Ibm Websphere Application Server — known CVE vulnerabilities
Every CVE whose affected-product data names Ibm Websphere Application Server, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (200)
CVE-2006-5323 — CVSS 10.0 (critical): Unspecified vulnerability in IBM WebSphere Application Server before 6.1.0.2 has unspecified impact and attack vectors, related to a…
CVE-2006-3232 — CVSS 10.0 (critical): Unspecified vulnerability in IBM WebSphere Application Server before 6.0.2.11 has unknown impact and attack vectors because the…
CVE-2010-3186 — CVSS 10.0 (critical): IBM WebSphere Application Server (WAS) 7.x before 7.0.0.13, and WebSphere Application Server Feature Pack for Web Services 6.1.0.9 through…
CVE-2000-0848 — CVSS 10.0 (critical): Buffer overflow in IBM WebSphere web application server (WAS) allows remote attackers to execute arbitrary commands via a long Host…
CVE-2008-0389 — CVSS 10.0 (critical): Unspecified vulnerability in the serveServletsByClassnameEnabled feature in IBM WebSphere Application Server (WAS) 6.0 through 6.0.2.25…
CVE-2007-6679 — CVSS 10.0 (critical): Unspecified vulnerability in the Administrative Console in IBM WebSphere Application Server 6.1 before Fix Pack 13 has unknown impact and…
CVE-2010-0425 — CVSS 10.0 (critical): modules/arch/win32/mod_isapi.c in mod_isapi in the Apache HTTP Server 2.0.37 through 2.0.63, 2.2.0 through 2.2.14, and 2.3.x before 2.3.7…
CVE-2011-1377 — CVSS 10.0 (critical): The Web Services Security component in the Web Services Feature Pack before 6.1.0.41 for IBM WebSphere Application Server (WAS) 6.1 does…
CVE-2008-3235 — CVSS 10.0 (critical): Unspecified vulnerability in the PropFilePasswordEncoder utility in the Security component in IBM WebSphere Application Server (WAS) 5.1…
CVE-2012-5955 — CVSS 10.0 (critical): Unspecified vulnerability in the IBM HTTP Server component 5.3 in IBM WebSphere Application Server (WAS) for z/OS allows remote attackers…
CVE-2013-0462 — CVSS 10.0 (critical): Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.1, 7.0 before 7.0.0.27, 8.0, and 8.5 has unknown impact and attack…
CVE-2008-4283 — CVSS 10.0 (critical): CRLF injection vulnerability in the WebContainer component in IBM WebSphere Application Server (WAS) 5.1.1.19 and earlier 5.1.x versions…
CVE-2008-2221 — CVSS 10.0 (critical): Unspecified vulnerability in the Java plugin in IBM WebSphere Application Server 5.0.2 allows untrusted applets to gain privileges via…
CVE-2013-1777 — CVSS 10.0 (critical): The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition…
CVE-2007-5483 — CVSS 10.0 (critical): Unspecified vulnerability in the Administrative Scripting Tools (such as wsadmin or ANT) in IBM WebSphere Application Server 5.x and 6.0.x…
CVE-2007-3264 — CVSS 10.0 (critical): Unspecified vulnerability in the PD tools component in IBM WebSphere Application Server (WAS) 6.1.0.7 and earlier has unknown impact and…
CVE-2007-3263 — CVSS 10.0 (critical): Unspecified vulnerability in the Default Messaging Component in IBM WebSphere Application Server (WAS) 6.1.0.7 and earlier has unknown…
CVE-2015-1920 — CVSS 10.0 (critical): IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.47, 7.0 before 7.0.0.39, 8.0 before 8.0.0.11, and 8.5 before 8.5.5.6 allows remote…
CVE-2008-5412 — CVSS 10.0 (critical): Unspecified vulnerability in IBM WebSphere Application Server (WAS) 7 before 7.0.0.1 on Windows has unknown impact and attack vectors…
CVE-2006-7198 — CVSS 10.0 (critical): Unspecified vulnerability in IBM WebSphere Application Server (WAS) before 5.1.1.14, and WAS for z/OS 601 before 6.0.2.13, has unknown…
CVE-2008-5414 — CVSS 10.0 (critical): Unspecified vulnerability in the Feature Pack for Web Services in the Web Services Security component in IBM WebSphere Application Server…
CVE-2006-6636 — CVSS 10.0 (critical): Unspecified vulnerability in the Utility Classes for IBM WebSphere Application Server (WAS) before 5.1.1.13 and 6.x before 6.0.2.17 has…
