Skip to main content

IBM TRIRIGA EUVDEUVD-2026-38280

| CVE-2026-11372 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-22 ibm GHSA-h4m9-g3gq-cc2g
5.4
CVSS 3.1 · NVD
Share

Severity by source

Vendor (ibm) PRIMARY
MEDIUM
qualitative
NVD
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Stored XSS requires a victim to view the page (UI:R), and script execution in victim's browser constitutes a scope change (S:C); PR:L reflects mandatory authenticated injection.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (ibm).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 22, 2026 - 16:06 vuln.today

DescriptionNVD

IBM TRIRIGA Application Platform 5.0.2 through 5.0.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

AnalysisAI

Stored cross-site scripting in IBM TRIRIGA Application Platform 5.0.2 and 5.0.3 allows an authenticated low-privileged user to inject arbitrary JavaScript into the Web UI, which executes in the browser context of other users who view the affected page - enabling session hijacking and credential theft within trusted sessions. No public exploit code has been identified at time of analysis, and IBM has released a patch via their support advisory. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain low-privilege TRIRIGA credentials
Delivery
Authenticate to TRIRIGA Web UI
Exploit
Inject JavaScript payload into editable UI field
Install
Payload persists in application database
C2
Privileged victim user views affected record
Execute
Injected script executes in victim browser
Impact
Session token or credentials exfiltrated

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a valid authenticated session on IBM TRIRIGA Application Platform (PR:L per CVSS vector) - anonymous access is insufficient. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) is noteworthy because UI:N is atypical for XSS - most stored XSS is rated UI:R since a victim must load the affected page. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated TRIRIGA user with minimal privileges - such as a facilities coordinator or read-write tenant account - navigates to a user-editable Web UI field (such as a work order description, asset note, or profile field) and submits a crafted payload containing malicious JavaScript. When a higher-privileged user such as a system administrator subsequently views the record containing the injected content, the script executes silently in their browser, exfiltrating their session token or credentials to an attacker-controlled endpoint. …
Remediation Apply the vendor-released patch as described in IBM's support advisory at https://www.ibm.com/support/pages/node/7276076. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2016-0374 HIGH
8.8 Jul 01

The builder tools in IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2.4, and 3.5 before 3.5.0.2 all

CVE-2017-1373 HIGH
8.8 Jul 21

Reports executed in the IBM TRIRIGA Application Platform 3.3, 3.4, and 3.5 contains a vulnerability that could allow an

CVE-2017-1153 HIGH
8.8 Mar 27

IBM TRIRIGA Report Manager 3.2 through 3.5 contains a vulnerability that could allow an authenticated user to execute ac

CVE-2016-2917 HIGH
8.8 Nov 30

The notifications component in IBM TRIRIGA Applications 10.4 and 10.5 before 10.5.1 allows remote authenticated users to

CVE-2017-1371 HIGH
8.8 Jul 21

Builder tools running in the IBM TRIRIGA Application Platform 3.3, 3.4, and 3.5 contains a vulnerability that could allo

CVE-2016-0386 HIGH
8.0 Jul 02

Cross-site request forgery (CSRF) vulnerability in IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2

CVE-2014-4840 HIGH
7.5 Oct 19

IBM TRIRIGA Application Platform 3.2 and 3.3 before 3.3.0.2, 3.3.1 before 3.3.1.3, 3.3.2 before 3.3.2.2, and 3.4 before

CVE-2016-0362 HIGH
7.7 Jul 01

IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2.4, and 3.5 before 3.5.0.2 allows remote authentica

CVE-2020-4277 HIGH
7.5 Apr 17

IBM TRIRIGA Application Platform 3.5.3 and 3.6.1 discloses sensitive information in error messages that could aid an att

CVE-2023-27876 HIGH
7.1 Apr 07

IBM TRIRIGA 4.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. Rated high seve

CVE-2019-4208 HIGH
7.1 May 07

IBM TRIRIGA Application Platform 3.5.3 and 3.6.0 is vulnerable to an XML External Entity Injection (XXE) attack when pro

CVE-2012-5950 MEDIUM
6.8 Apr 23

Multiple cross-site request forgery (CSRF) vulnerabilities in IBM TRIRIGA Application Platform 2.x and 3.x before 3.3, a

Share

EUVD-2026-38280 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy