Skip to main content

IBM Datacap CVE-2026-8059

| EUVDEUVD-2026-38282 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-22 ibm GHSA-8pwc-hwv4-w6j6
6.1
CVSS 3.1 · NVD
Share

Severity by source

Vendor (ibm) PRIMARY
MEDIUM
qualitative
NVD
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Web UI XSS is network-delivered (AV:N); no auth required (PR:N); victim interaction needed (UI:R); scope changes to browser (S:C); no direct availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (ibm).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 22, 2026 - 16:06 vuln.today

DescriptionNVD

IBM Datacap 9.1.7, 9.1.8, and 9.1.9 and IBM Datacap Navigator 9.1.7, 9.1.8, and 9.1.9 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

AnalysisAI

Cross-site scripting in IBM Datacap and Datacap Navigator 9.1.7 through 9.1.9 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript within the Web UI, targeting authenticated users during active sessions. Successful exploitation can lead to credential theft or session hijacking by abusing the trust context of a legitimate user's browser. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify XSS injection point in Datacap Web UI
Delivery
Craft JavaScript payload targeting credentials or session
Exploit
Deliver malicious link to authenticated Datacap user
Execution
Victim clicks link in active session
Persist
Injected script executes in victim's browser
Impact
Exfiltrate credentials or session token to attacker

Vulnerability AssessmentAI

Exploitation The vulnerability exists in the IBM Datacap and IBM Datacap Navigator Web UI, and requires that a victim user with an active authenticated session interact with an attacker-controlled input or URL - reflecting the UI:R CVSS metric. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS score is 6.1 (Medium), with vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker identifies a reflected or stored XSS injection point in the IBM Datacap Web UI and crafts a malicious URL or input payload containing JavaScript designed to exfiltrate session cookies or capture credentials. The attacker delivers this payload to an authenticated Datacap user via phishing email or a malicious link; when the victim interacts with the link in their authenticated session, the injected script executes in their browser and transmits credentials or session tokens to an attacker-controlled endpoint. …
Remediation Apply the vendor-released patch per IBM's official advisory at https://www.ibm.com/support/pages/node/7276609. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-39736 CRITICAL
9.8 Jul 15

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 is vulnerable to HTTP header injection, caused by improper v

CVE-2026-8636 HIGH
7.5 Jun 22

Sensitive-data disclosure in IBM Datacap and Datacap Navigator (versions 9.1.7, 9.1.8, 9.1.9) lets an attacker recover u

CVE-2024-39731 HIGH
7.5 Jul 15

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 uses weaker than expected cryptographic algorithms that coul

CVE-2024-39732 HIGH
7.5 Jul 14

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 temporarily stores data from different environments that cou

CVE-2024-39733 MEDIUM
5.5 Jul 14

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 stores user credentials in plain clear text which can be rea

CVE-2024-39730 MEDIUM
5.4 Jun 28

IBM Datacap Navigator 9.1.7, 9.1.8, and 9.1.9 could allow a remote attacker to hijack the clicking action of the victim.

CVE-2025-36027 MEDIUM
5.4 Jun 28

IBM Datacap 9.1.7, 9.1.8, and 9.1.9 could allow a remote attacker to hijack the clicking action of the victim. By pe

CVE-2024-39735 MEDIUM
5.4 Jul 15

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 is vulnerable to cross-site scripting. Rated medium severity

CVE-2024-39728 MEDIUM
5.4 Jul 15

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 is vulnerable to stored cross-site scripting. Rated medium s

CVE-2026-9610 MEDIUM
5.3 Jun 22

Forced browsing exposure in IBM Datacap and IBM Datacap Navigator 9.1.7 through 9.1.9 allows a highly privileged local u

CVE-2024-39741 MEDIUM
5.3 Jul 15

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 could allow a remote attacker to traverse directories on the

CVE-2024-39740 MEDIUM
5.3 Jul 15

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 displays version information in HTTP requests that could all

Share

CVE-2026-8059 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy