anonhaven
Ad

CVE-2026-4364

MEDIUM CVSS 3.1: 5.4 EPSS 0.02%
Updated Apr 07, 2026
IBM
Parameter Value
CVSS 5.4 (MEDIUM)
Affected Versions 10.0.0.0 — 11.0.2.0
Type CWE-79 (Cross-Site Scripting (XSS))
Vendor IBM
Public PoC No

IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 allows certificate listings retrieved via a browser session to return a JSON payload while incorrectly specifying the response Content-Type as text/html. Because the content is delivered with an HTML MIME type, browsers may interpret the JSON data as executable script under certain conditions. This creates an opportunity for JavaScript injection, potentially leading to cross-site scripting (XSS).

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
Required
User action required

Impact Assessment

Confidentiality
Low
Partial data leak
Integrity
Low
Partial data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-79 Cross-Site Scripting (XSS)

Vulnerable Products 4

Configuration From (including) Up to (excluding)
Ibm Security_Verify_Access
cpe:2.3:a:ibm:security_verify_access:*:*:*:*:*:*:*:*
 10.0.0.0 <= 10.0.9.1
Ibm Security_Verify_Access_Container
cpe:2.3:a:ibm:security_verify_access_container:*:*:*:*:*:*:*:*
 10.0.0.0 <= 10.0.9.1
Ibm Verify_Identity_Access
cpe:2.3:a:ibm:verify_identity_access:*:*:*:*:*:*:*:*
 11.0.0.0 <= 11.0.2.0
Ibm Verify_Identity_Access_Container
cpe:2.3:a:ibm:verify_identity_access_container:*:*:*:*:*:*:*:*
 11.0.0.0 <= 11.0.2.0

References 1

https://www.ibm.com/support/pages/node/7268253
psirt@us.ibm.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2025-13044

IBM

6.2

CVE-2026-1243

Microsoft

5.4

CVE-2025-66487

IBM

6.5

CVE-2025-66486

IBM

6.1

CVE-2025-66485

IBM

5.4