Remote Code Exec in IBM WebSphere WebServer Plugin (IBM i 7.37.6)
CVE-2026-9072 Published on June 22, 2026
IBM i is Affected By Denial of Service, HTTP Request Smuggling, and Remote Code Execution Vulnerabilities in IBM WebSphere Application Server Liberty [, , , , ]
IBM i 7.6, 7.5, 7.4, and 7.3, IBM WebSphere Application Server, and IBM WebSphere Application Server Liberty - when using Intelligent Management with the WebSphere WebServer Plug-in component - are vulnerable to remote code execution and denial of service. This vulnerability can be exploited when an attacker impersonates backend servers and sends crafted responses to the plug-in.
Vulnerability Analysis
CVE-2026-9072 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is a Code Injection Vulnerability?
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CVE-2026-9072 has been classified to as a Code Injection vulnerability or weakness.
Products Associated with CVE-2026-9072
Want to know whenever a new CVE is published for IBM I? stack.watch will email you.
Affected Versions
IBM i:- Version 7.6.0, <= 1.8.4 is affected.
- Version 7.5.0 is affected.
- Version 7.4.0 is affected.
- Version 7.3.0 is affected.