⚡ Active KEV CVE-2026-11712 2026-06-30

IBM WebSphere Application Server Hit by Critical XSS Flaw (CVE-2026-11712)

A cross-site scripting vulnerability in the IBM WebSphere Application Server administrative console help system carries a critical CVSS 9.3 rating and affects versions 9.0 and 8.5.

What Is It

CVE-2026-11712 is a cross-site scripting (XSS) vulnerability, classified as CWE-79, in the administrative console help system of IBM WebSphere Application Server. The flaw is reachable over the network (AV:N) with low attack complexity and requires no privileges, but does require user interaction (UI:R) to trigger. Its scope is marked as Changed (S:C), meaning successful exploitation can affect resources beyond the initially vulnerable component. IBM's PSIRT is the assigning source and assessed the issue with a CVSS 3.1 base score of 9.3, rated CRITICAL.

Why It Matters

The vulnerability delivers high impact to both confidentiality and integrity (C:H/I:H), with no direct availability impact (A:N). Because the affected component is the administrative console, exploitation targets an interface used to manage the application server. The combination of network reach, no required privileges, and the Changed scope drives the elevated severity score. Note: the supplied CISA KEV data is empty, so there is no confirmation of active exploitation in the wild for this CVE at this time.

What's Vulnerable

Per the NVD record, the affected product is IBM WebSphere Application Server, specifically versions 9.0 and 8.5.

The vulnerable functionality is the help system within the administrative console.

Patch Status

IBM has published a security advisory for this issue at its support portal (node 7278590). Administrators running the affected 9.0 and 8.5 versions should consult that advisory for remediation guidance and apply the fixes IBM provides. No CISA KEV due-date or required-action directive is present in the supplied source material.

Sources