{"api_version":"1","generated_at":"2026-06-22T19:30:00+00:00","cve":"CVE-2026-11372","urls":{"html":"https://cve.report/CVE-2026-11372","api":"https://cve.report/api/cve/CVE-2026-11372.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-11372","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-11372"},"summary":{"title":"IBM TRIRIGA Cross-Site Scripting Vulnerability","description":"IBM TRIRIGA Application Platform 5.0.2 through 5.0.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.","state":"PUBLISHED","assigner":"ibm","published_at":"2026-06-22 16:16:32","updated_at":"2026-06-22 18:16:30"},"problem_types":["CWE-79","CWE-79 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"metrics":[{"version":"3.1","source":"psirt@us.ibm.com","type":"Secondary","score":"5.4","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"5.4","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.4,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://www.ibm.com/support/pages/node/7276076",
"name":"https://www.ibm.com/support/pages/node/7276076","refsource":"psirt@us.ibm.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-11372","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-11372","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"IBM","product":"TRIRIGA Application Platform","version":"affected 5.0.2 5.0.3 semver","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"A holistic approach has been implemented to address XSS vulnerabilities across the application as part of IBM TRIRIGA Application Platform 5.0.4 GA. The fix for this vulnerability is included in that release.\n\n\n\nCustomers using affected versions of IBM TRIRIGA should upgrade to IBM TRIRIGA Application Platform 5.0.4 GA or a later supported release containing the fix. IBM recommends applying the latest available maintenance to ensure protection against this vulnerability.\n\n\n\n\n\n\n\nReference: https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/IBM+TRIRIGA+Application+Platform&release=5.0.4&platform=All&function=all https://www.ibm.com/support/fixcentral/swg/selectFixes","time":"","lang":"en"}],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-11372","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-22T15:57:33.585843Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-22T15:57:43.139Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP 
Vulnrichment"}],"cna":{"affected":[{"cpes":["cpe:2.3:a:ibm:tririga_application_platform:5.0.2:*:*:*:*:*:*:*","cpe:2.3:a:ibm:tririga_application_platform:5.0.3:*:*:*:*:*:*:*"],"product":"TRIRIGA Application Platform","vendor":"IBM","versions":[{"lessThanOrEqual":"5.0.3","status":"affected","version":"5.0.2","versionType":"semver"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>IBM TRIRIGA Application Platform 5.0.2 through 5.0.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.</p>"}],"value":"IBM TRIRIGA Application Platform 5.0.2 through 5.0.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.4,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-79","description":"CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-22T14:09:34.887Z","orgId":"9a959283-ebb5-44b6-b705-dcc2bbced522","shortName":"ibm"},"references":[{"tags":["vendor-advisory","patch"],"url":"https://www.ibm.com/support/pages/node/7276076"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>An holistic approach 
has been implemented to address XSS vulnerabilities across the application as part of IBM TRIRIGA Application Platform 5.0.4 GA. This vulnerability is also part of it.</p><p>Customers using affected versions of IBM TRIRIGA should upgrade to IBM TRIRIGA Application Platform 5.0.4 GA or a later supported release containing the fix. IBM recommends applying the latest available maintenance to ensure protection against this vulnerability.</p><p></p><p>Reference : <a href=\"https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ETivoli&amp;product=ibm/Tivoli/IBM+TRIRIGA+Application+Platform&amp;release=5.0.4&amp;platform=All&amp;function=all\" rel=\"noopener noreferrer nofollow\">https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ETivoli&amp;product[…]GA+Application+Platform&amp;release=5.0.4&amp;platform=All&amp;function=all</a></p>"}],"value":"An holistic approach has been implemented to address XSS vulnerabilities across the application as part of IBM TRIRIGA Application Platform 5.0.4 GA. This vulnerability is also part of it.\n\n\n\nCustomers using affected versions of IBM TRIRIGA should upgrade to IBM TRIRIGA Application Platform 5.0.4 GA or a later supported release containing the fix. 
IBM recommends applying the latest available maintenance to ensure protection against this vulnerability.\n\n\n\n\n\n\n\nReference :  https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ETivoli&product[…]GA+Application+Platform&release=5.0.4&platform=All&function=all https://www.ibm.com/support/fixcentral/swg/selectFixes"}],"title":"IBM TRIRIGA Cross-Site Scripting Vulnerability","x_generator":{"engine":"ibm-cvegen"}}},"cveMetadata":{"assignerOrgId":"9a959283-ebb5-44b6-b705-dcc2bbced522","assignerShortName":"ibm","cveId":"CVE-2026-11372","datePublished":"2026-06-22T14:09:34.887Z","dateReserved":"2026-06-05T12:09:50.632Z","dateUpdated":"2026-06-22T15:57:43.139Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-22 16:16:32","lastModifiedDate":"2026-06-22 18:16:30","problem_types":["CWE-79","CWE-79 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"metrics":{"cvssMetricV31":[{"source":"psirt@us.ibm.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.5}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-22T15:57:33.585843Z","id":"CVE-2026-11372","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"11372","Ordinal":"1","Title":"IBM TRIRIGA Cross-Site Scripting Vulnerability","CVE":"CVE-2026-11372","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"11372","Ordinal":"1","NoteData":"IBM TRIRIGA Application Platform 5.0.2 through 
5.0.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.","Type":"Description","Title":"IBM TRIRIGA Cross-Site Scripting Vulnerability"}]}}}