Skip to main content

IBM WebSphere Application Server EUVDEUVD-2026-38253

| CVE-2026-9071 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-06-22 ibm GHSA-x466-m8cx-8p3m
7.5
CVSS 3.1 · Vendor: ibm
Share

Severity by source

Vendor (ibm) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Network-reachable, unauthenticated, low-complexity crafted request causes memory exhaustion - availability-only impact, no confidentiality or integrity effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (ibm).

CVSS VectorVendor: ibm

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 22, 2026 - 16:03 vuln.today

DescriptionCVE.org

IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources.

AnalysisAI

Denial of service in IBM WebSphere Application Server 8.5 and 9.0, plus WebSphere Liberty 17.0.0.3 through 26.0.0.6, allows remote unauthenticated attackers to exhaust server memory by sending a specially crafted request. The CVSS 7.5 score reflects high availability impact with no privileges or user interaction required, though no public exploit identified at time of analysis and no EPSS or KEV data is provided.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed WebSphere endpoint
Delivery
Craft malicious request payload
Exploit
Send request to triggering handler
Execution
Server allocates excessive memory
Persist
Repeat to exhaust JVM heap
Impact
Application server becomes unresponsive

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation against default configurations of IBM WebSphere Application Server traditional 8.5/9.0 and Liberty 17.0.0.3 through 26.0.0.6, requiring only network reachability to a listening WAS HTTP or service endpoint. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H indicates a network-reachable, low-complexity, unauthenticated attack producing high availability impact with no confidentiality or integrity consequences - a classic remote DoS profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the network sends one or more specially crafted requests to an exposed WebSphere or Liberty HTTP/SOAP endpoint; the server allocates excessive memory while parsing or processing the request, and repeated requests drive the JVM into garbage-collection thrashing or OutOfMemoryError, taking the application offline. Because the CVSS vector is AV:N/AC:L/PR:N/UI:N, the attack can be automated from any internet host without credentials or social engineering.
Remediation Patch available per vendor advisory - apply the interim fix or fix pack documented at https://www.ibm.com/support/pages/node/7276579 for the specific WAS 8.5, 9.0, or Liberty release in use. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all production and non-production instances of IBM WebSphere Application Server 8.5, 9.0 and WebSphere Liberty 17.0.0.3 through 26.0.0.6. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2019-4279 CRITICAL POC
9.8 May 17

IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with

CVE-2015-1920 CRITICAL
10.0 May 20

IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.47, 7.0 before 7.0.0.39, 8.0 before 8.0.0.11, and 8.5 before 8.

CVE-2013-1777 CRITICAL
10.0 Jul 11

The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Co

CVE-2012-5955 CRITICAL
10.0 Dec 20

Unspecified vulnerability in the IBM HTTP Server component 5.3 in IBM WebSphere Application Server (WAS) for z/OS allows

CVE-2018-1770 MEDIUM POC
6.5 Oct 12

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the sys

CVE-2016-5983 HIGH
7.5 Oct 05

IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before 8.0.0.13, 8.5 before 8.5.5.11, 9.0 before 9.0.0.2

CVE-2013-0462 CRITICAL
10.0 Jan 27

Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.1, 7.0 before 7.0.0.27, 8.0, and 8.5 has unknown i

CVE-2026-11541 CRITICAL
9.8 Jun 30

HTTP request smuggling in IBM WebSphere Application Server (traditional 8.5 and 9.0) and WebSphere Liberty (17.0.0.3 thr

CVE-2026-11546 CRITICAL
9.8 Jun 30

Server-side request forgery in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.7) lets remote unauthen

CVE-2026-11714 CRITICAL
9.8 Jun 30

Server-side request forgery in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.7) lets remote, unauthe

CVE-2023-23477 CRITICAL
9.8 Feb 03

IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the

CVE-2020-4589 CRITICAL
9.8 Aug 13

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the s

Share

EUVD-2026-38253 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy