ID

VAR-202601-2641


CVE

CVE-2025-36397


TITLE

Cross-site scripting vulnerability in IBM Application Gateway

Trust: 0.8

sources: JVNDB: JVNDB-2026-002007

DESCRIPTION

IBM Application Gateway 23.10 through 25.09 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which, when viewed, would be executed in the victim's Web browser within the security context of the hosting site. Some of the information handled by the software may be leaked to the outside. Also, some of the information handled by the software may be rewritten. The software itself will not stop. Furthermore, attacks exploiting this vulnerability may affect other software.

Trust: 1.62

sources: NVD: CVE-2025-36397 // JVNDB: JVNDB-2026-002007

AFFECTED PRODUCTS

vendor: ibm | model: application gateway | scope: lte | version: 25.09

Trust: 1.0

vendor: ibm | model: application gateway | scope: gte | version: 23.10

Trust: 1.0

vendor: ibm | model: application gateway | scope: - | version: -

Trust: 0.8

vendor: ibm | model: application gateway | scope: eq | version: 23.10 to 25.09

Trust: 0.8

vendor: ibm | model: application gateway | scope: eq | version: -

Trust: 0.8

sources: JVNDB: JVNDB-2026-002007 // NVD: CVE-2025-36397

CVSS

SEVERITY

CVSSV2

CVSSV3

psirt@us.ibm.com: CVE-2025-36397
value: MEDIUM

Trust: 1.0

OTHER: JVNDB-2026-002007
value: MEDIUM

Trust: 0.8

psirt@us.ibm.com: CVE-2025-36397
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.1

Trust: 1.0

OTHER: JVNDB-2026-002007
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2026-002007 // NVD: CVE-2025-36397

PROBLEMTYPE DATA

problemtype: CWE-80

Trust: 1.0

problemtype: Cross-site scripting (Basic XSS) (CWE-80) [others]

Trust: 0.8

sources: JVNDB: JVNDB-2026-002007 // NVD: CVE-2025-36397

PATCH

title: Security Bulletin | url: https://www.ibm.com/support/pages/node/7256857

Trust: 0.8

sources: JVNDB: JVNDB-2026-002007

EXTERNAL IDS

db: NVD | id: CVE-2025-36397

Trust: 2.6

db: JVNDB | id: JVNDB-2026-002007

Trust: 0.8

sources: JVNDB: JVNDB-2026-002007 // NVD: CVE-2025-36397

REFERENCES

url:https://www.ibm.com/support/pages/node/7256857

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2025-36397

Trust: 0.8

sources: JVNDB: JVNDB-2026-002007 // NVD: CVE-2025-36397

SOURCES

db: JVNDB | id: JVNDB-2026-002007
db: NVD | id: CVE-2025-36397

LAST UPDATE DATE

2026-01-29T23:47:07.866000+00:00


SOURCES UPDATE DATE

db: JVNDB | id: JVNDB-2026-002007 | date: 2026-01-28T03:36:00
db: NVD | id: CVE-2025-36397 | date: 2026-01-26T19:47:11.003

SOURCES RELEASE DATE

db: JVNDB | id: JVNDB-2026-002007 | date: 2026-01-28T00:00:00
db: NVD | id: CVE-2025-36397 | date: 2026-01-20T16:16:04.030