CVE-2026-9319
Remote Code Execution in IBM WebSphere Application Server
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: IBM Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ibm | websphere_application_server | 9.0 |
| ibm | websphere_application_server | 8.5 |
| ibm | websphere_application_server | to 8.5 (exc) |
| ibm | websphere_application_server | to 8.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-9319 is a critical vulnerability in IBM WebSphere Application Server versions 9.0 and 8.5. It arises from the deserialization of untrusted data via JAX-WS endpoints that use WS-Security. This flaw allows an attacker to potentially execute arbitrary code remotely on the affected system.
How can this vulnerability impact me? :
This vulnerability can lead to remote code execution, meaning an attacker could run malicious code on your server without authorization. Given the high CVSS score of 9.0, the impact includes complete compromise of confidentiality, integrity, and availability of the affected system, potentially leading to data breaches, service disruption, or further network compromise.
What immediate steps should I take to mitigate this vulnerability?
IBM recommends applying interim fixes or upgrading to specific fix packs to address the vulnerability in IBM WebSphere Application Server versions 9.0 and 8.5.
No workarounds are currently available, so applying the provided fixes is the immediate mitigation step.
Customers should evaluate the impact of this vulnerability in their environments and prioritize patching accordingly.