CVE-2025-36000

CWE-79 — Cross-site Scripting (XSS)CWE-617 — Reachable Assertion4 documents4 sources

Severity

4.8MEDIUM

EPSS

0.0%

top 95.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Websphere Application Server IBM Websphere Application Server Liberty

Timeline

PublishedAug 12

Description

IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.8 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:NExploitability: 1.3 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5ibm/websphere_application_server_liberty17.0.0.3 — 25.0.0.8

▶NVDibm/websphere_application_server17.0.0.3 — 25.0.0.9

🔴Vulnerability Details

GHSA

GHSA-q75f-gp3w-mr34: IBM WebSphere Application Server Liberty 17↗2025-08-12

▶

CVEList

IBM WebSphere Application Server Liberty cross-site scripting↗2025-08-12

▶

📋Vendor Advisories

Microsoft

mm/hugetlb: fix missing hugetlb_lock for resv uncharge↗2024-05-14

▶