CVE-2025-3633

MEDIUM

IBM Cognos Analytics is affected by multiple security vulnerabilities

Title source: cna

Description

IBM Cognos Analytics 11.2.0, 11.2.4, 12.0, and 12.1.0 and IBM Cognos Transformer 11.2.4, 12.0, and 12.1.0 are vulnerable to cross-site scripting (XSS). This vulnerability allows a remote attacker to inject arbitrary JavaScript code into the web user interface, which may alter the intended functionality and could lead to the disclosure of credentials within a trusted session.

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory patch

https://www.ibm.com/support/pages/node/7272628

Scores

CVSS v3 5.4

EPSS 0.0031

EPSS Percentile 22.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (12)

IBM/Cognos Analytics 11.2.0

IBM/Cognos Analytics 12.0

IBM/Cognos Analytics 12.1.0

IBM/Cognos Transformer 11.2.4

IBM/Cognos Transformer 12.0

IBM/Cognos Transformer 12.1.0

ibm/cognos_analytics 11.2.4 (12 CPE variants)

ibm/cognos_analytics 12.0.4 interim_fix_1 (3 CPE variants)

ibm/cognos_analytics 11.2.0 - 11.2.4

ibm/cognos_transformer 11.2.4

... and 2 more

Published May 27, 2026

Tracked Since May 27, 2026