CVE-2009-1901 — CVSS 10.0 (critical): The Security component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35 permits "non-standard http methods," which has…
CVE-2008-0741 — CVSS 10.0 (critical): Unspecified vulnerability in the PropFilePasswordEncoder utility in IBM WebSphere Application Server (WAS) before 6.0.2 Fix Pack 25…
CVE-2006-2429 — CVSS 10.0 (critical): Unspecified vulnerability in IBM WebSphere Application Server 6.0.2, 6.0.2.1, 6.0.2.3, 6.0.2.5, and 6.0.2.7 has unknown impact and remote…
CVE-2006-2430 — CVSS 10.0 (critical): IBM WebSphere Application Server 5.0.2 and earlier, 5.1.1 and earlier, and 6.0.2 up to 6.0.2.7 records user credentials in plaintext in…
CVE-2009-1899 — CVSS 10.0 (critical): Unspecified vulnerability in the Administrative Configservice API in the System Management/Repository component in IBM WebSphere…
CVE-2009-1174 — CVSS 10.0 (critical): The Web Services Security component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35 and 7.0 before 7.0.0.3 has an…
CVE-2006-2433 — CVSS 10.0 (critical): Unspecified vulnerability in IBM WebSphere Application Server 6.0.2, 6.0.2.1, 6.0.2.3, 6.0.2.5, and 6.0.2.7 has unknown impact and attack…
CVE-2006-6136 — CVSS 10.0 (critical): IBM WebSphere Application Server 6.1.0 before Fix Pack 3 (6.1.0.3) does not perform EAL4 authentication checks at the proper time during…
CVE-2009-1172 — CVSS 10.0 (critical): The JAX-RPC WS-Security runtime in the Web Services Security component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.23 and…
CVE-2006-6135 — CVSS 10.0 (critical): Multiple unspecified vulnerabilities in IBM WebSphere Application Server 6.1.0 before Fix Pack 3 (6.1.0.3) have unknown impact and attack…
CVE-2011-4889 — CVSS 9.8 (critical): The javax.naming.directory.AttributeInUseException class in the Virtual Member Manager in IBM WebSphere Application Server (WAS) 6.1 before…
CVE-2026-8633 — CVSS 9.8 (critical): IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0 IBM WebSphere Application Server and WebSphere…
CVE-2018-1567 — CVSS 9.8 (critical): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow remote attackers to execute arbitrary Java code through the SOAP…
CVE-2019-4279 — CVSS 9.8 (critical): IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted…
CVE-2020-4448 — CVSS 9.8 (critical): IBM WebSphere Application Server Network Deployment 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the…
CVE-2020-4450 — CVSS 9.8 (critical): IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the system with a…
CVE-2020-4589 — CVSS 9.8 (critical): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the system with a…
CVE-2026-11712 — CVSS 9.3 (critical): IBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the administrative console help system.
CVE-2026-11708 — CVSS 9.3 (critical): IBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the administrative console's…
CVE-2008-4111 — CVSS 9.3 (critical): Unspecified vulnerability in Servlet Engine/Web Container in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.31 and 6.1 before…
CVE-2015-1885 — CVSS 9.3 (critical): WebSphereOauth20SP.ear in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.39, 8.0 before 8.0.0.11, 8.5 Liberty Profile before…
CVE-2007-3960 — CVSS 9.3 (critical): Multiple unspecified vulnerabilities in IBM WebSphere Application Server (WAS) before Fix Pack 21 (6.0.2.21) have unknown impact and attack…
CVE-2015-5041 — CVSS 9.1 (critical): The J9 JVM in IBM SDK, Java Technology Edition 6 before SR16 FP20, 6 R1 before SR8 FP20, 7 before SR9 FP30, and 7 R1 before SR3 FP30 allows…
CVE-2025-36038 — CVSS 9.0 (critical): IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially crafted…
CVE-2026-9311 — CVSS 9.0 (critical): IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to remote code execution caused by the bypass of security controls.
CVE-2026-9319 — CVSS 9.0 (critical): IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to potential remote code execution due to deserialization of untrusted data via…
CVE-2017-1194 — CVSS 8.8 (high): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site request forgery which could allow an attacker to…
CVE-2021-39031 — CVSS 8.8 (high): IBM WebSphere Application Server - Liberty 17.0.0.3 through 22.0.0.1 could allow a remote authenticated attacker to conduct an LDAP…
CVE-2021-29754 — CVSS 8.8 (high): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a privilege escalation vulnerability when using the SAML Web…
CVE-2021-29736 — CVSS 8.8 (high): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote user to gain elevated privileges on the system. IBM X-Force…
CVE-2020-4362 — CVSS 8.8 (high): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is vulnerable to a privilege escalation vulnerability when using…
CVE-2020-4534 — CVSS 8.8 (high): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local authenticated attacker to gain elevated privileges on the…
CVE-2020-4464 — CVSS 8.8 (high): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to execute arbitrary code on a system…
CVE-2017-1731 — CVSS 8.8 (high): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could provide weaker than expected security when using the Administrative Console…
CVE-2022-22476 — CVSS 8.8 (high): IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.7 and Open Liberty are vulnerable to identity spoofing by an authenticated…
CVE-2024-37532 — CVSS 8.8 (high): IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to identity spoofing by an authenticated user due to improper signature…
CVE-2026-9330 — CVSS 8.5 (high): IBM WebSphere Application Server 9.0, and 8.5 is affected by an improper validation of user-supplied data during deserialization using the…
CVE-2026-11714 — CVSS 8.5 (high): IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.7 is affected by a server-side request forgery vulnerability with the…
CVE-2026-11594 — CVSS 8.5 (high): IBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the administrative console.
CVE-2015-1882 — CVSS 8.5 (high): Multiple race conditions in IBM WebSphere Application Server (WAS) 8.5 Liberty Profile before 8.5.5.5 allow remote authenticated users to…
CVE-2021-20492 — CVSS 8.2 (high): IBM WebSphere Application Server 8.0, 8.5, 9.0, and Liberty Java Batch is vulnerable to an XML External Entity Injection (XXE) attack when…
CVE-2021-20453 — CVSS 8.2 (high): IBM WebSphere Application Server 8.0, 8.5, and 9.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data…
CVE-2020-4949 — CVSS 8.2 (high): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML…
CVE-2021-20353 — CVSS 8.2 (high): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML…
CVE-2021-20454 — CVSS 8.2 (high): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML…
CVE-2017-1137 — CVSS 8.1 (high): IBM WebSphere Application Server 8.0 and 8.5.5 could provide weaker than expected security. A remote attacker could exploit this weakness…
CVE-2023-23477 — CVSS 8.1 (high): IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the system with a…
CVE-2018-1904 — CVSS 8.1 (high): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow remote attackers to execute arbitrary Java code through an…
CVE-2017-1151 — CVSS 8.1 (high): IBM WebSphere Application Server 8.0, 8.5, 8.5.5, and 9.0 using OpenID Connect (OIDC) configured with a Trust Association Interceptor (TAI)…
CVE-2007-3262 — CVSS 7.8 (high): Unspecified vulnerability in the Default Messaging Component in IBM WebSphere Application Server (WAS) 6.1.0.7 and earlier allows remote…
CVE-2008-4678 — CVSS 7.8 (high): The HTTP_Request_Parser method in the HTTP Transport component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.31 allows…
CVE-2009-2744 — CVSS 7.8 (high): Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.27 allows remote attackers to cause a denial of…
