Skip to main content

IBM WebSphere Application Server CVE-2026-11595

| EUVDEUVD-2026-40398 HIGH
Path Traversal (CWE-22)
2026-06-30 psirt@us.ibm.com GHSA-4qvc-jg4j-cv44
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated remote read via a console help endpoint (AV:N/AC:L/PR:N/UI:N) causing file disclosure only, so C:H with I:N/A:N and unchanged scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

6
Analysis Updated
Jul 02, 2026 - 18:30 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 02, 2026 - 18:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 02, 2026 - 18:22 vuln.today
cvss_changed
Severity Changed
Jul 02, 2026 - 18:22 NVD
MEDIUM HIGH
CVSS changed
Jul 02, 2026 - 18:22 NVD
4.3 (MEDIUM) 7.5 (HIGH)
Analysis Generated
Jun 30, 2026 - 20:37 vuln.today

DescriptionNVD

IBM WebSphere Application Server 9.0, and 8.5 could allow a remote attacker to obtain sensitive information from the administrative console's integrated help system.

AnalysisAI

Directory traversal (CWE-22) in the administrative console's integrated help system of IBM WebSphere Application Server (traditional) 8.5 and 9.0 lets remote attackers read sensitive files outside the intended help-content directory, disclosing confidential information. CVSS 7.5 reflects unauthenticated network reach with high confidentiality impact but no integrity or availability effect. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach admin console over network
Delivery
Request help system with traversal payload
Exploit
Escape help content directory
Execution
Read arbitrary server-readable file
Impact
Exfiltrate sensitive information

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to the WebSphere Application Server administrative (ISC) console and specifically its integrated help system endpoint on an affected traditional build (9.0 or 8.5). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are internally consistent and point to a real but non-urgent priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the WebSphere administrative console over the network sends a crafted request to the integrated help system containing directory-traversal sequences, causing the server to return the contents of a file outside the help-content directory (for example a configuration or credential-bearing file readable by the server process). Because the CVSS vector is AV:N/AC:L/PR:N/UI:N, no authentication or user interaction is required once the endpoint is reachable; no public proof-of-concept has been identified at time of analysis.
Remediation Apply the fix from IBM's official advisory at https://www.ibm.com/support/pages/node/7278590, which for WebSphere traditional is typically delivered as an interim fix (APAR/PTF) or a cumulative Fix Pack for the 8.5.5.x and 9.0.5.x streams; the specific patched Fix Pack/iFix identifier is provided in that advisory and should be applied per your maintenance stream, as no exact fix version is given in the source data here. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and inventory all WAS 8.5 and 9.0 instances; restrict administrative console network access to internal-trusted networks only using firewall or load-balancer rules. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2019-4279 CRITICAL POC
9.8 May 17

IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with

CVE-2015-1920 CRITICAL
10.0 May 20

IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.47, 7.0 before 7.0.0.39, 8.0 before 8.0.0.11, and 8.5 before 8.

CVE-2013-1777 CRITICAL
10.0 Jul 11

The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Co

CVE-2012-5955 CRITICAL
10.0 Dec 20

Unspecified vulnerability in the IBM HTTP Server component 5.3 in IBM WebSphere Application Server (WAS) for z/OS allows

CVE-2018-1770 MEDIUM POC
6.5 Oct 12

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the sys

CVE-2016-5983 HIGH
7.5 Oct 05

IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before 8.0.0.13, 8.5 before 8.5.5.11, 9.0 before 9.0.0.2

CVE-2013-0462 CRITICAL
10.0 Jan 27

Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.1, 7.0 before 7.0.0.27, 8.0, and 8.5 has unknown i

CVE-2026-11541 CRITICAL
9.8 Jun 30

HTTP request smuggling in IBM WebSphere Application Server (traditional 8.5 and 9.0) and WebSphere Liberty (17.0.0.3 thr

CVE-2026-11546 CRITICAL
9.8 Jun 30

Server-side request forgery in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.7) lets remote unauthen

CVE-2026-11714 CRITICAL
9.8 Jun 30

Server-side request forgery in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.7) lets remote, unauthe

CVE-2023-23477 CRITICAL
9.8 Feb 03

IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the

CVE-2020-4589 CRITICAL
9.8 Aug 13

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the s

Share

CVE-2026-11595 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy