Skip to main content

IBM WebSphere Plug-ins EUVDEUVD-2026-31927

| CVE-2026-8633 CRITICAL
Code Injection (CWE-94)
2026-05-26 ibm GHSA-536c-j2qm-3hw6
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 08:34 vuln.today

DescriptionCVE.org

IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0 IBM WebSphere Application Server and WebSphere Application Server Liberty are vulnerable to remote code execution in the Web Server Plug-ins, through a specially crafted request.

AnalysisAI

Remote code execution in IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5 and 9.0 allows unauthenticated network attackers to execute arbitrary code via a specially crafted HTTP request. The CVSS 9.8 rating reflects complete confidentiality, integrity, and availability impact with no authentication or user interaction required, though EPSS scores it at only 0.20% probability and CISA SSVC reports no current exploitation. No public exploit has been identified at time of analysis, but IBM has released a patch.

Technical ContextAI

The Web Server Plug-ins are a connector module loaded into front-end web servers (such as IBM HTTP Server, Apache, or IIS) that forward HTTP requests to back-end WebSphere Application Server or WebSphere Liberty instances. Per the CPE (cpe:2.3:a:ibm:web_server_plug-ins_for_websphere_application_server_and_websphere_liberty), the flaw resides in this plug-in component rather than the application server itself, meaning the vulnerable code path sits at the perimeter of the typical Java EE/Jakarta EE deployment. The root cause is classified as CWE-94 (Improper Control of Generation of Code, i.e., Code Injection), indicating the plug-in processes attacker-controlled input in a way that allows it to be interpreted as executable code or directives rather than data.

RemediationAI

Apply the patch available per IBM's advisory at https://www.ibm.com/support/pages/node/7274072 - exact fix-pack versions should be taken from that page since the input data does not enumerate them and exact fix versions are not independently confirmed here. If immediate patching is not feasible, compensating controls include restricting inbound HTTP/HTTPS access to the web server tier hosting the plug-in (allowlisting trusted upstream proxies or WAF egress IPs), deploying a WAF rule set in front of the plug-in to inspect and reject malformed or anomalously crafted requests (note: without IBM-published indicators or request signatures this is best-effort and may produce false positives against legitimate traffic), and increasing logging on the plug-in and back-end WebSphere request handlers to detect anomalous request patterns; isolating the plug-in host segment from sensitive back-end systems can also limit blast radius if RCE occurs but breaks the application's normal request flow if mis-scoped.

Share

EUVD-2026-31927 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy