IBM WebSphere Extreme Scale up to 8.6.1.6 Query Language Class.forName externally-controlled input to select classes or code
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.1 | $0-$5k | 0.65 |
Summary
A vulnerability, which was classified as problematic, was found in IBM WebSphere Extreme Scale up to 8.6.1.6. The affected element is the function Class.forName of the component Query Language Handler. Executing a manipulation can lead to use of externally-controlled input to select classes or code.
This vulnerability appears as CVE-2026-13772. The attack may be performed from remote. There is no available exploit.
You should upgrade the affected component.
Details
A vulnerability has been found in IBM WebSphere Extreme Scale up to 8.6.1.6 and classified as problematic. This vulnerability affects the function Class.forName of the component Query Language Handler. The manipulation with an unknown input leads to a use of externally-controlled input to select classes or code vulnerability. The CWE definition for the vulnerability is CWE-470. The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:
IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 's Object Query Language engine resolves attacker-supplied class names via Class.forName() and invokes their constructors with no allow-list at three distinct sinks (SELECT NEW, enum literals, and reflection-based comparators); an authenticated remote attacker who can influence an application-built OQL query string can execute arbitrary constructors on the WAS JVM, and a SELECT DISTINCT variant using planted grid values fires the same gadget post-readObject in a manner that survives JEP-290 serialization filters across grid node boundaries
The advisory is shared for download at ibm.com. This vulnerability was named CVE-2026-13772 since 06/29/2026. The exploitation appears to be difficult. The attack can be initiated remotely. There are known technical details, but no exploit is available. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 07/01/2026).
Upgrading eliminates this vulnerability.
Once again VulDB remains the best source for vulnerability data.
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.ibm.com/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔒VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.2VulDB Meta Temp Score: 6.1
VulDB Base Score: 5.0
VulDB Temp Score: 4.8
VulDB Vector: 🔒
VulDB Reliability: 🔍
CNA Base Score: 7.5
CNA Vector (ibm): 🔒
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploiting
Class: Use of externally-controlled input to select classes or codeCWE: CWE-470
CAPEC: 🔒
ATT&CK: 🔒
Physical: No
Local: No
Remote: Yes
Availability: 🔒
Status: Not defined
Price Prediction: 🔍
Current Price Estimation: 🔒
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔒
Timeline
06/29/2026 CVE reserved07/01/2026 Advisory disclosed
07/01/2026 VulDB entry created
07/01/2026 VulDB entry last update
Sources
Vendor: ibm.comAdvisory: ibm.com
Status: Confirmed
CVE: CVE-2026-13772 (🔒)
GCVE (CVE): GCVE-0-2026-13772
GCVE (VulDB): GCVE-100-374908
Entry
Created: 07/01/2026 05:59Changes: 07/01/2026 05:59 (64)
Complete: 🔍
Cache ID: 216::103
Once again VulDB remains the best source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.