CVE-2013-3024 — CVSS 7.8 (high): IBM WebSphere Application Server (WAS) 8.5 through 8.5.0.2 on UNIX allows local users to gain privileges by leveraging improper process…
CVE-2009-0391 — CVSS 7.8 (high): Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.0.1 on z/OS allows attackers to read arbitrary files via unknown…
CVE-2005-3760 — CVSS 7.8 (high): Double free vulnerability in the BBOORB module in IBM WebSphere Application Server for z/OS 5.0 allows attackers to cause a denial of…
CVE-2025-14914 — CVSS 7.6 (high): IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.1 could allow a privileged user to upload a zip archive containing path…
CVE-2019-4720 — CVSS 7.5 (high): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by sending a specially-crafted…
CVE-2006-5324 — CVSS 7.5 (high): The Web Services Notification (WSN) security component of IBM WebSphere Application Server before 6.1.0.2 allows attackers to obtain…
CVE-2019-4269 — CVSS 7.5 (high): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Admin Console could allow a remote attacker to obtain sensitive information when a…
CVE-2019-4046 — CVSS 7.5 (high): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by improper handling of request…
CVE-2011-1309 — CVSS 7.5 (high): The Plug-in component in IBM WebSphere Application Server (WAS) before 7.0.0.15 does not properly handle trace requests, which has…
CVE-2000-0497 — CVSS 7.5 (high): IBM WebSphere server 3.0.2 allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP…
CVE-2023-30441 — CVSS 7.5 (high): IBM Runtime Environment, Java Technology Edition IBMJCEPlus and JSSE 8.0.7.0 through 8.0.7.11 components could expose sensitive information…
CVE-2006-4136 — CVSS 7.5 (high): Multiple unspecified vulnerabilities in IBM WebSphere Application Server before 6.1.0.1 have unspecified impact and attack vectors…
CVE-2009-0508 — CVSS 7.5 (high): The Servlet Engine/Web Container and JSP components in IBM WebSphere Application Server (WAS) 5.1.0, 5.1.1.19, 6.0.2 before 6.0.2.35, 6.1…
CVE-2006-2436 — CVSS 7.5 (high): WebSphere Application Server 5.0.2 (or any earlier cumulative fix) stores admin and LDAP passwords in plaintext in the FFDC logs when a…
CVE-2010-1182 — CVSS 7.5 (high): Multiple unspecified vulnerabilities in the administrative console in IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.9 on z/OS…
CVE-2010-2324 — CVSS 7.5 (high): IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 on z/OS allows attackers to perform unspecified "link injection" actions via…
CVE-2016-9879 — CVSS 7.5 (high): An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not…
CVE-2016-8919 — CVSS 7.5 (high): IBM WebSphere Application Server may be vulnerable to a denial of service, caused by allowing serialized objects from untrusted sources to…
CVE-2009-0903 — CVSS 7.5 (high): IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.3, and the Feature Pack for Web Services for WAS 6.1 before 6.1.0.25, when a…
CVE-2016-5986 — CVSS 7.5 (high): IBM WebSphere Application Server (WAS) 7.x before 7.0.0.43, 8.0.x before 8.0.0.13, 8.5.x before 8.5.5.11, 9.0.x before 9.0.0.2, and Liberty…
CVE-2016-5983 — CVSS 7.5 (high): IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before 8.0.0.13, 8.5 before 8.5.5.11, 9.0 before 9.0.0.2, and Liberty…
CVE-2016-2945 — CVSS 7.5 (high): The API Discovery implementation in IBM WebSphere Application Server (WAS) 8.5.5.8 through 8.5.5.9 Liberty before Liberty Fix Pack 16.0.0.2…
CVE-2006-2432 — CVSS 7.5 (high): IBM WebSphere Application Server 5.0.2 (or any earlier cumulative fix) and 5.1.1 (or any earlier cumulative fix) allows EJB access on…
CVE-2016-2923 — CVSS 7.5 (high): IBM WebSphere Application Server (WAS) 8.5 through 8.5.5.9 Liberty before Liberty Fix Pack 16.0.0.2 does not include the HTTPOnly flag in a…
CVE-2025-36097 — CVSS 7.5 (high): IBM WebSphere Application Server 9.0 and WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.7 are vulnerable to a denial of…
