VYPR
Medium severity, score 5.4 · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2025-3633

Description

IBM Cognos Analytics 11.2.0, 11.2.4, 12.0, and 12.1.0 and IBM Cognos Transformer 11.2.4, 12.0, and 12.1.0 are vulnerable to cross-site scripting (XSS). This vulnerability allows a remote attacker to inject arbitrary JavaScript code into the web user interface, which may alter the intended functionality and could lead to the disclosure of credentials within a trusted session.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Cognos Analytics and Transformer are vulnerable to stored XSS, allowing remote attackers to inject malicious scripts into the web interface and potentially steal credentials.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in IBM Cognos Analytics versions 11.2.0, 11.2.4, 12.0, and 12.1.0, and IBM Cognos Transformer versions 11.2.4, 12.0, and 12.1.0 [1]. The vulnerability allows an attacker to inject arbitrary JavaScript code into the web user interface, which may alter intended functionality [1].

Exploitation

An attacker can exploit this vulnerability remotely without authentication by crafting a malicious request that includes JavaScript code [1]. The injected script executes within the context of the victim's browser session when the victim interacts with the affected application [1].

Impact

Successful exploitation could lead to the disclosure of credentials within a trusted session [1]. The attacker may also perform actions on behalf of the victim, access sensitive data, or deface the application [1].

Mitigation

IBM has released security updates to address this vulnerability. Users should upgrade to the latest versions as indicated in the security bulletin [1]. For Cognos Analytics, versions 11.2.5 and later are fixed; for Cognos Transformer, version 12.2.0 and later are fixed (exact versions per the bulletin). No workarounds are specified.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE; the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0

No linked articles in our index yet.