COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2026-13772

CVE-2026-13772

Severity
high
Source
NVD · cve
Published
2026-06-30
CVSS
7.5
Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-13772
⚡ RCE shame 40/100 rce

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 's Object Query Language engine resolves attacker-supplied class names via Class.forName() and invokes their constructors with no allow-list at three distinct sinks (SELECT NEW, enum literals, and reflection-based comparators);

Players implicated

IBM · vendorwebsphere extreme scale · product

Description

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 's Object Query Language engine resolves attacker-supplied class names via Class.forName() and invokes their constructors with no allow-list at three distinct sinks (SELECT NEW, enum literals, and reflection-based comparators); an authenticated remote attacker who can influence an application-built OQL query string can execute arbitrary constructors on the WAS JVM, and a SELECT DISTINCT variant using planted grid values fires the same gadget post-readObject in a manner that survives JEP-290 serialization filters across grid node boundaries

Affected FedRAMP products 5 in the catalog

ProductProviderStatusMatch
IBM Cloud for Government IBM Authorized vendor-exact · 0.90
IBM Federal HR Cloud IBM Authorized vendor-exact · 0.90
IBM Maximo and TRIRIGA on Cloud for U.S. Federal IBM Authorized vendor-exact · 0.90
MaaS360 Enterprise Mobility Management IBM Authorized vendor-exact · 0.90
SmartCloud for Government IBM Authorized vendor-exact · 0.90