CVE-2006-2342 — CVSS 7.5 (high): IBM WebSphere Application Server 6.0.2 before FixPack 3 allows remote attackers to bypass authentication for the Welcome Page via a request…
CVE-2009-2085 — CVSS 7.5 (high): The Security component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5 does not properly handle use of…
CVE-2005-1872 — CVSS 7.5 (high): Buffer overflow in the administrative console in IBM WebSphere Application Server 5.x, when the global security option is enabled, allows…
CVE-2021-20354 — CVSS 7.5 (high): IBM WebSphere Application Server 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories. An attacker could send a…
CVE-2020-4449 — CVSS 7.5 (high): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to obtain sensitive information with a…
CVE-2007-1945 — CVSS 7.5 (high): Unspecified vulnerability in the Servlet Engine/Web Container in IBM WebSphere Application Server (WAS) before 6.1.0.7 has unknown impact…
CVE-2007-1608 — CVSS 7.5 (high): CRLF injection vulnerability in IBM WebSphere Application Server (WAS) before 6.0.2.19 allows remote attackers to inject arbitrary HTTP…
CVE-2021-38951 — CVSS 7.5 (high): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by sending a specially-crafted…
CVE-2020-4276 — CVSS 7.5 (high): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is vulnerable to a privilege escalation vulnerability when using…
CVE-2012-4850 — CVSS 7.5 (high): IBM WebSphere Application Server 8.5 Liberty Profile before 8.5.0.1, when JAX-RS is used, does not properly validate requests, which allows…
CVE-2001-0962 — CVSS 7.5 (high): IBM WebSphere Application Server 3.02 through 3.53 uses predictable session IDs for cookies, which allows remote attackers to gain…
CVE-2001-0824 — CVSS 7.5 (high): Cross-site scripting vulnerability in IBM WebSphere 3.02 and 3.5 FP2 allows remote attackers to execute Javascript by inserting the…
CVE-2026-9071 — CVSS 7.5 (high): IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are vulnerable to a…
CVE-2020-4576 — CVSS 7.5 (high): IBM WebSphere Application Server 7.5, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to obtain sensitive information with a…
CVE-2020-4643 — CVSS 7.5 (high): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML…
CVE-2009-2088 — CVSS 7.5 (high): The Servlet Engine/Web Container component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5, when…
CVE-2026-3621 — CVSS 7.5 (high): IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.4 IBM WebSphere Application Server Liberty is vulnerable to identity…
CVE-2007-4839 — CVSS 7.5 (high): Unspecified vulnerability in the PD tools component in IBM WebSphere Application Server (WAS) 6.1 before Fix Pack 11 (6.1.0.11) has unknown…
CVE-2009-2092 — CVSS 7.5 (high): IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.5 does not properly read the portletServingEnabled parameter in…
CVE-2026-8620 — CVSS 7.5 (high): IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0 IBM WebSphere Application Server and WebSphere…
CVE-2026-11541 — CVSS 7.4 (high): IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are affected by an…
CVE-2026-9006 — CVSS 7.4 (high): IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to server-side request forgery (SSRF) with the Ajax Proxy configured. This may…
CVE-2026-8646 — CVSS 7.4 (high): IBM WebSphere Application Server 9.0 and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are vulnerable to…
CVE-2018-1695 — CVSS 7.3 (high): IBM WebSphere Application Server 7.0, 8.0, and 8.5.5 installations using Form Login could allow a remote attacker to conduct spoofing…
CVE-2026-10845 — CVSS 7.3 (high): IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to bypass authentication and gain unauthorized access to JAX-WS…
CVE-2018-1851 — CVSS 7.3 (high): IBM WebSphere Application Server Liberty OpenID Connect could allow a remote attacker to execute arbitrary code on the system, caused by…
CVE-1999-0852 — CVSS 7.2 (high): IBM WebSphere sets permissions that allow a local user to modify a deinstallation script or its data files stored in /usr/bin.
