IBM WebSphere Web Server Plug-in RCE (7.3-7.6)
CVE-2026-8858 Published on June 22, 2026
IBM i is Affected By Denial of Service, HTTP Request Smuggling, and Remote Code Execution Vulnerabilities in IBM WebSphere Application Server Liberty [, , , , ]
IBM i 7.6, 7.5, 7.4, and 7.3, IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to remote code execution and denial of service in the WebSphere Web Server Plug-in component. This vulnerability can be exploited when an attacker impersonates the application server and sends crafted responses to the plug-in.
Vulnerability Analysis
Weakness Type
What is a Code Injection Vulnerability?
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CVE-2026-8858 has been classified to as a Code Injection vulnerability or weakness.
Products Associated with CVE-2026-8858
Want to know whenever a new CVE is published for IBM I? stack.watch will email you.
Affected Versions
IBM i:- Version 7.6.0, <= 1.8.4 is affected.
- Version 7.5.0 is affected.
- Version 7.4.0 is affected.
- Version 7.3.0 is affected.