CVE-2026-13772 – IBM WebSphere eXtreme Scale’s OQL is affected by remote code execution

CVE ID :CVE-2026-13772

Published : June 30, 2026, 7:21 p.m. | 24 minutes ago

Description :IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 ‘s Object Query Language engine resolves attacker-supplied class names via Class.forName() and invokes their constructors with no allow-list at three distinct sinks (SELECT NEW, enum literals, and reflection-based comparators); an authenticated remote attacker who can influence an application-built OQL query string can execute arbitrary constructors on the WAS JVM, and a SELECT DISTINCT variant using planted grid values fires the same gadget post-readObject in a manner that survives JEP-290 serialization filters across grid node boundaries

Severity: 7.5 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

آسیب‌پذیری‌های جدید و وصله‌های امنیتی به‌صورت مداوم منتشر می‌شوند و عدم بروزرسانی به‌موقع می‌تواند امنیت سرویس‌های حیاتی را به خطر بیندازد. خدمات مدیریت و پشتیبانی سرور آفاق هاستینگ شامل پایش امنیتی، بروزرسانی نرم‌افزارها، نصب Patchهای امنیتی و سخت‌سازی سرورها است.

خدمات مدیریت و امنیت سرور

نوشته های مشابه

CVE-2026-13759 – IBM WebSphere eXtreme Scale is affected by Insecure Deserilization

CVE-2026-13773 – IBM WebSphere eXtreme Scale is affected by server side request forgery when ORB is used as Transport Protocol

CVE-2026-3602 – IBM App Connect Enterprise and IBM Integration Bus for z/OS toolkit is vulnerable to an sql injection

CVE-2026-7663 – Unauthenticated Cross-User MCP Resource Access and Tool Execution via Streamable Transport Authorization Bypass