CVE-2009-0436 — CVSS 7.2 (high): The (1) mod_ibm_ssl and (2) mod_cgid modules in IBM HTTP Server 6.0.x before 6.0.2.31 and 6.1.x before 6.1.0.19, as used in WebSphere…
CVE-2020-4163 — CVSS 7.2 (high): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0, under specialized conditions, could allow an authenticated user to create a…
CVE-2024-35154 — CVSS 7.2 (high): IBM WebSphere Application Server 8.5 and 9.0 could allow a remote authenticated attacker, who has authorized access to the administrative…
CVE-2026-11806 — CVSS 7.2 (high): IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 is affected by an arbitrary file read vulnerability with the…
CVE-2018-1905 — CVSS 7.1 (high): IBM WebSphere Application Server 9.0.0.0 through 9.0.0.9 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML…
CVE-2014-0964 — CVSS 7.1 (high): IBM WebSphere Application Server (WAS) 6.1.0.0 through 6.1.0.47 and 6.0.2.0 through 6.0.2.43 allows remote attackers to cause a denial of…
CVE-2017-1382 — CVSS 7.1 (high): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 might create files using the default permissions instead of the customized…
CVE-2014-4764 — CVSS 7.1 (high): IBM WebSphere Application Server (WAS) 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.3, when Load Balancer for IPv4 Dispatcher is enabled…
CVE-2026-11546 — CVSS 7.1 (high): IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.7 is affected by a server-side request forgery vulnerability with the…
CVE-2024-22354 — CVSS 7.0 (high): IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.5 are vulnerable to an XML…
CVE-2013-4053 — CVSS 6.8 (medium): The WS-Security implementation in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.47, 7.0 before 7.0.0.31, 8.0 before 8.0.0.8, and…
CVE-2013-3029 — CVSS 6.8 (medium): Cross-site request forgery (CSRF) vulnerability in the Administrative console in IBM WebSphere Application Server (WAS) 6.1 before…
CVE-2008-4679 — CVSS 6.8 (medium): The Web Services Security component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.31 and 6.1 before 6.1.0.19, when…
CVE-2013-0543 — CVSS 6.8 (medium): IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.47, 7.0 before 7.0.0.29, 8.0 before 8.0.0.6, and 8.5 before 8.5.0.2 on Linux…
CVE-2011-1683 — CVSS 6.8 (medium): IBM WebSphere Application Server (WAS) 6.0.x through 6.0.2.43, 6.1.x before 6.1.0.37, and 7.0.x before 7.0.0.17 on z/OS, when a Local OS…
CVE-2011-1320 — CVSS 6.8 (medium): The Security component in IBM WebSphere Application Server (WAS) 6.1.0.x before 6.1.0.35 and 7.x before 7.0.0.15, when the Tivoli…
CVE-2010-3271 — CVSS 6.8 (medium): Multiple cross-site request forgery (CSRF) vulnerabilities in the Integrated Solutions Console (aka administrative console) in IBM…
CVE-2009-2746 — CVSS 6.8 (medium): Cross-site request forgery (CSRF) vulnerability in the administrative console in the Security component in IBM WebSphere Application Server…
CVE-2012-4853 — CVSS 6.8 (medium): Cross-site request forgery (CSRF) vulnerability in IBM WebSphere Application Server 6.1 before 6.1.0.45, 7.0 before 7.0.0.25, 8.0 before…
CVE-2015-1927 — CVSS 6.8 (medium): The default configuration of IBM WebSphere Application Server (WAS) 7.0.0 before 7.0.0.39, 8.0.0 before 8.0.0.11, and 8.5 before 8.5.5.6…
CVE-2012-3306 — CVSS 6.8 (medium): IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.45, 7.0 before 7.0.0.25, 8.0 before 8.0.0.5, and 8.5 before 8.5.0.1, when…
CVE-2012-3304 — CVSS 6.8 (medium): The Administrative Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.45, 7.0 before 7.0.0.25, 8.0 before 8.0.0.5, and 8.5…
CVE-2012-2162 — CVSS 6.8 (medium): The Web Server Plug-in in IBM WebSphere Application Server (WAS) 8.0 and earlier uses unencrypted HTTP communication after expiration of…
