Skip to main content

IBM CVE-2026-4364

| EUVDEUVD-2026-18067 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-01 ibm GHSA-crwf-9ph9-47f8
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
EUVD ID Assigned
Apr 01, 2026 - 21:00 euvd
EUVD-2026-18067
Analysis Generated
Apr 01, 2026 - 21:00 vuln.today
Patch released
Apr 01, 2026 - 21:00 nvd
Patch available
CVE Published
Apr 01, 2026 - 20:34 nvd
MEDIUM 5.4

DescriptionCVE.org

IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 allows certificate listings retrieved via a browser session to return a JSON payload while incorrectly specifying the response Content-Type as text/html. Because the content is delivered with an HTML MIME type, browsers may interpret the JSON data as executable script under certain conditions. This creates an opportunity for JavaScript injection, potentially leading to cross-site scripting (XSS).

AnalysisAI

IBM Verify Identity Access Container and IBM Security Verify Access versions 10.0-10.0.9.1 and 11.0-11.0.2 return JSON payloads with incorrect Content-Type headers (text/html instead of application/json) when listing certificates via browser sessions, enabling stored or reflected cross-site scripting attacks when browsers interpret the JSON data as executable script. Authenticated users with UI interaction can trigger JavaScript injection affecting confidentiality and integrity of user sessions.

Technical ContextAI

The vulnerability stems from Content-Type header mismatch (CWE-79: Improper Neutralization of Input During Web Page Generation), a subset of XSS. IBM's identity and access management products expose a certificate listing endpoint that generates valid JSON responses but labels them with the HTML MIME type. Modern browsers apply content-sniffing heuristics and MIME-type-based script execution policies; when JSON containing untrusted or user-controlled data is served as text/html, the JSON structure itself can be interpreted as JavaScript (particularly in older browsers or those with permissive parsing). The affected products span both containerized (Container) and traditional deployment models (non-Container) of IBM Verify Identity Access (versions 11.0-11.0.2) and IBM Security Verify Access (versions 10.0-10.0.9.1), as indicated by the four CPE strings covering both product lines and version ranges.

RemediationAI

Patch available per vendor advisory: update IBM Verify Identity Access Container to version 11.0.3 or later and IBM Security Verify Access Container to version 10.0.10 or later; similarly, update non-containerized deployments of IBM Verify Identity Access to 11.0.3 or later and IBM Security Verify Access to 10.0.10 or later. The fix involves correcting the Content-Type header from text/html to application/json for certificate listing endpoints. Consult the vendor advisory at https://www.ibm.com/support/pages/node/7268253 for detailed patch availability and deployment guidance. As a temporary workaround pending patching, restrict access to certificate listing endpoints to trusted networks or implement web application firewall rules to enforce correct Content-Type headers on responses from affected endpoints.

Share

CVE-2026-4364 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy