updated: 2026-06-22T17:49:10.115Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:30:04Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')