CVE-2013-0460 — CVSS 6.8 (medium): Cross-site request forgery (CSRF) vulnerability in the portlet subsystem in the administrative console in IBM WebSphere Application Server…
CVE-2025-14917 — CVSS 6.7 (medium): IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application Server Liberty could provide weaker than…
CVE-2021-20480 — CVSS 6.5 (medium): IBM WebSphere Application Server 7.0, 8.0, and 8.5 is vulnerable to server-side request forgery (SSRF). By sending a specially crafted…
CVE-2020-5016 — CVSS 6.5 (medium): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the system. When…
CVE-2020-4782 — CVSS 6.5 (medium): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the system. An attacker…
CVE-2014-4767 — CVSS 6.5 (medium): IBM WebSphere Application Server (WAS) Liberty Profile 8.5.x before 8.5.5.3 does not properly use the Liberty Repository for feature…
CVE-2015-0110 — CVSS 6.5 (medium): IBM Business Process Manager (aka BPM) 7.5.x, 8.0.x, and 8.5.x and WebSphere Lombardi Edition (aka WLE) 7.2.x allow remote authenticated…
CVE-2025-14915 — CVSS 6.5 (medium): IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application Server Liberty is affected by privilege…
CVE-2009-0906 — CVSS 6.5 (medium): The Service Component Architecture (SCA) feature pack for IBM WebSphere Application Server (WAS) SCA 1.0 before 1.0.0.3 allows remote…
CVE-2017-1504 — CVSS 6.5 (medium): IBM WebSphere Application Server version 9.0.0.4 could provide weaker than expected security after using the PasswordUtil command to enable…
CVE-2018-1770 — CVSS 6.5 (medium): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the system. An attacker…
CVE-2019-4080 — CVSS 6.5 (medium): IBM WebSphere Application Server Admin Console 7.5, 8.0, 8.5, and 9.0 is vulnerable to a potential denial of service, caused by improper…
CVE-2022-35282 — CVSS 6.5 (medium): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to server-side request forgery (SSRF). By sending a specially crafted…
CVE-2019-4477 — CVSS 6.5 (medium): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a user with access to audit logs to obtain sensitive information…
CVE-2019-4670 — CVSS 6.5 (medium): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to obtain sensitive information caused by improper…
CVE-2019-4732 — CVSS 6.5 (medium): IBM SDK, Java Technology Edition Version 7.0.0.0 through 7.0.10.55, 7.1.0.0 through 7.1.4.55, and 8.0.0.0 through 8.0.6.0 could allow a…
CVE-2022-22475 — CVSS 6.5 (medium): IBM WebSphere Application Server Liberty and Open Liberty 17.0.0.3 through 22.0.0.5 are vulnerable to identity spoofing by an authenticated…
CVE-2022-22393 — CVSS 6.5 (medium): IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.5 , with the adminCenter-1.0 feature configured, could allow an…
CVE-2022-22310 — CVSS 6.5 (medium): IBM WebSphere Application Server Liberty 21.0.0.10 through 21.0.0.12 could provide weaker than expected security. A remote attacker could…
CVE-2011-1321 — CVSS 6.5 (medium): The AuthCache purge implementation in the Security component in IBM WebSphere Application Server (WAS) 6.1.0.x before 6.1.0.37 and 7.x…
CVE-2020-4590 — CVSS 6.5 (medium): IBM WebSphere Application Server Liberty 17.0.0.3 through 20.0.0.9 running oauth-2.0 or openidConnectServer-1.0 server features is…
CVE-2009-0904 — CVSS 6.4 (medium): The IBM Stax XMLStreamWriter in the Web Services component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 does not properly…
CVE-2006-1093 — CVSS 6.4 (medium): Unspecified vulnerability in IBM WebSphere 5.0.2.10 through 5.0.2.15 and 5.1.1.4 through 5.1.1.9 allows remote attackers to obtain…
CVE-2006-2435 — CVSS 6.4 (medium): Unspecified vulnerability in IBM WebSphere Application Server 5.0.2 and earlier, and 5.1.1 and earlier, has unknown impact and attack…
