ctipilot.ch

IBM HTTP Server / WebSphere Application Server — pre-auth RCE via improper input validation in HTTP request parser (CVSS 9.8); NCSC.ch flagged 2026-05-28

cve · CVE-2026-9170

Coverage timeline: 1 (first 2026-05-29 → last 2026-05-29)
Briefs: 1 (1 distinct)
Sources cited: 264 (109 hosts)
Sections touched: 0
Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-29 · CTI Daily Brief — 2026-05-29

Source distribution

  • attack.mitre.org: 37 (14%)
  • thehackernews.com: 17 (6%)
  • github.com: 16 (6%)
  • bleepingcomputer.com: 12 (5%)
  • security-hub.ncsc.admin.ch: 11 (4%)
  • nvd.nist.gov: 10 (4%)
  • helpnetsecurity.com: 9 (3%)
  • cert.ssi.gouv.fr: 6 (2%)
  • other: 146 (55%)

External references

NVD · cve.org · CISA KEV

All cited sources (264)

Items in briefs about IBM HTTP Server / WebSphere Application Server — pre-auth RCE via improper input validation in HTTP request parser (CVSS 9.8); NCSC.ch flagged 2026-05-28 (1)

CVE-2026-9170 — IBM HTTP Server / WebSphere Application Server: pre-auth RCE via improper input validation (CVSS 9.8)

From CTI Daily Brief — 2026-05-29 · published 2026-05-29

IBM disclosed nine vulnerabilities in IBM HTTP Server (IHS) and WebSphere Application Server on 2026-05-26; the most severe is CVE-2026-9170 — CWE-94 improper input validation in the HTTP request-parsing layer that lets a remote, unauthenticated attacker trigger arbitrary code execution by sending a crafted HTTP request to the default web listener. NCSC.ch flagged the advisory as Security Hub post 12601 on 2026-05-28. NVD entry CVE-2026-9170 carries the CVSS 9.8 base score. Affected: IBM HTTP Server 9.0 and 8.5 branches; WebSphere Application Server Traditional 9.0 and 8.5 before the listed fix packs. Other notable CVEs in the same batch: CVE-2026-8855 (CVSS 8.1, RCE in TLS mutual-auth configs); CVE-2026-8834 (CVSS 8.0, heap-based buffer overflow in the Administration Server); CVE-2026-8856 / CVE-2026-8850 / CVE-2026-8854 (DoS). IBM recommends applying interim fix APAR PH71265 or the corresponding fix pack and disabling unused optional modules (mod_ibm_upload, mod_mem_cache). No public exploitation observed.