CVE-2026-9072 PUBLISHED

IBM i is Affected By Denial of Service, HTTP Request Smuggling, and Remote Code Execution Vulnerabilities in IBM WebSphere Application Server Liberty [, , , , ]

Assigner: ibm
Reserved: 20.05.2026 Published: 22.06.2026 Updated: 22.06.2026

IBM i 7.6, 7.5, 7.4, and 7.3, IBM WebSphere Application Server, and IBM WebSphere Application Server Liberty - when using Intelligent Management with the WebSphere WebServer Plug-in component - are vulnerable to remote code execution and denial of service. This vulnerability can be exploited when an attacker impersonates backend servers and sends crafted responses to the plug-in.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 8.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	IBM
Product	i
Versions	affected from 7.6.0 to 1.8.4 (incl.) Version 7.5.0 is affected Version 7.4.0 is affected Version 7.3.0 is affected

Solutions

IBM strongly recommends addressing the vulnerabilities now.

IBM i Release5770-SS1 Option 3 PTF Number(s)PTF Download Link(s)7.6SJ10122 https://www.ibm.com/mysupport/s/fix-information?legacy=SJ10122 7.5SJ10121 https://www.ibm.com/mysupport/s/fix-information?legacy=SJ10121 7.4SJ10120 https://www.ibm.com/mysupport/s/fix-information?legacy=SJ10120 7.3SJ10119 https://www.ibm.com/mysupport/s/fix-information?legacy=SJ10119

IBM recommends users running unsupported versions of affected products upgrade to a supported and fixed version of affected products.

References

https://www.ibm.com/support/pages/node/7277344

Problem Types

CWE-94 Improper Control of Generation of Code ('Code Injection') CWE