Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 allows certificate listings retrieved via a browser session to return a JSON payload while incorrectly specifying the response Content-Type as text/html. Because the content is delivered with an HTML MIME type, browsers may interpret the JSON data as executable script under certain conditions. This creates an opportunity for JavaScript injection, potentially leading to cross-site scripting (XSS).
AnalysisAI
IBM Verify Identity Access Container and IBM Security Verify Access versions 10.0-10.0.9.1 and 11.0-11.0.2 return JSON payloads with incorrect Content-Type headers (text/html instead of application/json) when listing certificates via browser sessions, enabling stored or reflected cross-site scripting attacks when browsers interpret the JSON data as executable script. Authenticated users with UI interaction can trigger JavaScript injection affecting confidentiality and integrity of user sessions.
Technical ContextAI
The vulnerability stems from Content-Type header mismatch (CWE-79: Improper Neutralization of Input During Web Page Generation), a subset of XSS. IBM's identity and access management products expose a certificate listing endpoint that generates valid JSON responses but labels them with the HTML MIME type. Modern browsers apply content-sniffing heuristics and MIME-type-based script execution policies; when JSON containing untrusted or user-controlled data is served as text/html, the JSON structure itself can be interpreted as JavaScript (particularly in older browsers or those with permissive parsing). The affected products span both containerized (Container) and traditional deployment models (non-Container) of IBM Verify Identity Access (versions 11.0-11.0.2) and IBM Security Verify Access (versions 10.0-10.0.9.1), as indicated by the four CPE strings covering both product lines and version ranges.
RemediationAI
Patch available per vendor advisory: update IBM Verify Identity Access Container to version 11.0.3 or later and IBM Security Verify Access Container to version 10.0.10 or later; similarly, update non-containerized deployments of IBM Verify Identity Access to 11.0.3 or later and IBM Security Verify Access to 10.0.10 or later. The fix involves correcting the Content-Type header from text/html to application/json for certificate listing endpoints. Consult the vendor advisory at https://www.ibm.com/support/pages/node/7268253 for detailed patch availability and deployment guidance. As a temporary workaround pending patching, restrict access to certificate listing endpoints to trusted networks or implement web application firewall rules to enforce correct Content-Type headers on responses from affected endpoints.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18067
GHSA-crwf-9ph9-47f8