IBM Cognos Analytics/Transformer XSS (12.1.0)
CVE-2025-3633 Published on May 27, 2026
IBM Cognos Analytics is affected by multiple security vulnerabilities
IBM Cognos Analytics 11.2.0, 11.2.4, 12.0, and 12.1.0 and IBM Cognos Transformer 11.2.4, 12.0, and 12.1.0 are vulnerable to cross-site scripting (XSS). This vulnerability allows a remote attacker to inject arbitrary JavaScript code into the web user interface, which may alter the intended functionality and could lead to the disclosure of credentials within a trusted session.
Vulnerability Analysis
CVE-2025-3633 can be exploited with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2025-3633 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2025-3633
stack.watch emails you whenever new vulnerabilities are published in IBM Cognos Analytics or IBM Cognos Transformer. Just hit a watch button to start following.
Affected Versions
IBM Cognos Analytics:- Version 11.2.0 is affected.
- Version 12.0 is affected.
- Version 12.1.0 is affected.
- Version 12.0 is affected.
- Version 11.2.4 is affected.
- Version 12.1.0 is affected.