PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-5880 IBM CVE debrief

CVE-2016-5880 is a cross-site scripting vulnerability in IBM iNotes that can let a user embed arbitrary JavaScript in the web UI. The impact described in the record is alteration of intended functionality and possible credential disclosure within a trusted session. NVD rates the issue as medium severity (CVSS 5.4) and ties it to CWE-79.

Vendor: IBM
Product: CVE-2016-5880
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

IBM iNotes and IBM Domino administrators, especially teams supporting webmail/web UI access, should treat this as relevant because the attack path depends on a user interacting with crafted content inside a trusted session.

Technical summary

The NVD record describes an XSS issue in IBM iNotes. The CVSS 3.0 vector is AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating a network-reachable attack that requires low privileges and user interaction, with limited confidentiality and integrity impact but changed scope. NVD lists affected IBM Domino and IBM iNotes versions across the 8.5.1 through 9.0.1.6 lines.

Defensive priority

Medium priority. The vulnerability is not availability-focused, but it can expose credentials or enable action spoofing in a trusted web session, so patching and validation should be scheduled promptly for any exposed IBM iNotes deployment.

Recommended defensive actions

  • Apply the IBM fix or guidance referenced in the vendor advisory linked from NVD.
  • Verify which IBM iNotes and IBM Domino versions in your environment match the affected CPE ranges listed by NVD.
  • Review web UI input handling and output encoding controls for user-supplied content.
  • Reassess session protections for iNotes users, especially where trusted browser sessions are used.
  • Track any residual exposure by limiting access to patched systems until remediation is confirmed.

Evidence notes

All substantive claims are supported by the NVD record and its cited IBM advisory. The official record was published on 2017-02-01 and later modified on 2026-05-13; that modified date reflects database maintenance, not the original vulnerability date.

Official resources

Publicly disclosed in the official record on 2017-02-01T20:59:00.893Z; the NVD entry was modified on 2026-05-13T00:24:29.033Z.