Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0 IBM WebSphere Application Server and WebSphere Application Server Liberty are vulnerable to remote code execution in the Web Server Plug-ins, through a specially crafted request.
AnalysisAI
Remote code execution in IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5 and 9.0 allows unauthenticated network attackers to execute arbitrary code via a specially crafted HTTP request. The CVSS 9.8 rating reflects complete confidentiality, integrity, and availability impact with no authentication or user interaction required, though EPSS scores it at only 0.20% probability and CISA SSVC reports no current exploitation. No public exploit has been identified at time of analysis, but IBM has released a patch.
Technical ContextAI
The Web Server Plug-ins are a connector module loaded into front-end web servers (such as IBM HTTP Server, Apache, or IIS) that forward HTTP requests to back-end WebSphere Application Server or WebSphere Liberty instances. Per the CPE (cpe:2.3:a:ibm:web_server_plug-ins_for_websphere_application_server_and_websphere_liberty), the flaw resides in this plug-in component rather than the application server itself, meaning the vulnerable code path sits at the perimeter of the typical Java EE/Jakarta EE deployment. The root cause is classified as CWE-94 (Improper Control of Generation of Code, i.e., Code Injection), indicating the plug-in processes attacker-controlled input in a way that allows it to be interpreted as executable code or directives rather than data.
RemediationAI
Apply the patch available per IBM's advisory at https://www.ibm.com/support/pages/node/7274072 - exact fix-pack versions should be taken from that page since the input data does not enumerate them and exact fix versions are not independently confirmed here. If immediate patching is not feasible, compensating controls include restricting inbound HTTP/HTTPS access to the web server tier hosting the plug-in (allowlisting trusted upstream proxies or WAF egress IPs), deploying a WAF rule set in front of the plug-in to inspect and reject malformed or anomalously crafted requests (note: without IBM-published indicators or request signatures this is best-effort and may produce false positives against legitimate traffic), and increasing logging on the plug-in and back-end WebSphere request handlers to detect anomalous request patterns; isolating the plug-in host segment from sensitive back-end systems can also limit blast radius if RCE occurs but breaks the application's normal request flow if mis-scoped.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31927
GHSA-536c-j2qm-3hw6