CVE-2025-36126: IBM Cognos Analytics is affected by Cross-site scripting.

CVSS 6.4 · Medium · EPSS 0.03% · P8

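Affected Version Matrix (6)

| Vendor | Product | Version Range | Status |
| --- | --- | --- | --- |
| IBM | Cognos Analytics | 11.2.0 | affected |
| IBM | Cognos Analytics | 12.0 | affected |
| IBM | Cognos Analytics | 12.1.0 | affected |
| IBM | Cognos Transformer | 12.0 | affected |
| IBM | Cognos Transformer | 11.2.4 | affected |
| IBM | Cognos Transformer | 12.1.0 | affected |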
I. Basic Information for CVE-2025-36126

Vulnerability Information

Vulnerability Title
IBM Cognos Analytics is affected by Cross-site scripting.
Source: NVD (National Vulnerability Database)
Vulnerability Description
IBM Cognos Analytics 11.2.0, 12.0, and 12.1.0 and IBM Cognos Transformer 12.0, 11.2.4, and 12.1.0 are vulnerable to stored cross-site scripting (XSS) in Cognos Administration. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
Improper neutralization of input during web page generation (cross-site scripting)
Source: NVD (National Vulnerability Database)
Vulnerability Title
IBM Cognos Analytics and IBM Cognos Transformer cross-site scripting vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
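IBM Cognos Analytics and IBM Cognos Transformer are both products of International Business Machines (IBM), a US company. IBM Cognos Analytics is a business intelligence software suite. It includes reports, dashboards, scorecards and more, and helps enterprises adjust their decisions by analyzing key factors, key people and similar content. IBM Cognos Transformer is a business intelligence modeling tool. IBM Cognos Analytics versions 11.2.0, 12.0 and 12.1.0 and IBM Cognos Transformer versions 12.0, 11.2.4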
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

| Vendor | Product | Affected Versions | CPE |
| --- | --- | --- | --- |
| IBM | Cognos Analytics | 11.2.0 | cpe:2.3:a:ibm:cognos_analytics:11.2.0:*:*:*:*:*:*:* |
| IBM | Cognos Transformer | 12.0 | cpe:2.3:a:ibm:cognos_transformer:12.0:*:*:*:*:*:*:* |

II. Public POCs for CVE-2025-36126

No public POC found.

III. Intelligence Information for CVE-2025-36126

Vendor Advisories for CVE-2025-36126 (1)

Same Patch Batch · IBM · 2026-05-26 · 20 CVEs total

CVE-2026-3660 · 9.8 CRITICAL · IBM Engineering Lifecycle Management - Jazz Foundation is vulnerable to Authentication Byp
CVE-2026-8633 · 9.8 CRITICAL · IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by
CVE-2026-8855 · 8.1 HIGH · IBM HTTP Server is affected by multiple vulnerabilities
CVE-2026-8834 · 8.0 HIGH · IBM HTTP Server is affected by multiple vulnerabilities
CVE-2026-8856 · 7.7 HIGH · IBM HTTP Server is affected by multiple vulnerabilities
CVE-2026-8850 · 7.5 HIGH · IBM HTTP Server is affected by multiple vulnerabilities
CVE-2026-8620 · 7.5 HIGH · IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by
CVE-2026-8854 · 7.5 HIGH · IBM HTTP Server is affected by multiple vulnerabilities
CVE-2026-8835 · 7.3 HIGH · IBM HTTP Server is affected by multiple vulnerabilities
CVE-2026-4051 · 7.2 HIGH · IBM Engineering Lifecycle Management - Jazz Foundation is vulnerable to Server Post-Auth R
CVE-2026-3603 · 7.1 HIGH · IBM Engineering Lifecycle Management - Jazz Foundation is vulnerable to XML external entit
CVE-2026-8852 · 6.2 MEDIUM · IBM HTTP Server is affected by multiple vulnerabilities
CVE-2025-13755 · 5.5 MEDIUM · IBM® Db2® is vulnerable to credential exposure in db2diag when executing specific testcase
CVE-2025-36148 · 5.4 MEDIUM · IBM Financial Transaction Manager for SWIFT Services for Multiplatforms is vulnerable to c
CVE-2025-36145 · 5.4 MEDIUM · Multiple Vulnerabilities in watsonx.data
CVE-2025-14290 · 5.4 MEDIUM · IBM webMethods Integration Server is vulnerable to server-side request forgery
CVE-2025-36221 · 5.3 MEDIUM · Vulnerabilities exist in IBM Cloud Pak for Data System (CPDS 1.0) - Cyclops.
CVE-2025-36220 · 4.3 MEDIUM · Vulnerabilities exist in IBM Cloud Pak for Data System (CPDS 1.0) - Cyclops.
CVE-2026-9170 · IBM HTTP Server is affected by multiple vulnerabilities
