ctipilot.ch

IBM HTTP Server / WebSphere Application Server — pre-auth RCE via improper input validation in HTTP request parser (CVSS 9.8); NCSC.ch flagged 2026-05-28

cve · CVE-2026-9170

Coverage timeline
2
first 2026-05-25 → last 2026-05-31
Peak priority
high
1 high · 1 notable
Sources cited
3
3 hosts
Sections touched
2
trending-vulnerabilities, weekly-vuln-rollup
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
0
no mapped behavior yet

Story timeline

  1. 2026-05-29CVE-2026-9170 — IBM HTTP Server / WebSphere Application Server: pre-auth RCE via improper input validation (CVSS 9.8)
    trending-vulnerabilities
  2. 2026-05-25CVE-2026-9170 — IBM HTTP Server / WebSphere Application Server: pre-auth RCE (CVSS 9.8)
    weekly-vuln-rollup

Where this entity is cited

  • weekly-vuln-rollup1
  • trending-vulnerabilities1

Source distribution

  • ibm.com1 (33%)
  • nvd.nist.gov1 (33%)
  • security-hub.ncsc.admin.ch1 (33%)

explore in graph

Entries about IBM HTTP Server / WebSphere Application Server — pre-auth RCE via improper input validation in HTTP request parser (CVSS 9.8); NCSC.ch flagged 2026-05-28 (2)

2026-05-29 · view entry permalink →

CVE-2026-9170 — IBM HTTP Server / WebSphere Application Server: pre-auth RCE via improper input validation (CVSS 9.8)

IBM disclosed nine vulnerabilities in IBM HTTP Server (IHS) and WebSphere Application Server on 2026-05-26; the most severe is CVE-2026-9170 — CWE-94 improper input validation in the HTTP request-parsing layer that lets a remote, unauthenticated attacker trigger arbitrary code execution by sending a crafted HTTP request to the default web listener. NCSC.ch flagged the advisory as Security Hub post 12601 on 2026-05-28. NVD entry CVE-2026-9170 carries the CVSS 9.8 base score. Affected: IBM HTTP Server 9.0 and 8.5 branches; WebSphere Application Server Traditional 9.0 and 8.5 before the listed fix packs. Other notable CVEs in the same batch: CVE-2026-8855 (CVSS 8.1, RCE in TLS mutual-auth configs); CVE-2026-8834 (CVSS 8.0, heap-based buffer overflow in the Administration Server); CVE-2026-8856 / CVE-2026-8850 / CVE-2026-8854 (DoS). IBM recommends applying interim fix APAR PH71265 or the corresponding fix pack and disabling unused optional modules (mod_ibm_upload, mod_mem_cache). No public exploitation observed.

CVE-2026-9170 CVSS3.1: 9.8 (CRITICAL) - Improper input validation leading to RCE and DoS

NCSC.ch Security Hub post 12601

IBM HTTP Server and WebSphere Application Server are vulnerable to remote code execution due to improper input validation

IBM Security Bulletin
vulnerability29 May 05:00Zmulti-sourceOpen finding ↗

2026-05-25 · view entry permalink →

CVE-2026-9170 — IBM HTTP Server / WebSphere Application Server: pre-auth RCE (CVSS 9.8)

IBM patched an improper-input-validation flaw in IBM HTTP Server / WebSphere Application Server that allows unauthenticated remote code execution and denial of service (CVSS 9.8, first covered 2026-05-29); NCSC.ch carried it as Security Hub post 12601. WebSphere fronts a large share of public-sector and financial back-office estates, where it is often internet-reachable through reverse proxies — the pre-auth, zero-interaction profile makes this a patch-now item for any CH/EU SOC with WebSphere in the asset inventory. Confirm fix-pack levels against IBM's bulletin and prioritise externally-reachable instances.

vulnerability25 May 05:00Zmulti-sourceOpen finding ↗