PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-36126 IBM CVE debrief

A stored cross-site scripting (XSS) vulnerability exists in IBM Cognos Analytics and IBM Cognos Transformer, affecting versions 11.2.0, 12.0, and 12.1.0 of Cognos Analytics and versions 11.2.4, 12.0, and 12.1.0 of Cognos Transformer. The vulnerability resides in the Cognos Administration Web UI component. A privileged attacker can embed arbitrary JavaScript code that executes within the context of a trusted user's session, potentially leading to credential disclosure. The attack requires low privileges and no user interaction, with a network-based attack vector; the changed scope (S:C) indicates impact beyond the vulnerable component. The CVSS 3.1 vector confirms medium severity with low confidentiality and integrity impact and no availability impact.

Vendor: IBM
Product: Cognos Analytics
CVSS: MEDIUM 6.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-26
Advisory published: 2026-05-26
Advisory updated: 2026-05-26

Who should care

Organizations running IBM Cognos Analytics 11.2.0, 12.0, or 12.1.0, or IBM Cognos Transformer 11.2.4, 12.0, or 12.1.0 with administrative access enabled. Security teams should prioritize patching and privilege review for environments where administrative users handle sensitive credentials.

Technical summary

The vulnerability is a stored XSS (CWE-79) in the Cognos Administration Web UI. An attacker with low privileges can persist malicious JavaScript that executes when trusted users open the administrative interface. The changed-scope metric (S:C) indicates that a successful exploit affects resources beyond the vulnerable component's own security scope. No availability impact is associated with this vulnerability.

Defensive priority

medium

Recommended defensive actions

  • Apply security patches from IBM when available per vendor advisory
  • Review and restrict administrative privileges in Cognos Administration to reduce attack surface
  • Implement Content Security Policy (CSP) headers to mitigate XSS impact
  • Enable input validation and output encoding for all user-supplied data in administrative interfaces
  • Monitor for suspicious administrative activity and unauthorized script injection attempts
  • Review session management configurations to limit exposure of credentials in trusted sessions
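The output-encoding, CSP and monitoring items above are generic controls; the following example is added here to show what they look like in practice for an administrative page that displays stored, user-controlled text. It is illustrative code written for this debrief, not IBM's code and not the Cognos Administration implementation: the template, the field names, the nonce scheme and the JSON audit-line format are all constructed assumptions.

```javascript
// Added example (not IBM Cognos code): the CWE-79 pattern beside its fix,
// a CSP that blocks inline script, and a simple audit-log check.

// Encode the five characters that can break out of an HTML text or
// attribute context. This is the "output encoding" control.
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (CWE-79): a stored value is interpolated into the
// administrative page exactly as it was saved, so markup in it becomes live.
function renderVulnerable(ownerName) {
  return `<td class="owner">${ownerName}</td>`;
}

// Hardened pattern: the same stored value is encoded for the context it lands in.
function renderHardened(ownerName) {
  return `<td class="owner">${htmlEncode(ownerName)}</td>`;
}

// A Content-Security-Policy value without 'unsafe-inline'. Inline script
// injected through a missed encoding point will not run under this policy.
// Assumption: the UI serves its own scripts from the same origin and tags
// them with a per-response nonce.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; ');
}

// Monitoring: flag writes to stored fields whose value contains markup that
// could execute when rendered. The JSON audit-line format is constructed for
// this example; it is not a Cognos log format.
const SUSPICIOUS_MARKUP = /<\s*script|on\w+\s*=|javascript:/i;
function flagSuspiciousWrites(auditLines) {
  return auditLines
    .map((line) => JSON.parse(line))
    .filter((entry) => entry.action === 'update' && SUSPICIOUS_MARKUP.test(entry.value))
    .map((entry) => `${entry.user} wrote to ${entry.field}`);
}

// Constructed sample data.
const STORED_NAME = '<script>alert(1)</script>';
const SAMPLE_AUDIT = [
  '{"user":"analyst1","action":"update","field":"description","value":"Quarterly sales"}',
  '{"user":"analyst2","action":"update","field":"description","value":"<script>alert(1)</script>"}',
  '{"user":"analyst3","action":"update","field":"title","value":"<img src=x onerror=alert(1)>"}',
  '{"user":"admin","action":"read","field":"description","value":"<script>ok</script>"}',
];

console.log('vulnerable:', renderVulnerable(STORED_NAME));
console.log('hardened:  ', renderHardened(STORED_NAME));
console.log('CSP:       ', buildCsp('r4nd0m'));
console.log('flagged:   ', flagSuspiciousWrites(SAMPLE_AUDIT));
```

The encoded output still shows the reviewer the literal text that was stored, which is what an administrator needs to see in order to clean it up, while the CSP acts as a second layer for any rendering path the encoding does not cover. The audit check is deliberately coarse (a regular expression over field values) and is meant as a tripwire for review, not as a substitute for server-side encoding.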

Evidence notes

Vulnerability confirmed via IBM PSIRT advisory and NVD entry. CWE-79 (Improper Neutralization of Input During Web Page Generation) identified as root cause. CVSS 3.1 score 6.4 (MEDIUM) with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. Affected products and versions explicitly listed in official sources.

Official resources

2026-05-26