IBM WebSphere Application Server
By the Year
In 2026 there have been 2 vulnerabilities in IBM WebSphere Application Server with an average score of 6.0 out of ten. Last year, in 2025, WebSphere Application Server had 11 security vulnerabilities published. Right now, WebSphere Application Server is on track to have fewer security vulnerabilities in 2026 than it did last year. Last year, the average CVE base score was greater by 0.41.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 2 | 6.00 |
| 2025 | 11 | 6.41 |
| 2024 | 19 | 6.43 |
| 2023 | 8 | 6.39 |
| 2022 | 11 | 6.41 |
| 2021 | 8 | 5.90 |
| 2020 | 22 | 7.26 |
| 2019 | 18 | 5.92 |
| 2018 | 24 | 0.00 |
It may take a day or so for new WebSphere Application Server vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent IBM WebSphere Application Server Security Vulnerabilities
IBM WebSphere Application Server 9.0/8.5 Weak Security Admin (CVE-2025-13333)
CVE-2025-13333
4.4 - Medium
- February 17, 2026
IBM WebSphere Application Server 9.0, and 8.5 could provide weaker than expected security during system administration of security settings.
Improperly Implemented Security Check for Standard
IBM WAS Liberty 17.0.0.3-26.0.0.1 ZIP Path Traversal Arbitrary Code Execution
CVE-2025-14914
7.6 - High
- February 02, 2026
IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.1 could allow a privileged user to upload a zip archive containing path traversal sequences resulting in an overwrite of files leading to arbitrary code execution.
Directory traversal
IBM WebSphere App Server 8.5/9.0 & Lib 17.0.0.3-25.0.0.12 XSS URL Redirect
CVE-2025-12635
5.4 - Medium
- December 08, 2025
IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.12 are affected by cross-site scripting due to improper validation of user-supplied input. An attacker could exploit this vulnerability by using a specially crafted URL to redirect the user to a malicious site.
XSS
IBM WebSphere AS 8.5/9.0 DoS via Memory Exhaustion
CVE-2025-36099
4.9 - Medium
- September 29, 2025
IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to a denial of service, caused by sending a specially-crafted request. A privileged user could exploit this vulnerability to cause the server to consume memory resources.
Allocation of Resources Without Limits or Throttling
IBM WAS Liberty 18.0.0.2-25.0.0.8 DoS via memory exhaustion
CVE-2025-36047
5.3 - Medium
- August 14, 2025
IBM WebSphere Application Server Liberty 18.0.0.2 through 25.0.0.8 is vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources.
Allocation of Resources Without Limits or Throttling
IBM WebSphere AS 8.5/9.0 TLS Weak Cipher Suite
CVE-2025-33142
7.5 - High
- August 14, 2025
IBM WebSphere Application Server 8.5 and 9.0 could provide weaker than expected security for TLS connections.
Improper Certificate Validation
IBM WebSphere Liberty 17.0.0.3-25.0.0.8 Stored XSS via Web UI
CVE-2025-36000
4.8 - Medium
- August 12, 2025
IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.8 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
XSS
IBM WebSphere Liberty JMS Config Ignorance 17.0.0.3-25.0.0.8
CVE-2025-36124
7.5 - High
- August 12, 2025
IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.8 could allow a remote attacker to bypass security restrictions caused by a failure to honor JMS messaging configuration.
Privilege Chaining
IBM WebSphere App Server Config Bypass (9.0, 17.0.0.3-25.0.0.7)
CVE-2024-56339
7.5 - High
- August 07, 2025
IBM WebSphere Application Server 9.0 and WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.7 could allow a remote attacker to bypass security restrictions caused by a failure to honor security configuration.
IBM WebSphere App Server DoS via Stack Overflow (before 25.0.0.7)
CVE-2025-36097
7.5 - High
- July 16, 2025
IBM WebSphere Application Server 9.0 and WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.7 are vulnerable to a denial of service, caused by a stack-based overflow. An attacker can send a specially crafted request that causes the server to consume excessive memory resources.
Stack Overflow
RCE via Serialized Objects in IBM WebSphere App Server 8.5 & 9.0
CVE-2025-36038
9.8 - Critical
- June 25, 2025
IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially crafted sequence of serialized objects.
Marshaling, Unmarshaling
IBM WebSphere Application Server 8.5/9.0 XSS in Web UI
CVE-2025-33104
7.6 - High
- May 14, 2025
IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
XSS
SSRF Vulnerability in IBM WebSphere App Server 8.5/9.0
CVE-2025-27907
2.7 - Low
- April 22, 2025
IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
SSRF
IBM WebSphere Application Server 8.5/9.0 XSS Vulnerability in Web UI
CVE-2024-45087
4.8 - Medium
- November 11, 2024
IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
XSS
IBM WebSphere XXE Injection Vulnerability
CVE-2024-45086
5.5 - Medium
- November 04, 2024
IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A privileged user could exploit this vulnerability to expose sensitive information or consume memory resources.
XXE
IBM WebSphere App Server 8.5/9.0 XXE Vulnerable XML Parser
CVE-2024-45072
5.5 - Medium
- October 16, 2024
IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A privileged user could exploit this vulnerability to expose sensitive information or consume memory resources.
XXE
IBM WebSphere App Server 8.5/9.0 XSS via Web UI (CVE-2024-45071)
CVE-2024-45071
4.8 - Medium
- October 16, 2024
IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
XSS
IBM WebSphere App Server 8.5 DoS via crafted request
CVE-2024-45085
7.5 - High
- October 15, 2024
IBM WebSphere Application Server 8.5 is vulnerable to a denial of service, under certain configurations, caused by an unexpected specially crafted request. A remote attacker could exploit this vulnerability to cause an error resulting in a denial of service.
Improper Check for Unusual or Exceptional Conditions
Stored XSS in IBM WebSphere App Server 8.5/9.0 Web UI
CVE-2024-45073
4.8 - Medium
- September 30, 2024
IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
XSS
IBM WAS Liberty 17-24.0.0.8 Spoofing via Trusted Cert
CVE-2023-50314
7.5 - High
- August 14, 2024
IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.8 could allow an attacker with access to the network to conduct spoofing attacks. An attacker could exploit this vulnerability using a certificate issued by a trusted authority to obtain sensitive information. IBM X-Force ID: 274713.
IBM WebSphere App Server 8.5/9.0: X.509 cert spoofing allows network spoof
CVE-2023-50315
5.9 - Medium
- August 14, 2024
IBM WebSphere Application Server 8.5 and 9.0 could allow an attacker with access to the network to conduct spoofing attacks. An attacker could exploit this vulnerability using a certificate issued by a trusted authority to obtain sensitive information. IBM X-Force ID: 274714.
Improper Certificate Validation
IBM WAS 8.5/9.0 RCE via Auth'd Admin Console
CVE-2024-35154
7.2 - High
- July 09, 2024
IBM WebSphere Application Server 8.5 and 9.0 could allow a remote authenticated attacker, who has authorized access to the administrative console, to execute arbitrary code. Using specially crafted input, the attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 292641.
Execution with Unnecessary Privileges
XSS in IBM WebSphere Application Server Web UI 8.5/9.0
CVE-2024-35153
4.8 - Medium
- June 27, 2024
IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 292640.
XSS
IBM WebSphere App Server 8.5/9.0 Identity Spoofing via Improper Sig Val
CVE-2024-37532
8.8 - High
- June 20, 2024
IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to identity spoofing by an authenticated user due to improper signature validation. IBM X-Force ID: 294721.
Improper Verification of Cryptographic Signature
IBM WebSphere Server 8.5/9.0/Liberty 17.0.0.3-24.0.0.4 DoS via crafted request
CVE-2024-25026
7.5 - High
- April 25, 2024
IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.4 are vulnerable to a denial of service, caused by sending a specially crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources. IBM X-Force ID: 281516.
Allocation of Resources Without Limits or Throttling
SSRF in IBM WebSphere App Server 8.5/9.0 & Liberty 17.0.0.3-24
CVE-2024-22329
- April 17, 2024
IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.3 are vulnerable to server-side request forgery (SSRF). By sending a specially crafted request, an attacker could exploit this vulnerability to conduct the SSRF attack. X-Force ID: 279951.
IBM WebSphere 8.5-24 XXE Injection (XML External Entity Attack)
CVE-2024-22354
7 - High
- April 17, 2024
IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.5 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information, consume memory resources, or to conduct a server-side request forgery attack. IBM X-Force ID: 280401.
XXE
IBM WebSphere App Server Liberty 18.0.0.2-24.0.0.4 DoS via crafted request
CVE-2024-27268
7.5 - High
- April 04, 2024
IBM WebSphere Application Server Liberty 18.0.0.2 through 24.0.0.4 is vulnerable to a denial of service, caused by sending a specially crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources. IBM X-Force ID: 284574.
Allocation of Resources Without Limits or Throttling
IBM WAS 8.5/9.0 TLS Config Failure Weak Outbound Security
CVE-2023-50313
6.5 - Medium
- April 02, 2024
IBM WebSphere Application Server 8.5 and 9.0 could provide weaker than expected security for outbound TLS connections caused by a failure to honor user configuration. IBM X-Force ID: 274812.
Use of a Broken or Risky Cryptographic Algorithm
IBM WebSphere App Server Liberty DoS via Crafted Request 17.0.0.3-24.0.0.4
CVE-2024-22353
7.5 - High
- March 31, 2024
IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.4 is vulnerable to a denial of service, caused by sending a specially crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources. IBM X-Force ID: 280400.
Allocation of Resources Without Limits or Throttling
IBM WebSphere AppSrv Liberty 23-24 XSS via crafted URI
CVE-2024-27270
6.1 - Medium
- March 27, 2024
IBM WebSphere Application Server Liberty 23.0.0.3 through 24.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in a specially crafted URI. IBM X-Force ID: 284576.
XSS
IBM WebSphere Liberty 17.0.0.3-24.0.0.2 TLS Config Downgrade Vulnerability
CVE-2023-50312
6.5 - Medium
- March 01, 2024
IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.2 could provide weaker than expected security for outbound TLS connections caused by a failure to honor user configuration. IBM X-Force ID: 274711.
Use of a Broken or Risky Cryptographic Algorithm
IBM WebSphere App Server Liberty 22.0.0.13-23.0.0.7 DoS via Crafted Request
CVE-2023-38737
7.5 - High
- August 16, 2023
IBM WebSphere Application Server Liberty 22.0.0.13 through 23.0.0.7 is vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources. IBM X-Force ID: 262567.
Resource Exhaustion
IBM WebSphere App Server 8.5/9.0: weak security due to local config encoding
CVE-2023-35890
5.5 - Medium
- July 07, 2023
IBM WebSphere Application Server 8.5 and 9.0 could provide weaker than expected security, caused by the improper encoding in a local configuration file. IBM X-Force ID: 258637.
Use of a Broken or Risky Cryptographic Algorithm
IBM WebSphere App Server 8.5/9.0 XXE Vulnerability in XML Parser
CVE-2023-27554
6.3 - Medium
- May 11, 2023
IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 249185.
XXE
Spoofing via MITM in IBM WAS 7.0-9.0 with WebServer Plug-ins (auth)
CVE-2022-39161
5.3 - Medium
- May 03, 2023
IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0, and IBM WebSphere Application Server Liberty, when configured to communicate with the Web Server Plug-ins for IBM WebSphere Application Server, could allow an authenticated user to conduct spoofing attacks. A man-in-the-middle attacker could exploit this vulnerability using a certificate issued by a trusted authority to obtain sensitive information. IBM X-Force ID: 235069.
Improper Certificate Validation
IBM Runtime Java EE: IBMJCEPlus & JSSE 8.0.7.x Sensitive Info Leak
CVE-2023-30441
7.5 - High
- April 29, 2023
IBM Runtime Environment, Java Technology Edition IBMJCEPlus and JSSE 8.0.7.0 through 8.0.7.11 components could expose sensitive information using a combination of flaws and configurations. IBM X-Force ID: 253188.
