CVE-2025-12635

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

5.4MEDIUM

EPSS

0.0%

top 84.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Websphere Application Server IBM Websphere Application Server Liberty

Timeline

PublishedDec 8

Latest updateDec 9

Description

IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.12 are affected by cross-site scripting due to improper validation of user-supplied input. An attacker could exploit this vulnerability by using a specially crafted URL to redirect the user to a malicious site.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶CVEListV5ibm/websphere_application_server_liberty17.0.0.3 — 25.0.0.12

▶NVDibm/websphere_application_server8.5 — 8.5.5.29+2

▶CVEListV5ibm/websphere_application_server9.0 — 2.0.18+1

🔴Vulnerability Details

GHSA

GHSA-pmc7-2mv9-jmgx: IBM WebSphere Application Server 8↗2025-12-09

▶

CVEList

IBM WebSphere Application Server and WebSphere Application Server Liberty Cross-Site Scripting↗2025-12-08

▶