IBM WebSphere Application Server Remote Code Execution Vulnerability via Deserialization in JAX-WS Endpoints

Vulnerability

A remote code execution vulnerability exists in IBM WebSphere Application Server versions 9.0 and 8.5. This issue arises from the deserialization of untrusted data in JAX-WS endpoints that use WS-Security, potentially allowing an attacker to execute arbitrary code on the server.

Impact

Exploitation of this vulnerability could lead to unauthorized remote code execution on the affected server.

Remediation

Users are advised to upgrade to IBM WebSphere Application Server Fix Pack 9.0.5.29 or 8.5.5.30, depending on their current version. Alternatively, an interim fix addressing this vulnerability is available for both WebSphere Application Server traditional versions 9.0.0.0 through 9.0.5.28 and versions 8.5.0.0 through 8.5.5.29. Instructions for applying this interim fix can be found on the IBM Support page.
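As an added example (not IBM's tooling and not part of this advisory), the check below tells you whether an installed WebSphere Application Server traditional version falls inside the affected ranges quoted above or already carries the fix pack. The inventory is constructed sample data, and the script assumes that fix packs later than the named one also include the fix, which the advisory does not state.

```python
"""Triage WebSphere traditional versions against the ranges in this advisory."""
from typing import Dict, Iterable, Tuple

# Per stream: (stream prefix, first affected, last affected, first fixed fix pack),
# taken from the advisory text. Assumption not stated on the page: fix packs
# later than the named fixed one also carry the fix.
STREAMS = (
    ("9.0", "9.0.0.0", "9.0.5.28", "9.0.5.29"),
    ("8.5", "8.5.0.0", "8.5.5.29", "8.5.5.30"),
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse 'a.b.c.d' into a 4-tuple of ints, padding missing trailing parts with 0."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a WebSphere version string: {text!r}")
    return tuple([int(p) for p in parts] + [0] * (4 - len(parts)))


def assess(text: str) -> str:
    """Return 'affected', 'fixed' or 'not covered' for one installed version."""
    v = parse_version(text)
    for stream, _first, last, _fixed in STREAMS:
        if v[:2] != parse_version(stream)[:2]:
            continue  # a different release stream (e.g. 8.0) is not covered here
        # Within a stream every version up to `last` is affected; the fixed fix pack
        # immediately follows `last`, so anything above it is treated as fixed.
        return "affected" if v <= parse_version(last) else "fixed"
    return "not covered"


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map hostname -> verdict; unparseable version strings are flagged, not skipped."""
    verdicts: Dict[str, str] = {}
    for host, version in inventory:
        try:
            verdicts[host] = assess(version)
        except ValueError:
            verdicts[host] = "unparseable"
    return verdicts


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [("app01", "9.0.5.28"), ("app02", "9.0.5.29"), ("app03", "8.5.5.12"),
              ("app04", "8.5.5.30"), ("legacy", "8.0.0.15"), ("odd", "9.x")]
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```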

Added: Jun 1, 2026, 7:52 PM
Updated: Jun 1, 2026, 7:52 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 7.5
exploitability: 6.6
remediation: 7.7
relevance: 9.7
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.