CVE-2009-2749 — CVSS 6.4 (medium): Feature Pack for Communications Enabled Applications (CEA) before 1.0.0.1 for IBM WebSphere Application Server 7.0.0.7 uses predictable…
CVE-2012-3305 — CVSS 6.4 (medium): Directory traversal vulnerability in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.47, 7.0 before 7.0.0.25, 8.0 before 8.0.0.5…
CVE-2019-4304 — CVSS 6.3 (medium): IBM WebSphere Application Server - Liberty could allow a remote attacker to bypass security restrictions caused by improper session…
CVE-2023-27554 — CVSS 6.3 (medium): IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A…
CVE-2018-1797 — CVSS 6.3 (medium): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 using Enterprise bundle Archives (EBA) could allow a local attacker to traverse…
CVE-2009-0506 — CVSS 6.2 (medium): Unspecified vulnerability in IBM WebSphere Application Server (WAS) 5.1 and 6.0.2 before 6.0.2.33 on z/OS, when CSIv2 Identity Assertion is…
CVE-2020-4575 — CVSS 6.1 (medium): IBM WebSphere Application Server ND 8.5 and 9.0, and IBM WebSphere Virtual Enterprise 7.0 and 8.0 are vulnerable to cross-site scripting…
CVE-2020-4304 — CVSS 6.1 (medium): IBM WebSphere Application Server - Liberty 17.0.0.3 through 20.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users…
CVE-2020-4303 — CVSS 6.1 (medium): IBM WebSphere Application Server - Liberty 17.0.0.3 through 20.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users…
CVE-2022-22477 — CVSS 6.1 (medium): IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary…
CVE-2023-24966 — CVSS 6.1 (medium): IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary…
CVE-2018-1798 — CVSS 6.1 (medium): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed…
CVE-2018-1794 — CVSS 6.1 (medium): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 using OAuth ear is vulnerable to cross-site scripting. This vulnerability allows…
CVE-2018-1793 — CVSS 6.1 (medium): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 using SAML ear is vulnerable to cross-site scripting. This vulnerability allows…
CVE-2018-1767 — CVSS 6.1 (medium): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Cachemonitor is vulnerable to cross-site scripting. This vulnerability allows users…
CVE-2018-1643 — CVSS 6.1 (medium): The Installation Verification Tool of IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This…
CVE-2017-1503 — CVSS 6.1 (medium): IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to HTTP response splitting attacks. A remote attacker could exploit…
CVE-2016-0359 — CVSS 6.1 (medium): CRLF injection vulnerability in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before 8.0.0.13, 8.5 Full before 8.5.5.10…
CVE-2016-0283 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in the OpenID Connect (OIDC) client web application in IBM WebSphere Application Server (WAS)…
CVE-2011-1311 — CVSS 6.0 (medium): The Security component in IBM WebSphere Application Server (WAS) before 7.0.0.15, when a J2EE 1.4 application is used, determines the…
CVE-2012-3325 — CVSS 6.0 (medium): IBM WebSphere Application Server (WAS) 6.1.x before 6.1.0.45, 7.0.x before 7.0.0.25, 8.0.x before 8.0.0.5, and 8.5.x Full Profile before…
CVE-2018-1840 — CVSS 6.0 (medium): IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to gain elevated privileges on the system, caused when a…
CVE-2010-0785 — CVSS 6.0 (medium): Cross-site request forgery (CSRF) vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35…
CVE-2015-1936 — CVSS 6.0 (medium): The administrative console in IBM WebSphere Application Server (WAS) 8.0.0 before 8.0.0.11 and 8.5 before 8.5.5.6, when the Security…
CVE-2014-4816 — CVSS 6.0 (medium): Cross-site request forgery (CSRF) vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 6.x through…