CVE-2025-66486
HTML Injection in IBM Aspera Shares 1.9.9–1.11.0 Enables Remote Attack
Publication date: 2026-04-01
Last updated on: 2026-04-03
Assigner: IBM Corporation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ibm | aspera_shares | From 1.9.9 (inc) to 1.11.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-80 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
AI Powered Q&A
Can you explain this vulnerability to me?
IBM Aspera Shares versions 1.9.9 through 1.11.0 contain a vulnerability known as HTML injection. This means a remote attacker can insert malicious HTML code into the application. When a victim views this injected content in their web browser, the malicious code executes within the security context of the hosting site.
How can this vulnerability impact me?
This vulnerability can allow an attacker to execute malicious HTML code in the victim's browser, potentially leading to unauthorized actions or data exposure within the context of the affected site. The CVSS score indicates that the attack can be performed remotely with low attack complexity but requires high privileges and user interaction. The impact includes limited confidentiality and integrity loss but no availability impact.