CVE-2026-9170 — IBM HTTP Server / WebSphere Application Server: pre-auth RCE via improper input validation (CVSS 9.8)
From CTI Daily Brief — 2026-05-29 · published 2026-05-29
IBM disclosed nine vulnerabilities in IBM HTTP Server (IHS) and WebSphere Application Server on 2026-05-26; the most severe is CVE-2026-9170 — CWE-94 improper input validation in the HTTP request-parsing layer that lets a remote, unauthenticated attacker trigger arbitrary code execution by sending a crafted HTTP request to the default web listener. NCSC.ch flagged the advisory as Security Hub post 12601 on 2026-05-28. The NVD entry for CVE-2026-9170 carries the CVSS 9.8 base score.

Affected: IBM HTTP Server 9.0 and 8.5 branches; WebSphere Application Server Traditional 9.0 and 8.5 before the listed fix packs.

Other notable CVEs in the same batch: CVE-2026-8855 (CVSS 8.1, RCE in TLS mutual-auth configs); CVE-2026-8834 (CVSS 8.0, heap-based buffer overflow in the Administration Server); CVE-2026-8856 / CVE-2026-8850 / CVE-2026-8854 (DoS).

IBM recommends applying interim fix APAR PH71265 or the corresponding fix pack and disabling unused optional modules (mod_ibm_upload, mod_mem_cache). No public exploitation observed.
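As an added defender-side check (not part of the brief or of IBM's tooling), the script below scans an IHS httpd.conf for active LoadModule directives that load the two optional modules the advisory says to disable when unused, and produces a copy with those lines commented out. The module names come from the brief; the config fragment is constructed sample input, and the `.so` file names and module identifiers in it are assumptions about how such modules would be loaded, not values from the advisory. Files pulled in via Include directives are not followed.

```python
import re
from typing import List, Tuple

# Optional modules the advisory recommends disabling when unused (names from the brief).
OPTIONAL_MODULES = ("mod_ibm_upload", "mod_mem_cache")

# Apache-style directive: LoadModule <module_identifier> <path/to/mod_x.so>
LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.IGNORECASE)

# Constructed sample httpd.conf fragment; module/file names are assumptions.
SAMPLE_CONF = """\
# constructed sample, not from a real IHS install
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
LoadModule mem_cache_module modules/mod_mem_cache.so
#LoadModule ibm_upload_module modules/mod_ibm_upload.so
Listen 80
"""


def find_enabled_optional_modules(conf_text: str) -> List[Tuple[int, str]]:
    """Return (line_no, optional_module) for each active LoadModule line that
    loads one of OPTIONAL_MODULES. Lines already commented out are skipped."""
    hits: List[Tuple[int, str]] = []
    for no, line in enumerate(conf_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        m = LOADMODULE_RE.match(line)
        if not m:
            continue
        module_id, module_file = m.groups()
        for opt in OPTIONAL_MODULES:
            # Match on the shared-object name, or on the identifier stem (e.g. mem_cache_module).
            if opt in module_file or module_id.startswith(opt[len("mod_"):]):
                hits.append((no, opt))
    return hits


def disable_optional_modules(conf_text: str) -> str:
    """Return the config with every flagged LoadModule line commented out;
    all other lines are left untouched so the result can be diffed and reviewed."""
    flagged = {no for no, _ in find_enabled_optional_modules(conf_text)}
    out = []
    for no, line in enumerate(conf_text.splitlines(), start=1):
        out.append(f"# disabled per APAR PH71265 guidance: {line}" if no in flagged else line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for line_no, mod in find_enabled_optional_modules(SAMPLE_CONF):
        print(f"line {line_no}: {mod} is loaded; confirm it is needed or disable it")
```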