
WebSphere eXtreme Scale EUVD-2026-40387

CVE-2026-13772 CRITICAL
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE-470)
2026-06-30 · ibm · GHSA-w6x5-7fjj-v49p
9.9 CVSS 3.1 · NVD

Severity by source

Vendor (ibm), PRIMARY: HIGH (qualitative)
NVD: 9.9 CRITICAL (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
vuln.today AI: 9.9 CRITICAL

Rationale for the AI rating: the OQL sink is reachable over the network by a low-privileged authenticated user with no user interaction; arbitrary constructor execution gives full confidentiality, integrity and availability impact; and the cross-node / JEP-290 bypass justifies the scope change (S:C).

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (ibm).

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Jul 02, 2026 - 18:58  vuln.today  Analysis updated, v3 (cvss_changed)
Jul 02, 2026 - 18:58  vuln.today  Analysis updated, v2 (cvss_changed)
Jul 02, 2026 - 18:52  vuln.today  Re-analysis queued (cvss_changed)
Jul 02, 2026 - 18:52  NVD         Severity changed: HIGH -> CRITICAL
Jul 02, 2026 - 18:52  NVD         CVSS changed: 7.5 (HIGH) -> 9.9 (CRITICAL)
Jun 30, 2026 - 19:53  vuln.today  Analysis generated

Description (NVD)

The Object Query Language (OQL) engine in IBM WebSphere eXtreme Scale 8.6.1.0 through 8.6.1.6 resolves attacker-supplied class names via Class.forName() and invokes their constructors with no allow-list at three distinct sinks: SELECT NEW, enum literals, and reflection-based comparators. An authenticated remote attacker who can influence an application-built OQL query string can therefore execute arbitrary constructors on the WAS JVM. A SELECT DISTINCT variant using planted grid values fires the same gadget post-readObject, in a manner that survives JEP-290 serialization filters across grid node boundaries.

Analysis (AI)

Arbitrary constructor invocation (leading to code execution) in IBM WebSphere eXtreme Scale 8.6.1.0 through 8.6.1.6 lets an authenticated remote attacker who can influence an application-built Object Query Language (OQL) query force the engine to resolve attacker-named classes via Class.forName() and instantiate them without any allow-list. Three distinct sinks are affected (SELECT NEW, enum literals, and reflection-based comparators), and a SELECT DISTINCT variant using planted grid values triggers the gadget post-readObject in a way that bypasses JEP-290 serialization filters across grid nodes. …
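The following is an added, self-contained illustration of the two mechanisms described above; it is not IBM's code and does not reproduce the product's OQL engine. A tiny regex stands in for the OQL parser, `Gadget` is a constructed stand-in for a gadget class (its constructor merely increments a counter), and `ALLOWED_NEW`, `selectNewUnsafe`, `selectNewSafe` and `readFiltered` are hypothetical names chosen for this example. It shows the CWE-470 pattern (class name taken from the query text, `Class.forName()`, constructor invoked, no allow-list), the allow-list fix applied to the string before any class is loaded, and why a strict JEP-290 `ObjectInputFilter` on a grid node does not help: the planted value that crosses the node boundary is only a `java.lang.String`, which every sane filter admits, and it becomes a class name only later, at the OQL sink.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class OqlNewSinkDemo {

    // Constructed stand-in for a gadget class: all that matters here is that the
    // constructor has an observable side effect (a real chain would do far worse).
    public static class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static int fired = 0;
        public Gadget() { fired++; }
    }

    // Toy parser for the one query shape this example needs: SELECT NEW <class>()
    private static final Pattern SELECT_NEW =
        Pattern.compile("SELECT\\s+NEW\\s+([\\w.$]+)\\s*\\(\\s*\\)", Pattern.CASE_INSENSITIVE);

    private static String classNameFrom(String oql) {
        Matcher m = SELECT_NEW.matcher(oql);
        if (!m.find()) throw new IllegalArgumentException("not a SELECT NEW query: " + oql);
        return m.group(1);
    }

    // VULNERABLE pattern (CWE-470): the class name comes straight from the query text,
    // Class.forName() resolves it and the no-arg constructor runs, with no allow-list.
    static Object selectNewUnsafe(String oql) throws Exception {
        Class<?> c = Class.forName(classNameFrom(oql));
        return c.getDeclaredConstructor().newInstance();
    }

    // HARDENED variant: only a closed set of projection classes may be instantiated.
    // The check is on the string, before Class.forName(), so an unlisted class is
    // never loaded or statically initialised at all.
    static final Set<String> ALLOWED_NEW = Set.of("java.util.ArrayList", "java.util.HashMap");

    static Object selectNewSafe(String oql) throws Exception {
        String name = classNameFrom(oql);
        if (!ALLOWED_NEW.contains(name)) {
            throw new SecurityException("class not permitted in SELECT NEW: " + name);
        }
        return Class.forName(name).getDeclaredConstructor().newInstance();
    }

    // --- JEP 290 side: a grid value crossing a node boundary under a strict filter ---

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Deserialize with a filter that admits java.lang.String and rejects everything else.
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter("java.lang.String;!*"));
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. The filter does its job against a serialized gadget *object*.
        try {
            readFiltered(serialize(new Gadget()));
            System.out.println("unexpected: Gadget object passed the filter");
        } catch (InvalidClassException e) {
            System.out.println("filter rejected Gadget object: " + e.getMessage());
        }
        Gadget.fired = 0; // constructing the object above counted once; reset the counter

        // 2. A "planted grid value" is just a String naming the gadget class. It passes
        //    the filter untouched and only becomes a class name at the OQL sink.
        String planted = (String) readFiltered(serialize("OqlNewSinkDemo$Gadget"));
        selectNewUnsafe("SELECT NEW " + planted + "()");
        System.out.println("Gadget constructor fired via OQL sink: " + Gadget.fired + " time(s)");

        // 3. The allow-list stops the same input before any class is resolved.
        try {
            selectNewSafe("SELECT NEW " + planted + "()");
        } catch (SecurityException e) {
            System.out.println("hardened sink: " + e.getMessage());
        }
        Object ok = selectNewSafe("SELECT NEW java.util.ArrayList()");
        System.out.println("hardened sink accepts: " + ok.getClass().getName());
    }
}
```

Run it with `java OqlNewSinkDemo.java` (Java 11 or later). Step 1 ends in an `InvalidClassException` with a REJECTED filter status, step 2 reports the gadget constructor firing once, and step 3 shows the same planted string refused by the allow-listed sink. The same allow-list shape applies to the other two sinks the advisory names: resolve enum literals only against enum types the schema already declares, and never build a comparator from a class name that originates in query text or grid data.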


Recommended Action (AI)

Within 24 hours: inventory all IBM WebSphere eXtreme Scale 8.6.1.x installations and isolate affected grids from untrusted networks if immediate patching is not feasible. …


EUVD-2026-40387 vulnerability details – vuln.today
