Cross-Site Scripting Vulnerability in IBM Application Gateway
CVE-2025-36396

5.4MEDIUM

Key Information:

Vendor: IBM
Status: Application Gateway
Vendor: CVE Published:; 20 January 2026

What is CVE-2025-36396?

IBM Application Gateway versions 23.10 through 25.09 are affected by a cross-site scripting vulnerability. An authenticated user can exploit this flaw to inject arbitrary JavaScript into the web interface, potentially compromising the security of a trusted session and leading to unauthorized credential disclosure.

Affected Version(s)

Application Gateway 23.10 <= 25.09

References

https://www.ibm.com/support/pages/node/7256857

vendor-advisorypatch

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jan 20, 2026
Vulnerability Reserved
Apr 15, 2025

JSON