WebSphere Application Server
by IBM
CVEs (462)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-10845 | | | 0.00 | — | 0.00 | | Jun 22, 2026 | IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to bypass authentication and gain unauthorized access to JAX-WS applications. |
| CVE-2026-9072 | | | 0.00 | — | 0.00 | | Jun 22, 2026 | IBM i 7.6, 7.5, 7.4, and 7.3, IBM WebSphere Application Server, and IBM WebSphere Application Server Liberty - when using Intelligent Management with the WebSphere WebServer Plug-in component - are vulnerable to remote code execution and denial of service. This vulnerability can… |
| CVE-2026-8858 | | | 0.00 | — | 0.00 | | Jun 22, 2026 | IBM i 7.6, 7.5, 7.4, and 7.3, IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to remote code execution and denial of service in the WebSphere Web Server Plug-in component. This vulnerability can be exploited when an attacker… |
| CVE-2025-14917 | | | 0.00 | — | 0.00 | | Mar 25, 2026 | IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application Server Liberty could provide weaker than expected security when administering security settings. |
| CVE-2025-14915 | | | 0.00 | — | 0.01 | | Mar 25, 2026 | IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application Server Liberty is affected by privilege escalation. A privileged user could gain additional access to the application server. |
| CVE-2026-1561 | | | 0.00 | — | 0.00 | | Mar 25, 2026 | IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application Server Liberty is vulnerable to server-side request forgery (SSRF). This may allow a remote attacker to send unauthorized requests from the system, potentially leading to network… |
| CVE-2025-14923 | | | 0.00 | — | 0.00 | | Mar 3, 2026 | IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.2 IBM WebSphere Application Server Liberty could provide weaker than expected security when using the Security Utility when administering security settings. |
| CVE-2025-13333 | | | 0.00 | — | 0.00 | | Feb 17, 2026 | IBM WebSphere Application Server 9.0, and 8.5 could provide weaker than expected security during system administration of security settings. |
| CVE-2025-14914 | | | 0.00 | — | 0.00 | | Feb 2, 2026 | IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.1 could allow a privileged user to upload a zip archive containing path traversal sequences resulting in an overwrite of files leading to arbitrary code execution. |
| CVE-2025-12635 | | | 0.00 | — | 0.00 | | Dec 8, 2025 | IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.12 are affected by cross-site scripting due to improper validation of user-supplied input. An attacker could exploit this vulnerability by using a specially crafted URL… |
| CVE-2025-36099 | | | 0.00 | — | 0.00 | | Sep 29, 2025 | IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to a denial of service, caused by sending a specially-crafted request. A privileged user could exploit this vulnerability to cause the server to consume memory resources. |
| CVE-2025-33142 | | | 0.00 | — | 0.00 | | Aug 14, 2025 | IBM WebSphere Application Server 8.5 and 9.0 could provide weaker than expected security for TLS connections. |
| CVE-2025-36047 | | | 0.00 | — | 0.00 | | Aug 14, 2025 | IBM WebSphere Application Server Liberty 18.0.0.2 through 25.0.0.8 is vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources. |
| CVE-2025-36000 | | | 0.00 | — | 0.00 | | Aug 12, 2025 | IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.8 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to… |
| CVE-2025-36124 | | | 0.00 | — | 0.00 | | Aug 12, 2025 | IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.8 could allow a remote attacker to bypass security restrictions caused by a failure to honor JMS messaging configuration. |
| CVE-2024-56339 | | | 0.00 | — | 0.00 | | Aug 7, 2025 | IBM WebSphere Application Server 9.0 and WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.7 could allow a remote attacker to bypass security restrictions caused by a failure to honor security configuration. |
| CVE-2025-36097 | | | 0.00 | — | 0.00 | | Jul 16, 2025 | IBM WebSphere Application Server 9.0 and WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.7 are vulnerable to a denial of service, caused by a stack-based overflow. An attacker can send a specially crafted request that causes the server to consume excessive memory… |
| CVE-2025-36038 | | | 0.00 | — | 0.08 | | Jun 25, 2025 | IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially crafted sequence of serialized objects. |
| CVE-2025-33104 | | | 0.00 | — | 0.00 | | May 14, 2025 | IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. |
| CVE-2025-27907 | | | 0.00 | — | 0.00 | | Apr 22, 2025 | IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. |