Skip to main content

IBM WebSphere EUVDEUVD-2026-40397

| CVE-2026-11708 CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-06-30 psirt@us.ibm.com GHSA-6r45-rmg6-v6j9
9.3
CVSS 3.1 · Vendor: us
Share

Severity by source

Vendor (us) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
vuln.today AI
6.1 MEDIUM

Reflected/stored XSS needs a privileged admin to view the payload (UI:R) and realistically yields only limited session-scoped confidentiality/integrity impact (C:L/I:L), with scope change as script crosses into the admin context.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (us).

CVSS VectorVendor: us

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 30, 2026 - 20:34 vuln.today

DescriptionCVE.org

IBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the administrative console's integrated help system.

AnalysisAI

Cross-site scripting in IBM WebSphere Application Server 9.0 and 8.5 lets an attacker inject malicious script into the administrative console's integrated help system, which then executes in the browser of an administrator who views the affected page. Successful exploitation can hijack the admin session or perform actions in the console UI context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed admin console
Delivery
Plant XSS payload in help input
Exploit
Admin views crafted help page
Execution
Script executes in admin browser
Impact
Hijack console session / act as admin

Vulnerability AssessmentAI

Exploitation Exploitation targets the administrative console's integrated help system in WebSphere Application Server 9.0 or 8.5, and requires that a privileged administrator view the attacker-influenced help content - the CVSS UI:R flag confirms required user interaction, which is the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N) yields a 9.3 'Critical' score, but that rating is unusually high for a console help-system XSS and warrants scrutiny: the C:H/I:H impact ratings are aggressive for reflected/stored XSS, where realistic impact is typically limited to the victim admin's session (low confidentiality/integrity). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious input or link that, when processed by the administrative console's help system, injects JavaScript that executes in the browser of a logged-in WebSphere administrator who views the affected help page. Because the script runs in the privileged console context, it could steal the admin's session token or issue console requests on the admin's behalf. …
Remediation Apply the vendor remediation described in IBM's advisory at https://www.ibm.com/support/pages/node/7278590; the input does not specify an exact patched fixpack version, so this is best characterized as a patch available per vendor advisory - confirm the precise interim fix or fixpack level (for the 9.0 and 8.5 streams) directly from that page rather than assuming a version number. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Conduct an inventory of all systems running WebSphere 9.0 and 8.5; implement network-level access controls restricting administrative console access to trusted administrative networks only; enable enhanced audit logging for all administrative console activity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2019-4279 CRITICAL POC
9.8 May 17

IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with

CVE-2015-1920 CRITICAL
10.0 May 20

IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.47, 7.0 before 7.0.0.39, 8.0 before 8.0.0.11, and 8.5 before 8.

CVE-2013-1777 CRITICAL
10.0 Jul 11

The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Co

CVE-2012-5955 CRITICAL
10.0 Dec 20

Unspecified vulnerability in the IBM HTTP Server component 5.3 in IBM WebSphere Application Server (WAS) for z/OS allows

CVE-2018-1770 MEDIUM POC
6.5 Oct 12

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the sys

CVE-2016-5983 HIGH
7.5 Oct 05

IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before 8.0.0.13, 8.5 before 8.5.5.11, 9.0 before 9.0.0.2

CVE-2013-0462 CRITICAL
10.0 Jan 27

Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.1, 7.0 before 7.0.0.27, 8.0, and 8.5 has unknown i

CVE-2026-11541 CRITICAL
9.8 Jun 30

HTTP request smuggling in IBM WebSphere Application Server (traditional 8.5 and 9.0) and WebSphere Liberty (17.0.0.3 thr

CVE-2026-11546 CRITICAL
9.8 Jun 30

Server-side request forgery in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.7) lets remote unauthen

CVE-2026-11714 CRITICAL
9.8 Jun 30

Server-side request forgery in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.7) lets remote, unauthe

CVE-2023-23477 CRITICAL
9.8 Feb 03

IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the

CVE-2020-4589 CRITICAL
9.8 Aug 13

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the s

Share

EUVD-2026-40397 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy