Websphere Extreme Scale IBM Websphere Extreme Scale

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in IBM Websphere Extreme Scale.

By the Year

In 2026 there have been 4 vulnerabilities in IBM Websphere Extreme Scale with an average score of 6.9 out of ten. Websphere Extreme Scale did not have any published security vulnerabilities last year. That is, 4 more vulnerabilities have already been reported in 2026 as compared to last year.

Year Vulnerabilities Average Score
2026 4 6.88
2025 0 0.00
2024 0 0.00
2023 0 0.00
2022 0 0.00
2021 1 5.30
2020 0 0.00
2019 4 4.90

It may take a day or so for new Websphere Extreme Scale vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent IBM Websphere Extreme Scale Security Vulnerabilities

IBM WebSphere Extreme Scale 8.6.1.08.6.1.6 RCE via ObjectInputStream (Coherence)
CVE-2026-13759 7.5 - High - June 30, 2026

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 ships three ObjectInputStream subclasses (WsObjectInputStream, ObjectStreamPool$ReusableInputStream, ObjectInputStreamResolver) that install no JEP-290 class filter; when Coherence is on the classpath, multiple RCE gadget chains including RemoteConstructor.readResolve and PriorityQueue/ExtractorComparator are confirmed working, allowing a post-login attacker who can write a session attribute or a LAN-adjacent attacker on the grid replication wire to execute arbitrary code on peer WAS JVMs

Marshaling, Unmarshaling

IBM WAS 8.6.1.x OQL Class.forName Constructor Exec
CVE-2026-13772 7.5 - High - June 30, 2026

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 's Object Query Language engine resolves attacker-supplied class names via Class.forName() and invokes their constructors with no allow-list at three distinct sinks (SELECT NEW, enum literals, and reflection-based comparators); an authenticated remote attacker who can influence an application-built OQL query string can execute arbitrary constructors on the WAS JVM, and a SELECT DISTINCT variant using planted grid values fires the same gadget post-readObject in a manner that survives JEP-290 serialization filters across grid node boundaries

Reflection Injection

IBM WebS. Extreme Scale 8.6.1.0-8.6.1.6: ogclient.jar CORBA SSRF RCE
CVE-2026-13773 6 - Medium - June 30, 2026

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 Approximately 50 generated CORBA stub classes in WebSphere eXtreme Scale's ogclient.jar call ORB.string_to_object() on an attacker-controlled IOR string during Java deserialization, turning any unfiltered ObjectInputStream sink in WAS into outbound IIOP SSRF to an attacker-chosen host; when chained with the IBM ORB's getUserException class-instantiation flaw (WAS-26), this SSRF escalates to remote code execution on the calling JVM.

SSRF

Denial of Service via XDF Decoder in IBM WebSphere Extreme Scale 8.6.1.08.6.1.6
CVE-2026-9002 6.5 - Medium - June 30, 2026

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 could allow an adjacent attacker to cause a denial of service due to improper validation in the XDF decoder. The application processes deeply nested Protocol Buffers messages and attacker-controlled length prefixes without sufficient bounds checking, which may allow an attacker on the same network to trigger a StackOverflowError or OutOfMemoryError, resulting in a crash of the WebSphere Application Server JVM.

Resource Exhaustion

IBM WebSphere eXtreme Scale 8.6.1 stores sensitive information in URL parameters
CVE-2020-4336 5.3 - Medium - January 06, 2021

IBM WebSphere eXtreme Scale 8.6.1 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 177932.

Information Disclosure

IBM WebSphere eXtreme Scale 8.6 Admin Console is vulnerable to cross-site scripting
CVE-2019-4106 4.8 - Medium - September 30, 2019

IBM WebSphere eXtreme Scale 8.6 Admin Console is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 158099.

XSS

IBM WebSphere eXtreme Scale 8.6 Admin Console could allow a remote attacker to hijack the clicking action of the victim
CVE-2019-4109 6.1 - Medium - September 30, 2019

IBM WebSphere eXtreme Scale 8.6 Admin Console could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 158102.

Clickjacking

IBM WebSphere eXtreme Scale 8.6 Admin Console allows web pages to be stored locally which can be read by another user on the system
CVE-2019-4112 3.3 - Low - September 30, 2019

IBM WebSphere eXtreme Scale 8.6 Admin Console allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 158105.

Improper Privilege Management

IBM WebSphere eXtreme Scale 8.6 Admin API is vulnerable to cross-site scripting
CVE-2019-4115 5.4 - Medium - September 30, 2019

IBM WebSphere eXtreme Scale 8.6 Admin API is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 158113.

XSS

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for IBM Websphere Extreme Scale or by IBM? Click the Watch button to subscribe.

IBM
Vendor

subscribe