CVE Vulnerabilities

CVE-2026-13773

Server-Side Request Forgery (SSRF)

Published: Jun 30, 2026 | Modified: Jul 02, 2026
CVSS 3.x
10
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
root.io logo minimus.io logo echo.ai logo

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 Approximately 50 generated CORBA stub classes in WebSphere eXtreme Scales ogclient.jar call ORB.string_to_object() on an attacker-controlled IOR string during Java deserialization, turning any unfiltered ObjectInputStream sink in WAS into outbound IIOP SSRF to an attacker-chosen host; when chained with the IBM ORBs getUserException class-instantiation flaw (WAS-26), this SSRF escalates to remote code execution on the calling JVM.

Weakness

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Affected Software

NameVendorStart VersionEnd Version
Websphere_extreme_scaleIbm8.6.1.0 (including)8.6.1.6 (including)

References