CVE-2026-8855
CRITICAL WAF: Medium
CVSS 9.8
Published: 2026-05-26
CWE-94
IBM HTTP Server 8.5 and 9.0 are vulnerable to remote code execution and denial of service in configurations with TLS mutual authentication (client authentication).
WAF Coverage Analysis
Code Injection
Medium WAF Coverage
OWASP: A03:2021 Injection
- 932xxx - Remote Code Execution
- 933xxx - PHP Injection
- 934xxx - Node.js / Generic Injection
Affected Software
| Vendor | Product | Version |
|---|---|---|
| ibm | http_server | 8.5.0.0 - 8.5.5.30 |
| ibm | http_server | 9.0.0.0 - 9.0.5.29 |
References
- www.ibm.com (Vendor Advisory)