Websphere Application Server Liberty
Monthly
HTTP request smuggling in IBM WebSphere Application Server (traditional 8.5 and 9.0) and WebSphere Liberty (17.0.0.3 through 26.0.0.6) lets remote attackers desynchronize how front-end proxies and the WebSphere back-end parse HTTP request boundaries, enabling request-queue poisoning, security-control bypass, and disclosure of other users' data (tagged Information Disclosure). The CVSS 9.8 vector rates all impacts high, but SSVC records no observed exploitation and EPSS is low (0.34%); no public exploit is identified at time of analysis, and a vendor patch is available. Realistic exploitation depends on WebSphere sitting behind an intermediary that disagrees with it on request framing.
Denial of service in IBM WebSphere Application Server 9.0 and 8.5, and WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.6, allows remote unauthenticated attackers to exhaust server memory by sending specially-crafted requests. CVSS 7.5 (availability-only impact) with no public exploit identified at time of analysis and a low EPSS score of 0.31% (23rd percentile). IBM has released a patch via support advisory 7276579; CISA SSVC currently rates exploitation status as 'none'.
Denial of service in IBM WebSphere Application Server 8.5 and 9.0, plus WebSphere Liberty 17.0.0.3 through 26.0.0.6, allows remote unauthenticated attackers to exhaust server memory by sending a specially crafted request. The CVSS 7.5 score reflects high availability impact with no privileges or user interaction required, though no public exploit identified at time of analysis and no EPSS or KEV data is provided.
HTTP request smuggling in IBM WebSphere Application Server 8.5/9.0 and WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.6 allows unauthenticated remote attackers to bypass security controls, spoof identities, escalate privileges, and access sensitive information. IBM has released fixes and SSVC currently rates exploitation as 'none' with EPSS at 0.35% (27th percentile), but the CVSS 9.1 rating and total technical impact warrant prompt patching given the product's enterprise footprint. No public exploit identified at time of analysis.
IBM WebSphere Application Server Liberty 23.0.0.9 through 23.0.0.10 could provide weaker than expected security due to improper resource expiration handling. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
HTTP request smuggling in IBM WebSphere Application Server (traditional 8.5 and 9.0) and WebSphere Liberty (17.0.0.3 through 26.0.0.6) lets remote attackers desynchronize how front-end proxies and the WebSphere back-end parse HTTP request boundaries, enabling request-queue poisoning, security-control bypass, and disclosure of other users' data (tagged Information Disclosure). The CVSS 9.8 vector rates all impacts high, but SSVC records no observed exploitation and EPSS is low (0.34%); no public exploit is identified at time of analysis, and a vendor patch is available. Realistic exploitation depends on WebSphere sitting behind an intermediary that disagrees with it on request framing.
Denial of service in IBM WebSphere Application Server 9.0 and 8.5, and WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.6, allows remote unauthenticated attackers to exhaust server memory by sending specially-crafted requests. CVSS 7.5 (availability-only impact) with no public exploit identified at time of analysis and a low EPSS score of 0.31% (23rd percentile). IBM has released a patch via support advisory 7276579; CISA SSVC currently rates exploitation status as 'none'.
Denial of service in IBM WebSphere Application Server 8.5 and 9.0, plus WebSphere Liberty 17.0.0.3 through 26.0.0.6, allows remote unauthenticated attackers to exhaust server memory by sending a specially crafted request. The CVSS 7.5 score reflects high availability impact with no privileges or user interaction required, though no public exploit identified at time of analysis and no EPSS or KEV data is provided.
HTTP request smuggling in IBM WebSphere Application Server 8.5/9.0 and WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.6 allows unauthenticated remote attackers to bypass security controls, spoof identities, escalate privileges, and access sensitive information. IBM has released fixes and SSVC currently rates exploitation as 'none' with EPSS at 0.35% (27th percentile), but the CVSS 9.1 rating and total technical impact warrant prompt patching given the product's enterprise footprint. No public exploit identified at time of analysis.
IBM WebSphere Application Server Liberty 23.0.0.9 through 23.0.0.10 could provide weaker than expected security due to improper resource expiration handling. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.