PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-3633 IBM CVE debrief

IBM Cognos Analytics and IBM Cognos Transformer contain a stored cross-site scripting (XSS) vulnerability (CWE-79) affecting versions 11.2.0, 11.2.4, 12.0, and 12.1.0 (Analytics) and 11.2.4, 12.0, and 12.1.0 (Transformer). The vulnerability allows a remote attacker with low privileges to inject arbitrary JavaScript into the web UI, potentially altering functionality and disclosing credentials within a trusted session. CVSS 3.1 score: 5.4 (Medium). Published 2026-05-27. No known exploitation in the wild or ransomware campaign use. IBM has released security updates.

Vendor: IBM
Product: Cognos Analytics
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running IBM Cognos Analytics 11.2.0/11.2.4/12.0/12.1.0 or IBM Cognos Transformer 11.2.4/12.0/12.1.0 for business intelligence and analytics workloads. Security teams responsible for web application security and data protection in enterprise BI environments.

Technical summary

A stored XSS vulnerability in IBM Cognos Analytics and Transformer allows authenticated remote attackers to inject malicious JavaScript into the web UI. Exploitation requires only low privileges and user interaction, and the CVSS vector marks scope as changed, meaning the impact extends beyond the vulnerable component into the victim's browser session. Successful exploitation could lead to session hijacking and credential theft within trusted sessions.

Defensive priority

Medium

Recommended defensive actions

  • Apply IBM security updates per IBM security bulletin for affected Cognos Analytics and Transformer versions
  • Review and restrict user input handling in Cognos web interfaces
  • Implement Content Security Policy (CSP) headers to mitigate XSS impact
  • Monitor for anomalous JavaScript execution in Cognos user sessions
  • Validate that session cookies use HttpOnly and Secure flags
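The following script is an added example, not PatchSiren's or IBM's code: it audits a set of HTTP response headers for the two controls the list above recommends, a Content-Security-Policy that actually restricts script execution and HttpOnly/Secure flags on every Set-Cookie. The two header sets are constructed samples (including the cookie names) and are not captured from a Cognos server; the checks themselves are generic and apply to any web application.

```python
"""Audit HTTP response headers for XSS-hardening controls.

Added example (not PatchSiren's or IBM's code). Checks that a
Content-Security-Policy header is present and limits script sources,
and that every Set-Cookie carries HttpOnly and Secure. The header sets
below are constructed samples, not output from a real Cognos instance.
"""
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# Constructed sample: a response before hardening (no CSP, weak cookies).
WEAK_HEADERS: List[Header] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "JSESSIONID=deadbeef; Path=/; HttpOnly"),
]

# Constructed sample: the same response with the recommended controls applied.
HARDENED_HEADERS: List[Header] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Content-Security-Policy",
     "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "JSESSIONID=deadbeef; Path=/; Secure; HttpOnly"),
]


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Turn "a b; c d" into {"a": ["b"], "c": ["d"]}; directive names are case-insensitive."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_findings(headers: List[Header]) -> List[str]:
    """Report a missing CSP or a script policy that does not constrain inline/remote script."""
    csp_values = [v for k, v in headers if k.lower() == "content-security-policy"]
    if not csp_values:
        return ["no Content-Security-Policy header"]
    policy = parse_csp(csp_values[0])
    # script-src governs script execution; default-src is the fallback when it is absent.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return ["CSP sets neither script-src nor default-src"]
    findings: List[str] = []
    lowered = [s.lower() for s in sources]
    # CSP-aware browsers ignore 'unsafe-inline' once a nonce or hash is present,
    # so only flag it when nothing else constrains inline script.
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in lowered)
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
    if "*" in lowered or "data:" in lowered:
        findings.append("script-src allows wildcard or data: sources")
    return findings


def cookie_findings(headers: List[Header]) -> List[str]:
    """Report every Set-Cookie that lacks HttpOnly or Secure."""
    findings: List[str] = []
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        name = v.split("=", 1)[0].strip()
        # Attribute names after the first ';' are case-insensitive per RFC 6265.
        attrs = {a.strip().split("=", 1)[0].lower() for a in v.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
    return findings


def audit(headers: List[Header]) -> List[str]:
    """Combined findings; an empty list means both controls are in place."""
    return csp_findings(headers) + cookie_findings(headers)


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit(hdrs) or "OK")
```

HttpOnly stops injected script from reading the cookie value through document.cookie, but script running in the victim's page can still issue requests that carry the cookie automatically, which is why the CSP check sits alongside the cookie check rather than replacing it.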

Evidence notes

Vulnerability confirmed by IBM PSIRT and catalogued in NVD with CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. CWE-79 (Improper Neutralization of Input During Web Page Generation) identified as root cause.

Official resources

IBM disclosed this vulnerability via their Product Security Incident Response Team (PSIRT) and published a security bulletin with remediation guidance.