Search
Find a vulnerability
Search criteria
4 vulnerabilities found for cognos_transformer by ibm
CVE-2025-3633 (GCVE-0-2025-3633)
Vulnerability from nvd – Published: 2026-05-27 12:17 – Updated: 2026-05-27 14:31
VLAI
Title
IBM Cognos Analytics is affected by multiple security vulnerabilities
Summary
IBM Cognos Analytics 11.2.0, 11.2.4, 12.0, and 12.1.0 and IBM Cognos Transformer 11.2.4, 12.0, and 12.1.0 are vulnerable to cross-site scripting (XSS). This vulnerability allows a remote attacker to inject arbitrary JavaScript code into the web user interface, which may alter the intended functionality and could lead to the disclosure of credentials within a trusted session.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7272628 | vendor-advisorypatch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Cognos Analytics |
Affected:
11.2.0
Affected: 12.0 Affected: 12.1.0 cpe:2.3:a:ibm:cognos_analytics:11.2.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_analytics:12.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_analytics:12.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_analytics:12.1.0:*:*:*:*:*:*:* |
|
| IBM | Cognos Transformer |
Affected:
12.0
Affected: 11.2.4 Affected: 12.1.0 cpe:2.3:a:ibm:cognos_transformer:12.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_transformer:12.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_transformer:11.2.4:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_transformer:12.1.0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3633",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T14:27:31.520327Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T14:31:40.895Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:cognos_analytics:11.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_analytics:12.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_analytics:12.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_analytics:12.1.0:*:*:*:*:*:*:*"
],
"product": "Cognos Analytics",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.2.0"
},
{
"status": "affected",
"version": "12.0"
},
{
"status": "affected",
"version": "12.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:cognos_transformer:12.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_transformer:12.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_transformer:11.2.4:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_transformer:12.1.0:*:*:*:*:*:*:*"
],
"product": "Cognos Transformer",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "12.0"
},
{
"status": "affected",
"version": "11.2.4"
},
{
"status": "affected",
"version": "12.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Cognos Analytics 11.2.0, 11.2.4, 12.0, and 12.1.0 and IBM Cognos Transformer 11.2.4, 12.0, and 12.1.0 are vulnerable to cross-site scripting (XSS). This vulnerability allows a remote attacker to inject arbitrary JavaScript code into the web user interface, which may alter the intended functionality and could lead to the disclosure of credentials within a trusted session.\u003c/p\u003e"
}
],
"value": "IBM Cognos Analytics 11.2.0, 11.2.4, 12.0, and 12.1.0 and IBM Cognos Transformer 11.2.4, 12.0, and 12.1.0 are vulnerable to cross-site scripting (XSS). This vulnerability allows a remote attacker to inject arbitrary JavaScript code into the web user interface, which may alter the intended functionality and could lead to the disclosure of credentials within a trusted session."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T12:17:11.519Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7272628"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM strongly recommends addressing the vulnerability now by upgrading to latest versions\u003c/p\u003e\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eProduct(s)\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eVersion(s) number and/or range\u00a0\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eRemediation/Fix/Instructions\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Cognos Analytics\u003c/td\u003e\u003ctd\u003e11.2.0 - 11.2.4 FP6\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.ibm.com/support/pages/node/7270262\" rel=\"noopener noreferrer nofollow\"\u003eIBM Cognos Analytics 11.2.4 Fix Pack 7\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Cognos Analytics\u003c/td\u003e\u003ctd\u003e12.0.0 - 12.0.4 FP1\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.ibm.com/support/pages/node/7269268\" rel=\"noopener noreferrer nofollow\"\u003eIBM Cognos Analytics 12.0.4 Fix Pack 2\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Cognos Analytics\u003c/td\u003e\u003ctd\u003e12.1.0 - 12.1.1 IF1\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.ibm.com/support/pages/node/7258071\" rel=\"noopener noreferrer nofollow\"\u003eIBM Cognos Analytics 12.1.2\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "IBM strongly recommends addressing the vulnerability now by upgrading to latest versionsProduct(s)Version(s) number and/or range\u00a0Remediation/Fix/InstructionsIBM Cognos Analytics11.2.0 - 11.2.4 FP6IBM Cognos Analytics 11.2.4 Fix Pack 7IBM Cognos Analytics12.0.0 - 12.0.4 FP1IBM Cognos Analytics 12.0.4 Fix Pack 2IBM Cognos Analytics12.1.0 - 12.1.1 IF1IBM Cognos Analytics 12.1.2"
}
],
"title": "IBM Cognos Analytics is affected by multiple security vulnerabilities",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-3633",
"datePublished": "2026-05-27T12:17:11.519Z",
"dateReserved": "2025-04-15T09:48:14.783Z",
"dateUpdated": "2026-05-27T14:31:40.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36126 (GCVE-0-2025-36126)
Vulnerability from nvd – Published: 2026-05-26 15:52 – Updated: 2026-05-27 17:20
VLAI
Title
IBM Cognos Analytics is affected by Cross-site scripting.
