PatchSiren

CVE-2016-6001 IBM CVE debrief

CVE-2016-6001 is a low-severity server-side request forgery (SSRF) issue in IBM Forms Experience Builder. According to NVD, the flaw can be triggered from the application design interface and may allow limited disclosure of internal resources. IBM’s referenced advisory and NVD list affected releases as 8.5, 8.5.1, and 8.6.0.

Vendor: IBM
Product: CVE-2016-6001
CVSS: LOW 3.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

Administrators and security teams responsible for IBM Forms Experience Builder deployments, especially environments that use the application design interface and allow the product to reach internal network resources.

Technical summary

NVD classifies the weakness as CWE-918 (SSRF) with CVSS v3.0 vector CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N. The issue is exposed over the network, requires low privileges, and is described as allowing some information disclosure of internal resources rather than direct integrity or availability impact. The affected CPEs listed by NVD are IBM Forms Experience Builder 8.5, 8.5.1, and 8.6.0.

Defensive priority

Low

Recommended defensive actions

  • Check whether IBM Forms Experience Builder 8.5, 8.5.1, or 8.6.0 is deployed in your environment.
  • Review IBM’s advisory and apply the vendor-recommended patch or update referenced for this CVE.
  • Restrict the application’s ability to reach internal or sensitive network destinations where practical.
  • Monitor application and network logs for unusual outbound requests initiated through the design interface.
  • Validate that any remediation prevents the application from being used as a path to internal resources.

Evidence notes

This debrief is based on the NVD CVE record, which lists IBM Forms Experience Builder as the affected product family and identifies CWE-918. The NVD record includes the vendor reference to IBM’s advisory (swg21991280) and a third-party advisory entry at SecurityFocus BID 95777. The CVE was published on 2017-02-01 and later modified on 2026-05-13; those dates are used here only as record timeline context.

Official resources

CVE-2016-6001 was published on 2017-02-01 and modified on 2026-05-13 in the NVD record. The source corpus indicates IBM had a vendor advisory and patch reference available for this issue.