IBM WebSphere Application Server RCE Vulnerabilities Advisory (CVE-2026-9311/9330)

Vulnerability Overview IBM WebSphere Application Server is affected by a remote code execution vulnerability (CVE-2026-9311, CVE-2026-9330). Scope of Impact CVE-2026-9311: IBM WebSphere Application Server is vulnerable to remote code execution due to a bypass of security controls. CVE-2026-9330: IBM WebSphere Application Server is vulnerable to remote code execution because user-supplied data is not properly validated during deserialization when using the SAML Web Single Sign-On component. Remediation IBM strongly recommends applying the currently available interim fix or fix pack that addresses APAR PH71453 immediately. For IBM WebSphere Application Server traditional: - For V9.0.0.0 to 9.0.5.28: - Upgrade to the required interim fix level, and then apply the interim fix addressing PH71453. - Alternatively, apply Fix Pack 9.0.5.29 or later (target availability in Q3 2026). - For V8.5.0.0 to 8.5.5.29: - Upgrade to the required interim fix level, and then apply the interim fix addressing PH71453. - Alternatively, apply Fix Pack 8.5.5.30 or later (target availability in Q3 2026). Additional Information Affected Products and Versions: - IBM WebSphere Application Server 9.0 - IBM WebSphere Application Server 8.5 Workarounds and Mitigations: None Reference Links: - Complete CVSS v3 Guide - On-line Vulnerability v3 Related Information: - IBM Secure Engineering Web Portal - IBM Product Security Incident Response Blog Change History: - June 1, 2026: Initial release Disclaimer: - In accordance with the definition by the FIRST organization, CVSS scores are provided "as is," and IBM assumes no responsibility for any express or implied warranties. Customers must evaluate the impact of the vulnerability on their own environments. Code Blocks No POC code or exploit code is included in this page.

Goal Reached Thanks to every supporter — we hit 100%!

IBM WebSphere Application Server RCE Vulnerabilities Advisory (CVE-2026-9311/9330)

More from this source