PatchSiren

CVE-2016-5882 IBM CVE debrief

CVE-2016-5882 is a cross-site scripting issue in IBM iNotes, with NVD also listing affected IBM Domino and iNotes versions. The vulnerability can let an attacker embed arbitrary JavaScript in the Web UI, which may alter application behavior and expose credentials within a trusted session. NVD rates the issue 6.1 (MEDIUM) and maps it to CWE-79.

Vendor: IBM
Product: CVE-2016-5882
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

IBM iNotes and Domino administrators, security teams managing webmail or browser-based collaboration access, and organizations that expose the affected Web UI to end users.

Technical summary

The NVD record describes a reflected or stored XSS-class weakness in IBM iNotes. The CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network reachability, no privileges required, and user interaction required. The NVD weakness mapping is CWE-79. The affected CPE list includes IBM Domino and IBM iNotes releases from 8.5.1.0 through 9.0.1.6.

Defensive priority

Medium. The issue requires user interaction, but successful exploitation can affect trusted sessions and expose sensitive data in the browser context.

Recommended defensive actions

  • Review IBM’s vendor advisory and apply the referenced patch or remediation guidance for affected iNotes/Domino releases.
  • Inventory all IBM Domino and iNotes deployments and compare them against the affected CPE versions listed by NVD.
  • Treat any browser-based session that can render untrusted content as high risk and verify that input handling and output encoding are correct in the Web UI.
  • Limit exposure of the affected Web UI where possible and monitor for unexpected script execution or anomalous session behavior.
  • After remediation, test representative workflows to confirm the advisory fix is applied without breaking mail or collaboration features.
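
The inventory comparison from the list above, as an added example (not code from PatchSiren, IBM or NVD). The hostnames and versions are constructed, and it assumes the range 8.5.1.0 through 9.0.1.6 is contiguous and inclusive, as this page summarizes it; the NVD CPE list remains the authoritative source.

```python
import re

# Range as summarized on this page; assumed contiguous and inclusive.
AFFECTED_MIN = (8, 5, 1, 0)
AFFECTED_MAX = (9, 0, 1, 6)

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("mail01.example.internal", "iNotes", "9.0.1.6"),
    ("mail02.example.internal", "Domino", "9.0.1.7"),
    ("mail03.example.internal", "Domino", "8.5.1"),
    ("mail04.example.internal", "iNotes", "8.5.0.1"),
    ("mail05.example.internal", "Domino", "9.0.x"),
]

_DOTTED = re.compile(r"\d+(\.\d+){0,3}")


def parse_version(text):
    """Return a 4-tuple of ints, or None if not a plain dotted version."""
    text = text.strip()
    if not _DOTTED.fullmatch(text):
        return None
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))  # pad "8.5.1" to 8.5.1.0


def classify(version_text):
    """Classify one version string: 'affected', 'not-in-range' or 'review'."""
    version = parse_version(version_text)
    if version is None:
        return "review"  # never guess at a format we cannot parse
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    return "not-in-range"


def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(ver) for host, _product, ver in inventory}


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{status:13} {host}")
```

Hosts marked "review" need a manual check against the NVD CPE list, since a version string that does not parse is not evidence that the host is unaffected.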

Evidence notes

The NVD record for CVE-2016-5882 identifies CWE-79 and lists vulnerable IBM Domino and IBM iNotes CPEs spanning 8.5.1.0 through 9.0.1.6. IBM PSIRT references a vendor advisory with patch guidance at the linked IBM support document. In the supplied timeline data, the vulnerability was published on 2017-02-01 and later modified on 2026-05-13.

Official resources

The CVE was published on 2017-02-01T20:59:00.940Z and modified on 2026-05-13T00:24:29.033Z in the supplied record. No KEV entry or ransomware-campaign linkage is indicated in the provided corpus.