Skip to main content

IBM Cognos Analytics CVE-2025-36126

| EUVDEUVD-2025-209930 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-26 ibm GHSA-36w6-vpxm-3r3c
6.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 12:31 vuln.today

DescriptionCVE.org

IBM Cognos Analytics 11.2.0, 12.0, and 12.1.0 and IBM Cognos Transformer 12.0, 11.2.4, and 12.1.0 is vulnerable to stored cross-site scripting (XSS) in Cognos Adminstration. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

AnalysisAI

Stored cross-site scripting in IBM Cognos Analytics and Cognos Transformer's Administration interface allows an authenticated low-privileged user to inject persistent JavaScript payloads into the Web UI, which then execute in the browser sessions of other users - including higher-privileged administrators - potentially leading to credential theft or session hijacking. Affected are Cognos Analytics versions 11.2.0, 12.0, and 12.1.0, and Cognos Transformer versions 11.2.4, 12.0, and 12.1.0. No public exploit identified at time of analysis, and the EPSS score of 0.03% (8th percentile) combined with SSVC exploitation status of 'none' indicates very low observed exploitation pressure.

Technical ContextAI

CWE-79 (Improper Neutralization of Input During Web Page Generation) covers failures to sanitize user-supplied input before it is rendered in HTML contexts. In this case, the Cognos Administration web interface - part of IBM's enterprise business intelligence platform - does not adequately encode or escape user-controlled data before persisting and re-rendering it. The CVSS Scope:Changed indicator confirms the vulnerability crosses a security boundary: the attacker's injected payload executes in the security context of a different user's browser session, not just their own. CPE strings cpe:2.3:a:ibm:cognos_analytics and cpe:2.3:a:ibm:cognos_transformer identify both products as affected across multiple major versions. The stored nature of the XSS (as opposed to reflected) means the payload persists server-side and activates on every subsequent page load by any user viewing the compromised admin view, amplifying potential victims without further attacker interaction.

RemediationAI

IBM has released a patch per the vendor advisory at https://www.ibm.com/support/pages/node/7272628 - organizations should consult that page for exact fix versions and apply the appropriate update for their Cognos Analytics or Cognos Transformer release line. The advisory should be reviewed to confirm whether fixes are available for all listed branches (11.2.x, 12.0, 12.1.0) or only select versions. Until patching is complete, compensating controls include restricting write access to Cognos Administration to only the minimum required set of users, enabling audit logging on administrative UI actions to detect anomalous JavaScript injection attempts, and enforcing Content Security Policy (CSP) headers if configurable at the web server or reverse proxy layer - noting that CSP may interfere with legitimate Cognos JavaScript functionality and should be tested carefully. Network-level controls limiting Cognos Administration access to trusted internal segments reduce the reachable attacker surface but do not eliminate insider threat scenarios.

CVE-2022-38708 CRITICAL
9.1 Dec 19

IBM Cognos Analytics 11.1.7 11.2.0, and 11.2.1 could be vulnerable to a Server-Side Request Forgery Attack (SSRF) attack

CVE-2020-4377 CRITICAL
9.1 Aug 03

IBM Cognos Anaytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML dat

CVE-2019-4178 CRITICAL
9.1 Apr 15

IBM Cognos Analytics 11 could allow a remote attacker to traverse directories on the system. Rated critical severity (CV

CVE-2024-51466 CRITICAL
9.0 Dec 20

IBM Cognos Analytics 11.2.0 through 11.2.4 FP4 and 12.0.0 through 12.0.4 is vulnerable to an Expression Language (EL) In

CVE-2021-29756 HIGH
8.8 Dec 03

IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to cross-site request forgery (CSRF) in the My Inbox page which cou

CVE-2021-29745 HIGH
8.8 Oct 15

IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to priviledge escalation where a lower evel user could have access

CVE-2021-29679 HIGH
8.8 Oct 15

IBM Cognos Analytics 11.1.7 and 11.2.0 could allow an authenticated user to execute code remotely due to incorrectly neu

CVE-2024-25047 HIGH
8.6 May 02

IBM Cognos Analytics 11.2.0 through 11.2.4 and 12.0.0 through 12.0.2 is vulnerable to injection attacks in application l

CVE-2020-4388 HIGH
8.2 Oct 12

IBM Cognos Analytics 11.0 and 11.1 could be vulnerable to a denial of service attack by failing to catch exceptions in a

CVE-2022-36773 HIGH
8.1 Sep 01

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to an XML External Entity Injection (XXE) attack when proc

CVE-2024-40695 HIGH
8.0 Dec 20

IBM Cognos Analytics 11.2.0 through 11.2.4 FP4 and 12.0.0 through 12.0.4 could be vulnerable to malicious file upload by

CVE-2020-4302 HIGH
7.8 Oct 12

IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to execute arbitrary code on the system, caused by a CS

Share

CVE-2025-36126 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy