Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Reflected/stored XSS needs a privileged admin to view the payload (UI:R) and realistically yields only limited session-scoped confidentiality/integrity impact (C:L/I:L), with scope change as script crosses into the admin context.
Primary rating from Vendor (us).
CVSS VectorVendor: us
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
IBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the administrative console's integrated help system.
AnalysisAI
Cross-site scripting in IBM WebSphere Application Server 9.0 and 8.5 lets an attacker inject malicious script into the administrative console's integrated help system, which then executes in the browser of an administrator who views the affected page. Successful exploitation can hijack the admin session or perform actions in the console UI context. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation targets the administrative console's integrated help system in WebSphere Application Server 9.0 or 8.5, and requires that a privileged administrator view the attacker-influenced help content - the CVSS UI:R flag confirms required user interaction, which is the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N) yields a 9.3 'Critical' score, but that rating is unusually high for a console help-system XSS and warrants scrutiny: the C:H/I:H impact ratings are aggressive for reflected/stored XSS, where realistic impact is typically limited to the victim admin's session (low confidentiality/integrity). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious input or link that, when processed by the administrative console's help system, injects JavaScript that executes in the browser of a logged-in WebSphere administrator who views the affected help page. Because the script runs in the privileged console context, it could steal the admin's session token or issue console requests on the admin's behalf. … |
| Remediation | Apply the vendor remediation described in IBM's advisory at https://www.ibm.com/support/pages/node/7278590; the input does not specify an exact patched fixpack version, so this is best characterized as a patch available per vendor advisory - confirm the precise interim fix or fixpack level (for the 9.0 and 8.5 streams) directly from that page rather than assuming a version number. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Conduct an inventory of all systems running WebSphere 9.0 and 8.5; implement network-level access controls restricting administrative console access to trusted administrative networks only; enable enhanced audit logging for all administrative console activity. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Websphere Application Server
View allIBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with
IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.47, 7.0 before 7.0.0.39, 8.0 before 8.0.0.11, and 8.5 before 8.
The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Co
Unspecified vulnerability in the IBM HTTP Server component 5.3 in IBM WebSphere Application Server (WAS) for z/OS allows
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the sys
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before 8.0.0.13, 8.5 before 8.5.5.11, 9.0 before 9.0.0.2
Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.1, 7.0 before 7.0.0.27, 8.0, and 8.5 has unknown i
HTTP request smuggling in IBM WebSphere Application Server (traditional 8.5 and 9.0) and WebSphere Liberty (17.0.0.3 thr
Server-side request forgery in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.7) lets remote unauthen
Server-side request forgery in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.7) lets remote, unauthe
IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the s
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40397
GHSA-6r45-rmg6-v6j9