IBM WebSphere App Server 8.5-9.0 XSS via Web UI leads to credential disclosure
CVE-2023-24966
6.1 - Medium
- April 27, 2023
IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 246904.
XSS
Cross-Site Scripting in IBM WebSphere AppServer 9.0 Web UI
CVE-2023-26283
5.4 - Medium
- April 02, 2023
IBM WebSphere Application Server 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 248416.
XSS
Weaker crypto keys in IBM WebSphere App Server 8.5/9.0 container allow decrypt
CVE-2022-43917
7.5 - High
- January 26, 2023
IBM WebSphere Application Server 8.5 and 9.0 traditional container uses weaker than expected cryptographic keys that could allow an attacker to decrypt sensitive information. This affects only the containerized version of WebSphere Application Server traditional. IBM X-Force ID: 241045.
Use of a Broken or Risky Cryptographic Algorithm
IBM WAS 8.5/9.0 XSS in Web UI Exploitable
CVE-2022-40750
5.4 - Medium
- November 11, 2022
IBM WebSphere Application Server 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 236588.
XSS
MITM SOAPAction Spoofing in IBM WebSphere App Server 7.0-9.0 Web Services
CVE-2022-38712
5.9 - Medium
- November 03, 2022
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Web services could allow a man-in-the-middle attacker to conduct SOAPAction spoofing to execute unwanted or unauthorized operations. IBM X-Force ID: 234762.
Authentication Bypass by Spoofing
SSRF in IBM WebSphere Application Server (v7.0-9.0)
CVE-2022-35282
6.5 - Medium
- September 28, 2022
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to server-side request forgery (SSRF). By sending a specially crafted request, an attacker with local network access could exploit this vulnerability to obtain sensitive data.
SSRF
IBM WAS 7-9.0 Web UI XSS (CVE-2022-34336)
CVE-2022-34336
5.4 - Medium
- September 13, 2022
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 229714.
XSS
HTTP Header Injection in IBM WebSphere AS & Liberty (Cache Poisoning, XSS)
CVE-2022-34165
5.4 - Medium
- September 09, 2022
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.9 are vulnerable to HTTP header injection, caused by improper validation. This could allow an attacker to conduct various attacks against the vulnerable system, including cache poisoning and cross-site scripting. IBM X-Force ID: 229429.
Injection
IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.7 and Open Liberty are vulnerable to identity spoofing by an authenticated user using a specially crafted request
CVE-2022-22476
8.8 - High
- July 08, 2022
IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.7 and Open Liberty are vulnerable to identity spoofing by an authenticated user using a specially crafted request. IBM X-Force ID: 225604.
Authentication Bypass by Spoofing
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0, with the Ajax Proxy Web Application (AjaxProxy.war) deployed, is vulnerable to spoofing by
CVE-2022-22365
5.9 - Medium
- May 20, 2022
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0, with the Ajax Proxy Web Application (AjaxProxy.war) deployed, is vulnerable to spoofing by allowing a man-in-the-middle attacker to spoof SSL server hostnames. IBM X-Force ID: 220904.
IBM WebSphere Application Server Liberty and Open Liberty 17.0.0.3 through 22.0.0.5 are vulnerable to identity spoofing by an authenticated user
CVE-2022-22475
6.5 - Medium
- May 17, 2022
IBM WebSphere Application Server Liberty and Open Liberty 17.0.0.3 through 22.0.0.5 are vulnerable to identity spoofing by an authenticated user. IBM X-Force ID: 225603.
IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.5 , with the adminCenter-1.0 feature configured, could
CVE-2022-22393
6.5 - Medium
- May 13, 2022
IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.5 , with the adminCenter-1.0 feature configured, could allow an authenticated user to issue a request to obtain the status of HTTP/HTTPS ports which are accessible by the application server. IBM X-Force ID: 222078.
IBM WebSphere Application Server 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.2 could
CVE-2021-39038
5.4 - Medium
- February 24, 2022
IBM WebSphere Application Server 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.2 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 213968.
Clickjacking