CVE-2026-11708: Critical Cross-Site Scripting Flaw in IBM WebSphere Application Server

A cross-site scripting vulnerability in the integrated help system of the administrative console affects IBM WebSphere Application Server 9.0 and 8.5 and carries a CVSS 3.1 base score of 9.3 (Critical).

What Is It

CVE-2026-11708 is a cross-site scripting (XSS) vulnerability (CWE-79) in the integrated help system of the administrative console in IBM WebSphere Application Server. It was disclosed by IBM's PSIRT and published on June 30, 2026. The flaw is reachable over the network with low attack complexity and requires no privileges on the attacker's side (AV:N/AC:L/PR:N). It does require user interaction (UI:R), which for an XSS flaw means a console user, in practice an administrator holding a valid session, must be induced to open a crafted link or page. The scope metric is Changed (S:C), as CVSS 3.1 scores XSS in general: the vulnerable component is the console's server side, but the injected script executes in the victim's browser under the console's origin, a different security authority. Together with the high confidentiality and integrity impact the advisory reports, the published 9.3 corresponds to no availability impact, i.e. CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N.

Why It Matters

Despite being an XSS flaw, this vulnerability is rated Critical with a CVSS 3.1 base score of 9.3. The rating is driven by the combination of network reach, no required privileges and the changed scope, together with high confidentiality impact (C:H) and high integrity impact (I:H); with scope Unchanged the same metrics would score 8.1 (High). Because the flaw resides in the administrative console, script that executes there runs with the victim's console session: it can read what that session can read and submit what that session can submit, so an attacker who lures an administrator could obtain sensitive administrative data or drive administrative actions without ever holding credentials. The practical preconditions still matter when triaging: a privileged console user has to interact with attacker-supplied content, and the exposure is bounded by the set of networks from which the console can be reached.

What's Vulnerable

The following IBM WebSphere Application Server versions are listed as affected:

IBM WebSphere Application Server 9.0
IBM WebSphere Application Server 8.5

The vulnerable component is the administrative console's integrated help system; no other component is named in the advisory material available here.

Patch Status

IBM has published a support advisory addressing this vulnerability (IBM Support node 7278590). Administrators of affected WebSphere Application Server 9.0 and 8.5 deployments should consult it for the fix pack or interim fix that applies to their release and apply the vendor-provided fix; the installed level can be confirmed with the versionInfo script in the application server's bin directory before and after patching. Until the fix is in place, the usual console hygiene limits exposure: reach the administrative console only from a management network rather than from general user networks, and treat unsolicited links into the console with suspicion, since user interaction is what this flaw needs. This CVE does not currently appear in the supplied CISA KEV data, and there is no confirmation of active exploitation in the provided source material.
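Because the advisory material here does not include a URL for the vulnerable help endpoint, a detection that waits for the exact path is not possible; what a practitioner can do today is watch all traffic to the console context root for script-injection markers. The following is an added example of that check over NCSA-format access logs, not code from the page or from IBM. It assumes the default console context root /ibm/console/ (deployments that relocated the console must adjust CONSOLE_ROOT), that access logging is enabled on the console's HTTP transport, and the log lines are constructed for the example; the help sub-path they contain is hypothetical and is not the vulnerable endpoint.

```python
import re
import urllib.parse

# Default context root of the WebSphere traditional administrative console
# (assumption: adjust if the console was deployed elsewhere).
CONSOLE_ROOT = "/ibm/console/"

# NCSA combined-format access log line; only the fields the detector needs
# are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Markers of script injection after URL decoding. Deliberately simple and
# case-insensitive; tune against real console traffic before alerting on it.
XSS_RE = re.compile(
    r"<\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*(?:img|svg|iframe|body)\b",
    re.IGNORECASE,
)

# Constructed sample log lines (not real traffic). The help path and query
# parameter are invented for the sample; lines 2 and 3 carry single- and
# double-encoded probes, line 4 is a probe outside the console, line 5 benign.
SAMPLE_LOG = """\
10.0.0.5 - wasadmin [30/Jun/2026:10:01:12 +0000] "GET /ibm/console/login.do HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - wasadmin [30/Jun/2026:10:01:30 +0000] "GET /ibm/console/help/index.jsp?topic=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.9 - - [30/Jun/2026:10:02:01 +0000] "GET /ibm/console/help/index.jsp?topic=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 2210 "-" "curl/8.0"
10.0.0.7 - - [30/Jun/2026:10:03:44 +0000] "GET /app/search?q=%3Cscript%3E HTTP/1.1" 404 0 "-" "Mozilla/5.0"
10.0.0.5 - wasadmin [30/Jun/2026:10:04:10 +0000] "GET /ibm/console/help/index.jsp?topic=welcome HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""


def fully_decode(value, max_rounds=3):
    """Apply URL decoding until it stops changing, so double-encoded probes
    (%253C -> %3C -> <) are inspected in the form the browser would see."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_console_xss_attempts(log_text):
    """Return the requests aimed at the admin console whose decoded target
    carries a script-injection marker, in log order."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        target = fully_decode(match["target"])
        if not target.startswith(CONSOLE_ROOT):
            continue
        if XSS_RE.search(target):
            hits.append({
                "ip": match["ip"],
                "user": match["user"],
                "timestamp": match["ts"],
                "status": int(match["status"]),
                "target": target,
            })
    return hits


if __name__ == "__main__":
    for hit in find_console_xss_attempts(SAMPLE_LOG):
        print(f'{hit["timestamp"]} {hit["ip"]} ({hit["user"]}) -> {hit["target"]}')
```

Two details are worth keeping when adapting this: the decode loop exists because encoded-then-encoded payloads are a common way to slip past single-pass filters, and the record keeps the authenticated user name, since for this flaw the interesting question is which administrator's session a probe was delivered into, not just which client sent it. A 200 status on a flagged line is a reason to review the response, not proof of exploitation.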

Sources

IBM PSIRT support advisory for CVE-2026-11708 (IBM Support node 7278590)