Skip to main content

IBM WebSphere CVE-2026-8858

| EUVDEUVD-2026-38284 HIGH
Code Injection (CWE-94)
2026-06-22 ibm GHSA-mfq9-47xf-5654
8.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (ibm) PRIMARY
HIGH
qualitative
NVD
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

Adjacent vector because attacker must impersonate WAS on the plug-in's network; AC:H reflects the spoofing/positioning prerequisite; PR:N and UI:N since no credentials or user action needed; full CIA impact on the plug-in host.

3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (ibm).

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Updated
Jun 23, 2026 - 21:04 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 23, 2026 - 21:02 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 23, 2026 - 20:52 vuln.today
cvss_changed
CVSS changed
Jun 23, 2026 - 20:52 NVD
7.5 (HIGH) 8.8 (HIGH)
Analysis Generated
Jun 22, 2026 - 16:02 vuln.today

DescriptionNVD

IBM i 7.6, 7.5, 7.4, and 7.3, IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to remote code execution and denial of service in the WebSphere Web Server Plug-in component. This vulnerability can be exploited when an attacker impersonates the application server and sends crafted responses to the plug-in.

AnalysisAI

Remote code execution and denial of service in the IBM WebSphere Web Server Plug-in shipped with IBM i 7.3, 7.4, 7.5, and 7.6 (through 1.8.4) allows an attacker positioned on the adjacent network to abuse the plug-in's handling of responses from an upstream WebSphere Application Server. By impersonating the application server and returning crafted responses, the attacker can trigger code injection (CWE-94) against the plug-in, leading to full compromise of confidentiality, integrity, and availability. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain adjacent-network foothold near plug-in host
Delivery
Spoof or hijack WAS backend identity
Exploit
Plug-in sends request to attacker-controlled endpoint
Execution
Return crafted response triggering CWE-94 in plug-in
Persist
Execute code in plug-in process or crash service
Impact
Pivot into web tier and hosted applications

Vulnerability AssessmentAI

Exploitation Attacker must be on the same adjacent network segment as the WebSphere Web Server Plug-in host and able to impersonate the upstream IBM WebSphere Application Server or WAS Liberty instance (e.g., via ARP/DNS spoofing, a compromised adjacent host, or sitting on the plug-in-to-WAS path), and must induce the plug-in to process a crafted response from the spoofed backend; the affected configuration is any IBM i 7.3/7.4/7.5/7.6 deployment running the WebSphere Web Server Plug-in at version ≤1.8.4. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The 8.8 CVSS base score and the SSVC 'total' technical impact rating both signal that successful exploitation yields a complete takeover of the web-server/plug-in process, which typically runs with significant privileges in front of business-critical Java workloads. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has gained a foothold on the internal network between an IHS/Apache front-end and the WebSphere Application Server (for example via a compromised adjacent host, ARP spoofing, or rogue DHCP) impersonates the legitimate WAS endpoint and replies to plug-in requests with a crafted response that triggers the code-injection flaw inside the plug-in process. Successful exploitation lets the attacker execute arbitrary code in the context of the web-tier server or crash the plug-in to deny service to all hosted applications. …
Remediation Patch available per vendor advisory - apply the IBM-provided fix for the WebSphere Web Server Plug-in on IBM i 7.3, 7.4, 7.5, and 7.6 as documented at https://www.ibm.com/support/pages/node/7277344, upgrading the plug-in past the 1.8.4 vulnerable level on every web-tier host that fronts WAS or Liberty. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all IBM i 7.3-7.6 systems running WebSphere Web Server Plug-in version 1.8.4 or earlier and assess adjacent network exposure from untrusted segments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-8858 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy