ctipilot.ch

CVE-2026-9170 — IBM HTTP Server / WebSphere Application Server: pre-auth RCE (CVSS 9.8)

From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25

IBM patched an improper-input-validation flaw in IBM HTTP Server / WebSphere Application Server that allows unauthenticated remote code execution and denial of service (CVSS 9.8, first covered 2026-05-29); NCSC.ch carried it as Security Hub post 12601. WebSphere fronts a large share of public-sector and financial back-office estates, where it is often internet-reachable through reverse proxies — the pre-auth, zero-interaction profile makes this a patch-now item for any CH/EU SOC with WebSphere in the asset inventory. Confirm fix-pack levels against IBM's bulletin and prioritise externally-reachable instances.