Description
IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service and a potential remote code execution due to improper input validation.
Published: 2026-05-26
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM HTTP Server 8.5 and 9.0 are vulnerable to denial of service and potential remote code execution due to improper input validation. The flaw, tracked by IBM as APAR PH71265 and classified as CWE‑94, permits an attacker to send specially crafted HTTP requests that can crash the server or lead to execution of arbitrary code. The CVSS score of 9.8 indicates a severe risk, though the advisory does not enumerate all possible impact scenarios.

Affected Systems

All IBM HTTP Server installations in the 8.5.x series from 8.5.0.0 through 8.5.5.29 and the 9.0.x series from 9.0.0.0 through 9.0.5.28, including those bundled with IBM WebSphere Application Server, are affected. The advisory applies across all operating system platforms supported by these server versions.

Risk and Exploitability

The CVSS score of 9.8 marks the issue as critical, while the EPSS score of <1% indicates a very low but non‑zero exploitation likelihood. It is not listed in CISA’s KEV catalog, which means no in‑the‑wild exploitation has been recorded there, not that no exploit exists. The likely attack vector is remote, unauthenticated HTTP traffic directed at the exposed server, especially if the service is reachable from untrusted networks. Where the server is exposed to the internet, the risk is elevated because of the potential for remote code execution and denial of service.

Generated by OpenCVE AI on June 11, 2026 at 21:19 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71265.

For IBM HTTP Server used by IBM WebSphere Application Server:

For V9.0.0.0 through 9.0.5.28:
  • Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71265: https://www.ibm.com/support/pages/node/7239806
  --OR--
  • Apply Fix Pack 9.0.5.29 or later (targeted availability 3Q2026).

For V8.5.0.0 through 8.5.5.29:
  • Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71265: https://www.ibm.com/support/pages/node/7239806
  --OR--
  • Apply Fix Pack 8.5.5.30 or later (targeted availability 3Q2026).

Additional interim fixes may be available and linked off the interim fix download page.

Important Note: IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.


OpenCVE Recommended Actions

  • Apply the IBM interim fix PH71265 for IBM HTTP Server, ensuring that any required minimal fix‑pack level is satisfied before installation.
  • Alternatively, upgrade to Fix Pack 9.0.5.29 or later for the 9.x line, or to Fix Pack 8.5.5.30 or later for the 8.5.x line when they become available.
  • If an interim patch or upgrade cannot be applied immediately, limit the IBM HTTP Server’s exposure to trusted networks by configuring firewall rules or network segmentation to restrict access to the vulnerable interfaces.



Advisories

No advisories yet.

History

Thu, 11 Jun 2026 14:15:00 +0000

Description
  Removed: IBM HTTP Server 8.5, and 9.0
  Added: IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service and a potential remote code execution due to improper input validation.

Wed, 27 May 2026 18:30:00 +0000

Metrics
  Removed: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N'}
  Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
  Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 27 May 2026 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ibm:http_server:8.5.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:http_server:9.0.0.0:*:*:*:*:*:*:*

Wed, 27 May 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-444
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 14:15:00 +0000

Description
  Removed: IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0 IBM WebSphere Application Server and WebSphere Application Server Liberty are vulnerable to denial of service and a potential remote code execution due to improper input validation.
  Added: IBM HTTP Server 8.5, and 9.0
Title
  Removed: IBM WebSphere Application Server and WebSphere Application Server Liberty are affected DOS and RCE.
  Added: IBM HTTP Server is affected by multiple vulnerabilities
First Time appeared Ibm http Server
Weaknesses CWE-94
CPEs cpe:2.3:a:ibm:web_server_plug_ins_for_websphere_application_server_and_websphere_liberty:8.5.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:web_server_plug_ins_for_websphere_application_server_and_websphere_liberty:8.5:*:*:*:*:*:*:*
cpe:2.3:a:ibm:http_server:8.5.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:http_server:8.5:*:*:*:*:*:*:*
cpe:2.3:a:ibm:http_server:9.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:http_server:9.0:*:*:*:*:*:*:*
Vendors & Products Ibm http Server
References

Tue, 26 May 2026 18:00:00 +0000

Initial record (all values added)
Description: IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0 IBM WebSphere Application Server and WebSphere Application Server Liberty are vulnerable to denial of service and a potential remote code execution due to improper input validation.
Title: IBM WebSphere Application Server and WebSphere Application Server Liberty are affected DOS and RCE.
First Time appeared: Ibm; Ibm web Server Plug Ins For Websphere Application Server And Websphere Liberty
Weaknesses: CWE-444
CPEs:
  cpe:2.3:a:ibm:web_server_plug_ins_for_websphere_application_server_and_websphere_liberty:8.5.0:*:*:*:*:*:*:*
  cpe:2.3:a:ibm:web_server_plug_ins_for_websphere_application_server_and_websphere_liberty:8.5:*:*:*:*:*:*:*
Vendors & Products: Ibm; Ibm web Server Plug Ins For Websphere Application Server And Websphere Liberty
References
Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-11T14:03:44.285Z

Reserved: 2026-05-21T14:32:03.337Z

Link: CVE-2026-9170

Vulnrichment

Updated: 2026-05-27T13:58:06.591Z

NVD

Status : Modified

Published: 2026-05-26T18:16:57.987

Modified: 2026-06-11T14:16:33.060

Link: CVE-2026-9170

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T21:30:05Z

Weaknesses
  • CWE-94: Improper Control of Generation of Code ('Code Injection')