CVE-2026-13773
IBM WebSphere eXtreme Scale is affected by server side request forgery when ORB is used as Transport Protocol
Vexday Risk Score
13Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 6EPSS 3.0%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado
Ciclo de vida
30 jun 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 Approximately 50 generated CORBA stub classes in WebSphere eXtreme Scale's ogclient.jar call ORB.string_to_object() on an attacker-controlled IOR string during Java deserialization, turning any unfiltered ObjectInputStream sink in WAS into outbound IIOP SSRF to an attacker-chosen host; when chained with the IBM ORB's getUserException class-instantiation flaw (WAS-26), this SSRF escalates to remote code execution on the calling JVM.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
Productos afectados
IBM · WebSphere Extreme Scale¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →