CVE-2026-11712 · Severity: CRITICAL · CNA: ibm

CVE-2026-11712: IBM WebSphere Application Server is affected by a cross-site scripting vulnerability

IBM WebSphere Application Server 9.0 and 8.5 are affected by a cross-site scripting vulnerability in the administrative console help system.

Metrics

CVSS v3.1 base score: 9.3
Severity: CRITICAL
Fixed in: not yet published
Affected products: 1


HarborGuard Analysis

Synopsis

A cross-site scripting (XSS) vulnerability affects the administrative console help system in IBM WebSphere Application Server versions 9.0 and 8.5. Per the CVSS vector (AV:N, PR:N, UI:R), the flaw is reachable over the network without authentication, but a victim must interact with a crafted link or attacker-controlled page for the payload to execute. Successful exploitation lets attacker-controlled script run in the victim's browser within the administrative console origin, where it can read and modify anything the logged-in administrator can (C:H, I:H). HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as IBM publishes a fix.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-11712 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all images in customer registries and CI/CD pipelines, including internally built images that package WebSphere Application Server 9.0 or 8.5.

Triage: Available

HarborGuard scores this CVE at its published CVSS v3.1 base score of 9.3 (Critical), weights that score against each environment's compliance policy to produce a prioritized finding, and routes the finding to the appropriate team inbox within the customer org.

Patch: Pending upstream

Because IBM has not yet published a fix version, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention.
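As an added example (not HarborGuard's or IBM's code), the matching and triage steps described above written out over a constructed image inventory: because the advisory lists only the 9.0 and 8.5 trains and no fix version, every fix-pack level in those trains is treated as affected until a fix level is recorded for that train. The image names, version strings, package name and the 9.0 policy threshold are assumptions for illustration.

```python
from dataclasses import dataclass

# Added example, not HarborGuard code. Image names, versions and the
# policy threshold below are constructed for illustration.

CVE_ID = "CVE-2026-11712"
AFFECTED_TRAINS = {(9, 0), (8, 5)}   # "9.0" and "8.5" per the IBM advisory
FIXED_IN = {}                         # no fix version published yet; map train -> fix level when IBM ships one
CVSS_BASE = 9.3                       # published CVSS v3.1 base score


@dataclass(frozen=True)
class ImagePackage:
    image: str
    package: str
    version: str   # WebSphere fix-pack style string, e.g. "9.0.5.18" (assumed format)


def parse_version(v: str) -> tuple:
    """Turn '9.0.5.18' into (9, 0, 5, 18) so tuples compare numerically, not lexically."""
    return tuple(int(x) for x in v.split("."))


def is_affected(pkg: ImagePackage, fixed_in=None) -> bool:
    """True when the package is WebSphere, in an affected train, and below any known fix level."""
    fixed_in = FIXED_IN if fixed_in is None else fixed_in
    if pkg.package != "websphere-application-server":   # assumed package name
        return False
    ver = parse_version(pkg.version)
    train = ver[:2]
    if train not in AFFECTED_TRAINS:
        return False
    fixed = fixed_in.get(train)
    if fixed is None:            # pending upstream: every level in the train counts as affected
        return True
    return ver < parse_version(fixed)


def triage(pkgs, critical_threshold=9.0):
    """Return (image, cve, queue) findings; policy routes scores >= threshold to the critical queue."""
    queue = "critical" if CVSS_BASE >= critical_threshold else "high"
    return [(p.image, CVE_ID, queue) for p in pkgs if is_affected(p)]


# Constructed inventory (not real images or real version data)
INVENTORY = [
    ImagePackage("registry.example/erp-app:2024.3", "websphere-application-server", "9.0.5.18"),
    ImagePackage("registry.example/legacy-portal:7", "websphere-application-server", "8.5.5.24"),
    ImagePackage("registry.example/batch-runner:1.2", "websphere-application-server", "8.0.0.15"),  # train not in advisory
    ImagePackage("registry.example/web-front:3.1", "openjdk", "17.0.9"),
]

if __name__ == "__main__":
    for finding in triage(INVENTORY):
        print(finding)
```

Once IBM publishes a fix level, recording it in the train map (for example a hypothetical `{(9, 0): "9.0.5.19"}`) is enough for images at or above that level to drop out of the findings while lower levels stay flagged.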

Exploit Conditions

  • Network reachability: Required

    The vulnerable component is served by the WebSphere administrative console, so the victim's browser must be able to reach the console. An attacker who cannot reach the console directly can still deliver a crafted link to an administrator who can.

  • Authentication: Not required

    No account or credential is needed to deliver the malicious payload to the targeted user; the payload executes with whatever console session the victim already holds.

  • Victim interaction: Required

    A victim must follow a crafted link or otherwise interact with attacker-controlled content in their browser for the XSS payload to execute.

  • Attack complexity: Low

    Rated AC:L: exploitation imposes no special configuration, timing, or environmental conditions on the attacker beyond getting the payload in front of a victim.

Blast Radius

  • An attacker can read any sensitive data visible in the administrative console and any session token exposed to script. Session cookies flagged HttpOnly cannot be read directly, but script running in the console origin can still send requests that carry them.
  • An attacker can issue state-changing requests within the console on behalf of the victim, including modifying server configuration or user permissions.
  • The changed scope in the vector (S:C) reflects that the vulnerable component is the WebSphere server while the impacted component is the administrator's browser, a different security authority. It does not mean the injected script escapes the browser's same-origin policy; the script is confined to the console origin. The changed scope is what lifts the base score to 9.3 rather than the 8.1 the same metrics would score as S:U.

How HarborGuard Handles This

Available on HarborGuard: scanning for CVE-2026-11712 is active across all connected registries and pipelines, with findings surfaced at Critical (9.3) severity and routed per each customer's compliance policy. Because IBM had not published a fix version as of the CVE publication date, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment upstream releases one. For customers with auto-remediation enabled, that rebuild is followed by a regression-test run and a PR opened against affected workloads. In the interim, compensating controls worth evaluating include restricting network access to the WebSphere administrative console to a trusted management network, having administrators open the console only from a dedicated browser profile so that a crafted link followed during ordinary browsing does not carry an authenticated console session, and auditing administrative console users to reduce the population of potential victims. Egress filtering on the WebSphere host is not a mitigation for this flaw: the injected script runs in the administrator's browser, not on the server.

Affected packages
  • IBM / WebSphere Application Server: 9.0 · 8.5

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N