CVE-2025-36126
Description
IBM Cognos Analytics 11.2.0, 12.0, and 12.1.0 and IBM Cognos Transformer 12.0, 11.2.4, and 12.1.0 are vulnerable to stored cross-site scripting (XSS) in Cognos Administration. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Cognos Analytics and Transformer are vulnerable to stored XSS in the Admin interface, allowing credential disclosure by a privileged user.
Vulnerability
IBM Cognos Analytics versions 11.2.0, 12.0, and 12.1.0, and IBM Cognos Transformer versions 12.0, 11.2.4, and 12.1.0 are affected by a stored cross-site scripting (XSS) vulnerability in the Cognos Administration interface. A privileged user can embed arbitrary JavaScript code in the Web UI, which is then executed when other administrators access the affected page [1].
Exploitation
An attacker requires a privileged account on the Cognos system (e.g., an administrator role). The attacker crafts malicious JavaScript code and injects it via the administration interface, for example by altering a configuration field or creating a resource with embedded script. Upon visiting the affected page, any other user with access to that interface will execute the script [1].
Impact
Successful exploitation allows the attacker to perform actions on behalf of the victim within the context of their session, potentially leading to disclosure of credentials or other sensitive information. The attack alters intended functionality and compromises the confidentiality and integrity of the administration session [1].
Mitigation
IBM has released security updates addressing this vulnerability. Affected users should apply the latest fix packs as recommended in the IBM security bulletin [1]. If immediate patching is not possible, restrict access to the administration interface to trusted users only.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >= 11.2.4, <= 12.1.0
- Range: >= 11.2.0, <= 12.1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.