{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1243", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2026-01-20T18:45:11.903Z", "datePublished": "2026-04-02T00:14:31.101Z", "dateUpdated": "2026-04-02T13:49:12.514Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-04-02T00:14:31.101Z"}, "title": "IBM Content Navigator is affected by , a Cross-Site Scripting (XSS) vulnerability", "affected": [{"vendor": "IBM", "product": "Content Navigator", "versions": [{"status": "affected", "version": "3.0.15", "lessThanOrEqual": "1.11.0", "versionType": "semver"}, {"status": "affected", "version": "3.1.0"}, {"status": "affected", "version": "3.2.0"}], "cpes": ["cpe:2.3:a:ibm:content_navigator:3.0.15:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:content_navigator:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:content_navigator:3.2.0:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "IBM Content Navigator 3.0.15, 3.1.0, and 3.2.0 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM Content Navigator 3.0.15, 3.1.0, and 3.2.0 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.</p>"}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7268006", "tags": ["vendor-advisory", "patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}}], "solutions": [{"lang": "en", "value": "Affected VersionsFixes3.0.15ICN 3.0.15 IF0093.1.0ICN 3.1.0 IF008 LA23.2.0ICN 3.2.0 IF004", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<table><tbody><tr><td>Affected Versions</td><td>Fixes</td></tr><tr><td>3.0.15</td><td>ICN 3.0.15 IF009</td></tr><tr><td>3.1.0</td><td>ICN 3.1.0 IF008 LA2</td></tr><tr><td>3.2.0</td><td>ICN 3.2.0 IF004</td></tr></tbody></table>"}]}], "x_generator": {"engine": "ibm-cvegen"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T13:49:08.537768Z", "id": "CVE-2026-1243", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:49:12.514Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1243", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T13:49:08.537768Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:49:03.681Z"}}], "cna": {"title": "IBM Content Navigator is affected by , a Cross-Site Scripting (XSS) vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:ibm:content_navigator:3.0.15:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:content_navigator:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:content_navigator:3.2.0:*:*:*:*:*:*:*"], "vendor": "IBM", "product": "Content Navigator", "versions": [{"status": "affected", "version": "3.0.15", "versionType": "semver", "lessThanOrEqual": "1.11.0"}, {"status": "affected", "version": "3.1.0"}, {"status": "affected", "version": "3.2.0"}]}], "solutions": [{"lang": "en", "value": "Affected VersionsFixes3.0.15ICN 3.0.15 IF0093.1.0ICN 3.1.0 IF008 LA23.2.0ICN 3.2.0 IF004", "supportingMedia": [{"type": "text/html", "value": "<table><tbody><tr><td>Affected Versions</td><td>Fixes</td></tr><tr><td>3.0.15</td><td>ICN 3.0.15 IF009</td></tr><tr><td>3.1.0</td><td>ICN 3.1.0 IF008 LA2</td></tr><tr><td>3.2.0</td><td>ICN 3.2.0 IF004</td></tr></tbody></table>", "base64": false}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7268006", "tags": ["vendor-advisory", "patch"]}], "x_generator": {"engine": "ibm-cvegen"}, "descriptions": [{"lang": "en", "value": "IBM Content Navigator 3.0.15, 3.1.0, and 3.2.0 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.", "supportingMedia": [{"type": "text/html", "value": "<p>IBM Content Navigator 3.0.15, 3.1.0, and 3.2.0 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.</p>", "base64": false}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-04-02T00:14:31.101Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1243", "state": "PUBLISHED", "dateUpdated": "2026-04-02T13:49:12.514Z", "dateReserved": "2026-01-20T18:45:11.903Z", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "datePublished": "2026-04-02T00:14:31.101Z", "assignerShortName": "ibm"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:content_navigator:3.0.15:-:*:*:*:*:*:*", "matchCriteriaId": "970464FB-088C-4325-8172-39DEC02B9AF3", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:content_navigator:3.1.0:-:*:*:*:*:*:*", "matchCriteriaId": "AF91A6FA-A5E4-4C15-AA11-A4D1CFBAF440", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:content_navigator:3.2.0:-:*:*:*:*:*:*", "matchCriteriaId": "9EF33918-7F0E-4034-91F4-950D5D030FD3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:ibm:aix:-:*:*:*:*:*:*:*", "matchCriteriaId": "E492C463-D76E-49B7-A4D4-3B499E422D89", "vulnerable": false}, {"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Content Navigator 3.0.15, 3.1.0, and 3.2.0 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."}], "id": "CVE-2026-1243", "lastModified": "2026-04-07T16:20:48.397", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "psirt@us.ibm.com", "type": "Secondary"}]}, "published": "2026-04-02T01:16:01.317", "references": [{"source": "psirt@us.ibm.com", "tags": ["Vendor Advisory"], "url": "https://www.ibm.com/support/pages/node/7268006"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.15,1.11.0]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.1.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.2.0"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "content_navigator", "vendor": "ibm"}], "analysis": {"en": {"generated_at": "2026-04-08T21:29:35.343324+00:00", "value": {"mitigation_remediation": ["Apply the IBM security fixes for each affected version \u2013 update IBM Content Navigator to the latest 3.0.15, 3.1.0, or 3.2.0 release, using the patch identifiers IF0093.1.0, IF008, and IF004 respectively.", "Ensure that the updated version is in use across all instances of the application.", "Verify that the applied update has disabled the vulnerable functionality by testing the web UI for correct rendering after the patch."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting that may expose credentials within a trusted session"}, "threat_synthesis": {"affected_systems": "The affected product is IBM Content Navigator. Vulnerable releases are 3.0.15, 3.1.0, and 3.2.0. No other version information is listed.", "description_and_impact": "IBM Content Navigator versions 3.0.15, 3.1.0, and 3.2.0 contain a cross\u2011site scripting flaw that lets an authenticated user embed arbitrary JavaScript into the web interface. This can alter the intended functionality and, because the code executes with the privileges of the logged\u2011in user, may lead to disclosure of credentials or other sensitive information. The flaw is catalogued as CWE\u201179.", "risk_and_exploitability": "The CVSS score is 5.4, indicative of moderate severity, and the EPSS score is below 1%, suggesting a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to be an authenticated user with access to the application; the attack vector therefore is limited to authenticated session abuse and not to unauthenticated remote exploitation."}}}}, "created": "2026-04-02T07:46:51.389565+00:00", "updated": "2026-04-09T08:29:23.805340+00:00", "vendors": ["ibm", "ibm$PRODUCT$content_navigator"]}