Summary
IBM Cognos Analytics 11.2.0, 12.0, and 12.1.0 and IBM Cognos Transformer 12.0, 11.2.4, and 12.1.0 is vulnerable to stored cross-site scripting (XSS) in Cognos Adminstration. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7272628 | vendor-advisorypatch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Cognos Analytics |
Affected:
11.2.0
Affected: 12.0 Affected: 12.1.0 cpe:2.3:a:ibm:cognos_analytics:11.2.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_analytics:12.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_analytics:12.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_analytics:12.1.0:*:*:*:*:*:*:* |
|
| IBM | Cognos Transformer |
Affected:
12.0
Affected: 11.2.4 Affected: 12.1.0 cpe:2.3:a:ibm:cognos_transformer:12.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_transformer:12.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_transformer:11.2.4:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_transformer:12.1.0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36126",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T17:20:04.656302Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T17:20:14.707Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:cognos_analytics:11.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_analytics:12.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_analytics:12.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_analytics:12.1.0:*:*:*:*:*:*:*"
],
"product": "Cognos Analytics",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.2.0"
},
{
"status": "affected",
"version": "12.0"
},
{
"status": "affected",
"version": "12.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:cognos_transformer:12.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_transformer:12.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_transformer:11.2.4:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_transformer:12.1.0:*:*:*:*:*:*:*"
],
"product": "Cognos Transformer",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "12.0"
},
{
"status": "affected",
"version": "11.2.4"
},
{
"status": "affected",
"version": "12.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Cognos Analytics 11.2.0, 12.0, and 12.1.0 and IBM Cognos Transformer 12.0, 11.2.4, and 12.1.0 is vulnerable to stored cross-site scripting (XSS) in Cognos Adminstration. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.\u003c/p\u003e"
}
],
"value": "IBM Cognos Analytics 11.2.0, 12.0, and 12.1.0 and IBM Cognos Transformer 12.0, 11.2.4, and 12.1.0 is vulnerable to stored cross-site scripting (XSS) in Cognos Adminstration. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T12:05:00.708Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7272628"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM strongly recommends addressing the vulnerability now by upgrading to latest versions\u003c/p\u003e\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eProduct(s)\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eVersion(s) number and/or range\u00a0\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eRemediation/Fix/Instructions\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Cognos Analytics\u003c/td\u003e\u003ctd\u003e11.2.0 - 11.2.4 FP6\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.ibm.com/support/pages/node/7270262\" rel=\"noopener noreferrer nofollow\"\u003eIBM Cognos Analytics 11.2.4 Fix Pack 7\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Cognos Analytics\u003c/td\u003e\u003ctd\u003e12.0.0 - 12.0.4 FP1\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.ibm.com/support/pages/node/7269268\" rel=\"noopener noreferrer nofollow\"\u003eIBM Cognos Analytics 12.0.4 Fix Pack 2\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Cognos Analytics\u003c/td\u003e\u003ctd\u003e12.1.0 - 12.1.1 IF1\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.ibm.com/support/pages/node/7258071\" rel=\"noopener noreferrer nofollow\"\u003eIBM Cognos Analytics 12.1.2\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "IBM strongly recommends addressing the vulnerability now by upgrading to latest versions\n\nProduct(s)Version(s) number and/or range\u00a0Remediation/Fix/InstructionsIBM Cognos Analytics11.2.0 - 11.2.4 FP6 IBM Cognos Analytics 11.2.4 Fix Pack 7 https://www.ibm.com/support/pages/node/7270262 IBM Cognos Analytics12.0.0 - 12.0.4 FP1 IBM Cognos Analytics 12.0.4 Fix Pack 2 https://www.ibm.com/support/pages/node/7269268 IBM Cognos Analytics12.1.0 - 12.1.1 IF1 IBM Cognos Analytics 12.1.2 https://www.ibm.com/support/pages/node/7258071"
}
],
"title": "IBM Cognos Analytics is affected by Cross-site scripting.",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36126",
"datePublished": "2026-05-26T15:52:49.002Z",
"dateReserved": "2025-04-15T21:16:18.171Z",
"dateUpdated": "2026-05-27T17:20:14.707Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-3633 (GCVE-0-2025-3633)
Vulnerability from cvelistv5 – Published: 2026-05-27 12:17 – Updated: 2026-05-27 14:31
VLAI
Title
IBM Cognos Analytics is affected by multiple security vulnerabilities
Summary
IBM Cognos Analytics 11.2.0, 11.2.4, 12.0, and 12.1.0 and IBM Cognos Transformer 11.2.4, 12.0, and 12.1.0 are vulnerable to cross-site scripting (XSS). This vulnerability allows a remote attacker to inject arbitrary JavaScript code into the web user interface, which may alter the intended functionality and could lead to the disclosure of credentials within a trusted session.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7272628 | vendor-advisorypatch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Cognos Analytics |
Affected:
11.2.0
Affected: 12.0 Affected: 12.1.0 cpe:2.3:a:ibm:cognos_analytics:11.2.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_analytics:12.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_analytics:12.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_analytics:12.1.0:*:*:*:*:*:*:* |
|
| IBM | Cognos Transformer |
Affected:
12.0
Affected: 11.2.4 Affected: 12.1.0 cpe:2.3:a:ibm:cognos_transformer:12.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_transformer:12.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_transformer:11.2.4:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_transformer:12.1.0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3633",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T14:27:31.520327Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T14:31:40.895Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:cognos_analytics:11.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_analytics:12.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_analytics:12.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_analytics:12.1.0:*:*:*:*:*:*:*"
],
"product": "Cognos Analytics",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.2.0"
},
{
"status": "affected",
"version": "12.0"
},
{
"status": "affected",
"version": "12.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:cognos_transformer:12.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_transformer:12.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_transformer:11.2.4:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_transformer:12.1.0:*:*:*:*:*:*:*"
],
"product": "Cognos Transformer",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "12.0"
},
{
"status": "affected",
"version": "11.2.4"
},
{
"status": "affected",
"version": "12.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Cognos Analytics 11.2.0, 11.2.4, 12.0, and 12.1.0 and IBM Cognos Transformer 11.2.4, 12.0, and 12.1.0 are vulnerable to cross-site scripting (XSS). This vulnerability allows a remote attacker to inject arbitrary JavaScript code into the web user interface, which may alter the intended functionality and could lead to the disclosure of credentials within a trusted session.\u003c/p\u003e"
}
],
"value": "IBM Cognos Analytics 11.2.0, 11.2.4, 12.0, and 12.1.0 and IBM Cognos Transformer 11.2.4, 12.0, and 12.1.0 are vulnerable to cross-site scripting (XSS). This vulnerability allows a remote attacker to inject arbitrary JavaScript code into the web user interface, which may alter the intended functionality and could lead to the disclosure of credentials within a trusted session."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T12:17:11.519Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7272628"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM strongly recommends addressing the vulnerability now by upgrading to latest versions\u003c/p\u003e\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eProduct(s)\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eVersion(s) number and/or range\u00a0\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eRemediation/Fix/Instructions\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Cognos Analytics\u003c/td\u003e\u003ctd\u003e11.2.0 - 11.2.4 FP6\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.ibm.com/support/pages/node/7270262\" rel=\"noopener noreferrer nofollow\"\u003eIBM Cognos Analytics 11.2.4 Fix Pack 7\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Cognos Analytics\u003c/td\u003e\u003ctd\u003e12.0.0 - 12.0.4 FP1\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.ibm.com/support/pages/node/7269268\" rel=\"noopener noreferrer nofollow\"\u003eIBM Cognos Analytics 12.0.4 Fix Pack 2\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Cognos Analytics\u003c/td\u003e\u003ctd\u003e12.1.0 - 12.1.1 IF1\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.ibm.com/support/pages/node/7258071\" rel=\"noopener noreferrer nofollow\"\u003eIBM Cognos Analytics 12.1.2\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "IBM strongly recommends addressing the vulnerability now by upgrading to latest versionsProduct(s)Version(s) number and/or range\u00a0Remediation/Fix/InstructionsIBM Cognos Analytics11.2.0 - 11.2.4 FP6IBM Cognos Analytics 11.2.4 Fix Pack 7IBM Cognos Analytics12.0.0 - 12.0.4 FP1IBM Cognos Analytics 12.0.4 Fix Pack 2IBM Cognos Analytics12.1.0 - 12.1.1 IF1IBM Cognos Analytics 12.1.2"
}
],
"title": "IBM Cognos Analytics is affected by multiple security vulnerabilities",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-3633",
"datePublished": "2026-05-27T12:17:11.519Z",
"dateReserved": "2025-04-15T09:48:14.783Z",
"dateUpdated": "2026-05-27T14:31:40.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36126 (GCVE-0-2025-36126)
Vulnerability from cvelistv5 – Published: 2026-05-26 15:52 – Updated: 2026-05-27 17:20
VLAI
Title
IBM Cognos Analytics is affected by Cross-site scripting.
Summary
IBM Cognos Analytics 11.2.0, 12.0, and 12.1.0 and IBM Cognos Transformer 12.0, 11.2.4, and 12.1.0 is vulnerable to stored cross-site scripting (XSS) in Cognos Adminstration. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7272628 | vendor-advisorypatch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Cognos Analytics |
Affected:
11.2.0
Affected: 12.0 Affected: 12.1.0 cpe:2.3:a:ibm:cognos_analytics:11.2.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_analytics:12.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_analytics:12.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_analytics:12.1.0:*:*:*:*:*:*:* |
|
| IBM | Cognos Transformer |
Affected:
12.0
Affected: 11.2.4 Affected: 12.1.0 cpe:2.3:a:ibm:cognos_transformer:12.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_transformer:12.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_transformer:11.2.4:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_transformer:12.1.0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36126",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T17:20:04.656302Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T17:20:14.707Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:cognos_analytics:11.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_analytics:12.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_analytics:12.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_analytics:12.1.0:*:*:*:*:*:*:*"
],
"product": "Cognos Analytics",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.2.0"
},
{
"status": "affected",
"version": "12.0"
},
{
"status": "affected",
"version": "12.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:cognos_transformer:12.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_transformer:12.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_transformer:11.2.4:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_transformer:12.1.0:*:*:*:*:*:*:*"
],
"product": "Cognos Transformer",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "12.0"
},
{
"status": "affected",
"version": "11.2.4"
},
{
"status": "affected",
"version": "12.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Cognos Analytics 11.2.0, 12.0, and 12.1.0 and IBM Cognos Transformer 12.0, 11.2.4, and 12.1.0 is vulnerable to stored cross-site scripting (XSS) in Cognos Adminstration. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.\u003c/p\u003e"
}
],
"value": "IBM Cognos Analytics 11.2.0, 12.0, and 12.1.0 and IBM Cognos Transformer 12.0, 11.2.4, and 12.1.0 is vulnerable to stored cross-site scripting (XSS) in Cognos Adminstration. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T12:05:00.708Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7272628"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM strongly recommends addressing the vulnerability now by upgrading to latest versions\u003c/p\u003e\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eProduct(s)\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eVersion(s) number and/or range\u00a0\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eRemediation/Fix/Instructions\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Cognos Analytics\u003c/td\u003e\u003ctd\u003e11.2.0 - 11.2.4 FP6\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.ibm.com/support/pages/node/7270262\" rel=\"noopener noreferrer nofollow\"\u003eIBM Cognos Analytics 11.2.4 Fix Pack 7\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Cognos Analytics\u003c/td\u003e\u003ctd\u003e12.0.0 - 12.0.4 FP1\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.ibm.com/support/pages/node/7269268\" rel=\"noopener noreferrer nofollow\"\u003eIBM Cognos Analytics 12.0.4 Fix Pack 2\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Cognos Analytics\u003c/td\u003e\u003ctd\u003e12.1.0 - 12.1.1 IF1\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.ibm.com/support/pages/node/7258071\" rel=\"noopener noreferrer nofollow\"\u003eIBM Cognos Analytics 12.1.2\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "IBM strongly recommends addressing the vulnerability now by upgrading to latest versions\n\nProduct(s)Version(s) number and/or range\u00a0Remediation/Fix/InstructionsIBM Cognos Analytics11.2.0 - 11.2.4 FP6 IBM Cognos Analytics 11.2.4 Fix Pack 7 https://www.ibm.com/support/pages/node/7270262 IBM Cognos Analytics12.0.0 - 12.0.4 FP1 IBM Cognos Analytics 12.0.4 Fix Pack 2 https://www.ibm.com/support/pages/node/7269268 IBM Cognos Analytics12.1.0 - 12.1.1 IF1 IBM Cognos Analytics 12.1.2 https://www.ibm.com/support/pages/node/7258071"
}
],
"title": "IBM Cognos Analytics is affected by Cross-site scripting.",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36126",
"datePublished": "2026-05-26T15:52:49.002Z",
"dateReserved": "2025-04-15T21:16:18.171Z",
"dateUpdated": "2026-05-27T17:20:14.707Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}