Skip to main content

Websphere Application Server Liberty

5 CVEs product

Monthly

CVE-2026-11541 CRITICAL PATCH Act Now

HTTP request smuggling in IBM WebSphere Application Server (traditional 8.5 and 9.0) and WebSphere Liberty (17.0.0.3 through 26.0.0.6) lets remote attackers desynchronize how front-end proxies and the WebSphere back-end parse HTTP request boundaries, enabling request-queue poisoning, security-control bypass, and disclosure of other users' data (tagged Information Disclosure). The CVSS 9.8 vector rates all impacts high, but SSVC records no observed exploitation and EPSS is low (0.34%); no public exploit is identified at time of analysis, and a vendor patch is available. Realistic exploitation depends on WebSphere sitting behind an intermediary that disagrees with it on request framing.

Request Smuggling IBM Information Disclosure Websphere Application Server Websphere Application Server Liberty
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-9320 HIGH PATCH This Week

Denial of service in IBM WebSphere Application Server 9.0 and 8.5, and WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.6, allows remote unauthenticated attackers to exhaust server memory by sending specially-crafted requests. CVSS 7.5 (availability-only impact) with no public exploit identified at time of analysis and a low EPSS score of 0.31% (23rd percentile). IBM has released a patch via support advisory 7276579; CISA SSVC currently rates exploitation status as 'none'.

IBM Denial Of Service Websphere Application Server Websphere Application Server Liberty
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-9071 HIGH PATCH This Week

Denial of service in IBM WebSphere Application Server 8.5 and 9.0, plus WebSphere Liberty 17.0.0.3 through 26.0.0.6, allows remote unauthenticated attackers to exhaust server memory by sending a specially crafted request. The CVSS 7.5 score reflects high availability impact with no privileges or user interaction required, though no public exploit identified at time of analysis and no EPSS or KEV data is provided.

IBM Denial Of Service Websphere Application Server Websphere Application Server Liberty
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-8646 CRITICAL PATCH Act Now

HTTP request smuggling in IBM WebSphere Application Server 8.5/9.0 and WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.6 allows unauthenticated remote attackers to bypass security controls, spoof identities, escalate privileges, and access sensitive information. IBM has released fixes and SSVC currently rates exploitation as 'none' with EPSS at 0.35% (27th percentile), but the CVSS 9.1 rating and total technical impact warrant prompt patching given the product's enterprise footprint. No public exploit identified at time of analysis.

IBM Request Smuggling Information Disclosure Websphere Application Server Websphere Application Server Liberty
NVD VulDB
CVSS 3.1
9.1
EPSS
0.4%
CVE-2023-46158 CRITICAL Act Now

IBM WebSphere Application Server Liberty 23.0.0.9 through 23.0.0.10 could provide weaker than expected security due to improper resource expiration handling. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure IBM Websphere Application Server Liberty
NVD
CVSS 3.1
9.8
EPSS
0.5%
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

HTTP request smuggling in IBM WebSphere Application Server (traditional 8.5 and 9.0) and WebSphere Liberty (17.0.0.3 through 26.0.0.6) lets remote attackers desynchronize how front-end proxies and the WebSphere back-end parse HTTP request boundaries, enabling request-queue poisoning, security-control bypass, and disclosure of other users' data (tagged Information Disclosure). The CVSS 9.8 vector rates all impacts high, but SSVC records no observed exploitation and EPSS is low (0.34%); no public exploit is identified at time of analysis, and a vendor patch is available. Realistic exploitation depends on WebSphere sitting behind an intermediary that disagrees with it on request framing.

Request Smuggling IBM Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in IBM WebSphere Application Server 9.0 and 8.5, and WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.6, allows remote unauthenticated attackers to exhaust server memory by sending specially-crafted requests. CVSS 7.5 (availability-only impact) with no public exploit identified at time of analysis and a low EPSS score of 0.31% (23rd percentile). IBM has released a patch via support advisory 7276579; CISA SSVC currently rates exploitation status as 'none'.

IBM Denial Of Service Websphere Application Server +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in IBM WebSphere Application Server 8.5 and 9.0, plus WebSphere Liberty 17.0.0.3 through 26.0.0.6, allows remote unauthenticated attackers to exhaust server memory by sending a specially crafted request. The CVSS 7.5 score reflects high availability impact with no privileges or user interaction required, though no public exploit identified at time of analysis and no EPSS or KEV data is provided.

IBM Denial Of Service Websphere Application Server +1
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

HTTP request smuggling in IBM WebSphere Application Server 8.5/9.0 and WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.6 allows unauthenticated remote attackers to bypass security controls, spoof identities, escalate privileges, and access sensitive information. IBM has released fixes and SSVC currently rates exploitation as 'none' with EPSS at 0.35% (27th percentile), but the CVSS 9.1 rating and total technical impact warrant prompt patching given the product's enterprise footprint. No public exploit identified at time of analysis.

IBM Request Smuggling Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

IBM WebSphere Application Server Liberty 23.0.0.9 through 23.0.0.10 could provide weaker than expected security due to improper resource expiration handling. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure IBM Websphere Application Server Liberty
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy