Details of VAR-202601-3446

ID

VAR-202601-3446

CVE

CVE-2025-36396

TITLE

IBM of IBM Application Gateway Cross-site scripting vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2026-002008

DESCRIPTION

IBM Application Gateway 23.10 through 25.09 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. Also, some of the information handled by the software may be rewritten. Furthermore, the software will not stop. Furthermore, attacks exploiting this vulnerability may affect other software

Trust: 1.62

sources: NVD: CVE-2025-36396 // JVNDB: JVNDB-2026-002008

AFFECTED PRODUCTS

vendor:	ibm	model:	application gateway	scope:	lte	version:	25.09	Trust: 1.0
vendor:	ibm	model:	application gateway	scope:	gte	version:	23.10	Trust: 1.0
vendor:	ibm	model:	application gateway	scope:	-	version:	-	Trust: 0.8
vendor:	ibm	model:	application gateway	scope:	eq	version:	23.10 to 25.09	Trust: 0.8
vendor:	ibm	model:	application gateway	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2026-002008 // NVD: CVE-2025-36396

CVSS

SEVERITY

CVSSV2

CVSSV3

psirt@us.ibm.com:	CVE-2025-36396
value:	MEDIUM
Trust: 1.0
OTHER:	JVNDB-2026-002008
value:	MEDIUM
Trust: 0.8

psirt@us.ibm.com:	CVE-2025-36396
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.3
impactScore:	2.7
version:	3.1
Trust: 1.0
OTHER:	JVNDB-2026-002008
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2026-002008 // NVD: CVE-2025-36396

PROBLEMTYPE DATA

problemtype:	CWE-79	Trust: 1.0
problemtype:	Cross-site scripting (CWE-79) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2026-002008 // NVD: CVE-2025-36396

PATCH

title:

Security Bulletin

url:

https://www.ibm.com/support/pages/node/7256857

Trust: 0.8

sources: JVNDB: JVNDB-2026-002008

EXTERNAL IDS

db:	NVD	id:	CVE-2025-36396	Trust: 2.6
db:	JVNDB	id:	JVNDB-2026-002008	Trust: 0.8

sources: JVNDB: JVNDB-2026-002008 // NVD: CVE-2025-36396

REFERENCES

url:	https://www.ibm.com/support/pages/node/7256857	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2025-36396	Trust: 0.8

sources: JVNDB: JVNDB-2026-002008 // NVD: CVE-2025-36396

SOURCES

db:	JVNDB	id:	JVNDB-2026-002008
db:	NVD	id:	CVE-2025-36396

LAST UPDATE DATE

2026-01-29T23:54:54.589000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2026-002008	date:	2026-01-28T03:36:00
db:	NVD	id:	CVE-2025-36396	date:	2026-01-26T19:46:28.037

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2026-002008	date:	2026-01-28T00:00:00
db:	NVD	id:	CVE-2025-36396	date:	2026-01-20T16:16:03.873