Skip to main content

IBM watsonx.data CVE-2025-36320

| EUVDEUVD-2025-210382 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-30 ibm GHSA-4w8v-rh82-h7w8
6.4
CVSS 3.1 · Vendor: ibm
Share

Severity by source

Vendor (ibm) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Stored XSS requires a victim to load the affected page (UI:R); PR:L reflects mandatory prior authentication; scope changes to victim sessions.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (ibm).

CVSS VectorVendor: ibm

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 30, 2026 - 21:20 vuln.today

DescriptionCVE.org

IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

AnalysisAI

Stored cross-site scripting in IBM watsonx.data intelligence versions 5.2.0 through 5.3.0 allows authenticated low-privileged users to inject persistent JavaScript into the Web UI, which then executes within the browser sessions of other authenticated users visiting the affected page. The CVSS scope change (S:C) confirms the payload crosses the security boundary from the attacker's session into victims' sessions, enabling credential harvesting within trusted contexts. No public exploit code or CISA KEV listing has been identified at time of analysis, but the stored and persistent nature of the injection elevates operational impact beyond what the 6.4 base score alone conveys.

Technical ContextAI

IBM watsonx.data intelligence is an enterprise data lakehouse platform combining data management, governance, and AI workloads. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning the application fails to adequately sanitize or encode user-supplied input before persisting and re-rendering it as HTML or JavaScript in the Web UI. The CPE string cpe:2.3:a:ibm:watsonx.data_intelligence:*:*:*:*:*:*:*:* covers all sub-versions within the 5.2.0-5.3.0 range. Stored XSS is architecturally more dangerous than reflected XSS because the malicious payload survives server-side and executes for every victim who loads the compromised page, without requiring the attacker to re-deliver or socially engineer each target individually.

RemediationAI

Apply the vendor-released patch per IBM's security advisory at https://www.ibm.com/support/pages/node/7277801; the exact fixed version number is not independently confirmed in the available data beyond 'patch available from vendor' - verify the target upgrade version directly from the advisory before deploying. As an interim compensating control prior to patching, restrict access to the watsonx.data intelligence Web UI to trusted internal network segments or require VPN, reducing the pool of potential attackers to those already holding network access. Additionally, deploying a strict Content Security Policy (CSP) header on the Web UI can limit JavaScript execution from injected payloads; note that CSP bypass techniques exist and this measure reduces but does not eliminate risk, and must not substitute for patching.

Share

CVE-2025-36320 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy