IBM Http Server
By the Year
In 2026 there have been 8 vulnerabilities in IBM Http Server with an average score of 7.8 out of ten. Http Server did not have any published security vulnerabilities last year. That is, 8 more vulnerabilities have already been reported in 2026 as compared to last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 8 | 7.76 |
| 2025 | 0 | 0.00 |
| 2024 | 0 | 0.00 |
| 2023 | 1 | 7.50 |
It may take a day or so for new Http Server vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent IBM Http Server Security Vulnerabilities
IBM WebSphere App Server 8.5/9.0 PLUGIN DoS/CodeExec via Improper Validation
CVE-2026-9170
9.8 - Critical
- May 26, 2026
IBM HTTP Server 8.5 and 9.0
Code Injection
IBM HTTP Server 8.5-9.0 InvPtr Deref Authenticated DoS/Info Leak
CVE-2026-8835
7.3 - High
- May 26, 2026
IBM HTTP Server 8.5 and 9.0 is vulnerable to invalid pointer dereference. A privileged user, authenticated to the Administration Server, could exploit this vulnerability to expose sensitive information or cause a denial of service.
Untrusted Pointer Dereference
IBM HTTP Server 8.5/9.0 Buffer Overflow via Auth Admin
CVE-2026-8834
8 - High
- May 26, 2026
IBM HTTP Server 8.5 and 9.0 contains a buffer overflow vulnerability. A privileged user, authenticated to the Administration Server, could exploit this vulnerability to execute remote code or cause a denial of service.
Heap-based Buffer Overflow
IBM HTTP Server 8.5/9.0 TLS Mutual Auth RCE
CVE-2026-8855
8.1 - High
- May 26, 2026
IBM HTTP Server 8.5 and 9.0 is vulnerable to remote code execution and denial of service in configurations with TLS mutual authentication (client authentication).
Code Injection
IBM HTTP Server 8.5/9.0 DDoS via mod_mem_cache
CVE-2026-8854
7.5 - High
- May 26, 2026
IBM HTTP Server 8.5 and 9.0 is vulnerable to denial of service via the optional module mod_mem_cache.
Dangling pointer
IBM HTTP Server 8.5/9.0 DoS via config write access
CVE-2026-8856
7.7 - High
- May 26, 2026
IBM HTTP Server 8.5 and 9.0 is vulnerable to denial of service in configurations where an attacker has write access to parts of the server configuration.
Resource Exhaustion
IBM HTTP Server 8.5/9.0 DoS via mod_fastcgi module
CVE-2026-8852
6.2 - Medium
- May 26, 2026
IBM HTTP Server 8.5 and 9.0 is vulnerable to denial of service via the optional module mod_fastcgi.
assertion failure
IBM HTTP Server 8.5 & 9.0 - mod_ibm_upload Denial of Service
CVE-2026-8850
7.5 - High
- May 26, 2026
IBM HTTP Server 8.5 and 9.0 is vulnerable to denial of service via the optional module mod_ibm_upload.
NULL Pointer Dereference
IBM GSKit Timing Side-Channel RSA Decrypt Remote Leak
CVE-2023-32342
7.5 - High
- May 30, 2023
IBM GSKit could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. By sending an overly large number of trial messages for decryption, an attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID: 255828.
Side Channel Attack
http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components
CVE-2006-3918
- July 28, 2006
http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file.
Heap-based buffer overflow in proxy_util.c for mod_proxy in Apache 1.3.25 to 1.3.31
CVE-2004-0492
- August 06, 2004
Heap-based buffer overflow in proxy_util.c for mod_proxy in Apache 1.3.25 to 1.3.31 allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a negative Content-Length HTTP header field, which causes a large amount of data to be copied.
The ap_get_mime_headers_core function in Apache httpd 2.0.49
CVE-2004-0493
- August 06, 2004
The ap_get_mime_headers_core function in Apache httpd 2.0.49 allows remote attackers to cause a denial of service (memory exhaustion), and possibly an integer signedness error leading to a heap-based buffer overflow on 64 bit systems, via long header lines with large numbers of space or tab characters.
The Apache 1.3.x HTTP server for Windows platforms
CVE-2000-0505
- May 31, 2000
The Apache 1.3.x HTTP server for Windows platforms allows remote attackers to list directory contents by requesting a URL containing a large number of / characters.