Severity by source
Sources disagree (Medium–Critical)
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Network-reachable and unauthenticated, but AC:H because exploitation requires a pre-existing unfiltered deserialization sink and chaining the separate WAS-26 ORB flaw; scope changes as SSRF pivots beyond the vulnerable component.
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
Description (NVD)
IBM WebSphere eXtreme Scale 8.6.1.0 through 8.6.1.6: Approximately 50 generated CORBA stub classes in WebSphere eXtreme Scale's ogclient.jar call ORB.string_to_object() on an attacker-controlled IOR string during Java deserialization, turning any unfiltered ObjectInputStream sink in WAS into outbound IIOP SSRF to an attacker-chosen host; when chained with the IBM ORB's getUserException class-instantiation flaw (WAS-26), this SSRF escalates to remote code execution on the calling JVM.
Analysis (AI)
Remote code execution in IBM WebSphere eXtreme Scale 8.6.1.0 through 8.6.1.6 arises from roughly 50 generated CORBA stub classes in the shipped ogclient.jar that invoke ORB.string_to_object() on an attacker-controlled IOR string during Java deserialization, converting any unfiltered ObjectInputStream sink in the surrounding WebSphere Application Server into outbound IIOP server-side request forgery. When chained with the IBM ORB getUserException class-instantiation flaw (tracked as WAS-26), that SSRF escalates to code execution on the calling JVM. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires that the target WebSphere Application Server process expose a reachable, unfiltered ObjectInputStream deserialization sink into which the attacker can inject serialized data; this is the exact precondition named in the description ("any unfiltered ObjectInputStream sink in WAS"). … |
| Risk Assessment | The signals are partially conflicting and should be weighed carefully. … |
| Exploit Scenario | An attacker who can deliver serialized data to an exposed WebSphere Application Server endpoint that deserializes objects (an unfiltered ObjectInputStream) sends a crafted payload embedding a malicious IOR string. Deserialization triggers one of the ~50 ogclient.jar CORBA stubs to call ORB.string_to_object(), forcing the JVM to open an outbound IIOP connection to the attacker's host (SSRF); combined with the WAS-26 ORB class-instantiation flaw, the returned data drives code execution on the WXS/WAS JVM. … |
| Remediation | Apply the vendor fix referenced in IBM's advisory at https://www.ibm.com/support/pages/node/7278594; a patch is available per vendor advisory, though no discrete fix version string is provided in the input, so confirm the exact iFix/APAR level against that advisory before deployment. … |
Recommended Action (AI)
Within 24 hours: Identify all systems running IBM WebSphere eXtreme Scale versions 8.6.1.0-8.6.1.6 and restrict network access if immediate patching is not feasible. …
Weakness: CWE-918 – Server-Side Request Forgery (SSRF)
External POC / Exploit Code
- EUVD-2026-40386
- GHSA-hgv4-prq7-c9mx