CVE-2026-5935 PUBLISHED

TSSC/IMC is vulnerable to OS Command Injection

Assigner: ibm
Reserved: 09.04.2026 Published: 22.04.2026 Updated: 22.04.2026

IBM Total Storage Service Console (TSSC) / TS4500 IMC 9.2, 9.3, 9.4, 9.5, 9.6 TSSC/IMC could allow an unauthenticated user to execute arbitrary commands with normal user privileges on the system due to improper validation of user supplied input.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS Score: 7.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	IBM
Product	Total Storage Service Console (TSSC) / TS4500 IMC
Versions	affected from 9.2.0 to 9.6.0 (incl.)

Solutions

Affected Product(s)Version(s)Remediation/Fix/InstructionsTotal Storage Service Console (TSSC) / TS4500 IMC9.4.14, 9.4.21, 9.4.26, 9.6.10, 9.5.8,Upgrade to 9.4.31/9.6.15

Download patch 9.X.X_FixOSCommandInjection_2026-04-06 or 9.X.X_FixOSCommandInjection_2026-04-06 and execute on TSSC/IMC system.

Please see instructions below.

Total Storage Service Console (TSSC) / TS4500 IMC9.4.31, 9.6.15Download patch 9.X.X_FixOSCommandInjection_2026-04-06 or 9.X.X_FixOSCommandInjection_2026-04-06 and execute on TSSC/IMC system.

Please see instructions below.

For information on how to download the patch please refer to the following page: Available Updates https://www.ibm.com/docs/en/tssc

References

https://www.ibm.com/support/pages/node/7270127

Problem Types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE