Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Network-reachable with no credentials required; cache poisoning path justifies UI:N; bounded C:L/I:L because session data and content integrity are affected but full system compromise is not.
Primary rating from Vendor (ibm).
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Description (NVD)
IBM DevOps Plan 3.0.0 through 3.0.6 is vulnerable to HTTP header injection, caused by improper validation of input in the HOST header. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
Analysis (AI)
HTTP header injection in IBM DevOps Plan 3.0.0 through 3.0.6 allows unauthenticated remote attackers to inject arbitrary HTTP headers by supplying a malicious HOST header value that the application fails to sanitize. The vulnerability (CWE-644) can be leveraged to mount cross-site scripting attacks against users, poison intermediate caches with attacker-controlled content, or hijack authenticated sessions. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata (visualization not reproduced here).
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | The CVSS vector AV:N/AC:L/PR:N/UI:N indicates no special conditions are required for the injection act itself: an unauthenticated attacker with network access to the IBM DevOps Plan HTTP interface can send a malformed HOST header. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) accurately reflects the network-reachable, zero-authentication, low-complexity nature of the injection vector itself. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends an HTTP request to IBM DevOps Plan with a crafted HOST header (e.g., `Host: attacker.com`) targeting the application's link-generation or redirect functionality; the server reflects this value unsanitized into a response (e.g., a password-reset URL or a Location header), which a caching proxy stores and serves to subsequent legitimate users. Victims loading the poisoned page execute attacker-controlled JavaScript (XSS), or are redirected to an attacker-controlled domain for credential harvesting. … |
| Remediation | Apply the vendor-released patch per IBM's advisory at https://www.ibm.com/support/pages/node/7275005. … Detailed patch versions, workarounds, and compensating controls in full report. |
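The weakness class described above (a client-supplied Host header reflected into generated links or redirects) and the mitigating control that a compensating fix would apply are illustrated by the following added example. It is not IBM DevOps Plan code; `ALLOWED_HOSTS`, the function names and the sample host values are constructed for illustration.

```python
import re
from urllib.parse import quote

# Constructed allowlist of canonical hosts for this deployment (assumption):
# generated URLs must only ever use one of these, never the raw request Host.
ALLOWED_HOSTS = {"plan.example.com", "plan.example.com:443"}

# Well-formed hostname or hostname:port; rejects CR/LF and any other bytes
# that could terminate the header and smuggle in a second one.
_HOST_RE = re.compile(r"[A-Za-z0-9.-]+(:\d{1,5})?")


def build_reset_link_vulnerable(host_header: str, token: str) -> str:
    """Reflects the client-supplied Host header into an absolute URL.

    This mirrors the weak pattern the advisory describes: whatever Host value
    the client sends ends up in a link that may be cached or mailed to users.
    """
    return f"https://{host_header}/reset?token={quote(token)}"


def validate_host(host_header: str) -> str:
    """Return the normalised host if well-formed and allowlisted, else raise."""
    if not _HOST_RE.fullmatch(host_header):
        raise ValueError("malformed Host header")
    host = host_header.lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError("Host not in allowlist")
    return host


def build_reset_link_hardened(host_header: str, token: str) -> str:
    """Build the link only from a validated, allowlisted host."""
    host = validate_host(host_header)
    return f"https://{host}/reset?token={quote(token)}"


def check_request(host_header: str) -> dict:
    """Classify an incoming Host value the way a WAF or log rule might."""
    try:
        validate_host(host_header)
        return {"host": host_header, "accepted": True, "reason": None}
    except ValueError as exc:
        return {"host": host_header, "accepted": False, "reason": str(exc)}
```

`check_request` can be run over proxy or application access logs to flag requests whose Host value is malformed or not one of the deployment's canonical names, which is the observable precursor to the cache-poisoning scenario above.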
External POC / Exploit Code
EUVD-2026-36252
GHSA-p4v4-3mfq-ffjr