JavaScript Injection Risk in IBM Security Verify Access and Identity Access Products
CVE-2026-4364

5.4 MEDIUM

What is CVE-2026-4364?

IBM Verify Identity Access Container and IBM Security Verify Access Container contain a vulnerability in which certificate listings retrieved through a browser session are returned as a JSON payload with an incorrect Content-Type of text/html. Because of the wrong content type, a browser can interpret the JSON data as executable script, which creates a risk of JavaScript injection and can enable cross-site scripting attacks. Users of these IBM products should review the advisory for details on potential mitigations and required updates.
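A check a defender can run over captured responses to spot this class of mismatch, as an added example that is not IBM's code or taken from the advisory. The sample responses and their field names (`id`, `subject`) are constructed and do not reflect the product's real output, and the `X-Content-Type-Options: nosniff` check is general hardening practice rather than something the advisory states.

```python
import json

def parse_response(raw):
    """Split a raw HTTP response into (lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def markup_fields(node, path="$"):
    """Yield JSON paths of string values an HTML parser would read as markup."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from markup_fields(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from markup_fields(value, f"{path}[{i}]")
    elif isinstance(node, str) and "<" in node:
        yield path

def audit(raw):
    """Return findings for one response whose body is a JSON object or array."""
    headers, body = parse_response(raw)
    try:
        doc = json.loads(body)
    except ValueError:
        return []                                # not JSON: out of scope here
    if not isinstance(doc, (dict, list)):
        return []
    findings = []
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if media_type == "text/html":
        findings.append("json-as-text/html")
        findings += [f"markup-in:{p}" for p in markup_fields(doc)]
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("no-nosniff")
    return findings

# Constructed samples: the same listing with the wrong and the corrected headers.
BODY = '[{"id": "1", "subject": "CN=<i>lab</i> signer"}]'
BEFORE = "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n" + BODY
AFTER = ("HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
         "X-Content-Type-Options: nosniff\r\n\r\n" + BODY)

if __name__ == "__main__":
    print(audit(BEFORE))
    print(audit(AFTER))
```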

Affected Version(s)

Security Verify Access 10.0 <= 10.0.9.1

Security Verify Access Container 10.0 <= 10.0.9.1

Verify Identity Access 11.0 <= 11.0.2

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
