{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1243", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2026-01-20T18:45:11.903Z", "datePublished": "2026-04-02T00:14:31.101Z", "dateUpdated": "2026-04-02T13:49:12.514Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-04-02T00:14:31.101Z"}, "title": "IBM Content Navigator is affected by , a Cross-Site Scripting (XSS) vulnerability", "affected": [{"vendor": "IBM", "product": "Content Navigator", "versions": [{"status": "affected", "version": "3.0.15", "lessThanOrEqual": "1.11.0", "versionType": "semver"}, {"status": "affected", "version": "3.1.0"}, {"status": "affected", "version": "3.2.0"}], "cpes": ["cpe:2.3:a:ibm:content_navigator:3.0.15:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:content_navigator:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:content_navigator:3.2.0:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "IBM Content Navigator 3.0.15, 3.1.0, and 3.2.0 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM Content Navigator 3.0.15, 3.1.0, and 3.2.0 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.</p>"}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7268006", "tags": ["vendor-advisory", "patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}}], "solutions": [{"lang": "en", "value": "Affected VersionsFixes3.0.15ICN 3.0.15 IF0093.1.0ICN 3.1.0 IF008 LA23.2.0ICN 3.2.0 IF004", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<table><tbody><tr><td>Affected Versions</td><td>Fixes</td></tr><tr><td>3.0.15</td><td>ICN 3.0.15 IF009</td></tr><tr><td>3.1.0</td><td>ICN 3.1.0 IF008 LA2</td></tr><tr><td>3.2.0</td><td>ICN 3.2.0 IF004</td></tr></tbody></table>"}]}], "x_generator": {"engine": "ibm-cvegen"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T13:49:08.537768Z", "id": "CVE-2026-1243", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:49:12.514Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1243", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T13:49:08.537768Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:49:03.681Z"}}], "cna": {"title": "IBM Content Navigator is affected by , a Cross-Site Scripting (XSS) vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:ibm:content_navigator:3.0.15:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:content_navigator:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:content_navigator:3.2.0:*:*:*:*:*:*:*"], "vendor": "IBM", "product": "Content Navigator", "versions": [{"status": "affected", "version": "3.0.15", "versionType": "semver", "lessThanOrEqual": "1.11.0"}, {"status": "affected", "version": "3.1.0"}, {"status": "affected", "version": "3.2.0"}]}], "solutions": [{"lang": "en", "value": "Affected VersionsFixes3.0.15ICN 3.0.15 IF0093.1.0ICN 3.1.0 IF008 LA23.2.0ICN 3.2.0 IF004", "supportingMedia": [{"type": "text/html", "value": "<table><tbody><tr><td>Affected Versions</td><td>Fixes</td></tr><tr><td>3.0.15</td><td>ICN 3.0.15 IF009</td></tr><tr><td>3.1.0</td><td>ICN 3.1.0 IF008 LA2</td></tr><tr><td>3.2.0</td><td>ICN 3.2.0 IF004</td></tr></tbody></table>", "base64": false}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7268006", "tags": ["vendor-advisory", "patch"]}], "x_generator": {"engine": "ibm-cvegen"}, "descriptions": [{"lang": "en", "value": "IBM Content Navigator 3.0.15, 3.1.0, and 3.2.0 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.", "supportingMedia": [{"type": "text/html", "value": "<p>IBM Content Navigator 3.0.15, 3.1.0, and 3.2.0 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.</p>", "base64": false}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-04-02T00:14:31.101Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1243", "state": "PUBLISHED", "dateUpdated": "2026-04-02T13:49:12.514Z", "dateReserved": "2026-01-20T18:45:11.903Z", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "datePublished": "2026-04-02T00:14:31.101Z", "assignerShortName": "ibm"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Content Navigator 3.0.15, 3.1.0, and 3.2.0 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."}], "id": "CVE-2026-1243", "lastModified": "2026-04-03T16:10:52.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "psirt@us.ibm.com", "type": "Secondary"}]}, "published": "2026-04-02T01:16:01.317", "references": [{"source": "psirt@us.ibm.com", "url": "https://www.ibm.com/support/pages/node/7268006"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.15,1.11.0]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.1.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.2.0"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "content_navigator", "vendor": "ibm"}], "analysis": {"en": {"generated_at": "2026-04-02T05:06:29.558550+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch by upgrading to IBM Content Navigator 3.0.15 IF0093.1.0, 3.1.0 IF008, or 3.2.0 IF004"], "summary": {"action": "Patch", "impact": "Credential disclosure via XSS"}, "threat_synthesis": {"affected_systems": "The affected product is IBM Content Navigator, specifically versions 3.0.15, 3.1.0, and 3.2.0, which are the releases mentioned by the CNA.", "description_and_impact": "IBM Content Navigator versions 3.0.15, 3.1.0, and 3.2.0 contain a cross\u2011site scripting flaw that allows an authenticated user to inject arbitrary JavaScript into the web interface. This injection can alter page functionality and, as noted in the description, may lead to the disclosure of credentials within a trusted session.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 5.4, indicating moderate severity. Exploitation requires valid credentials to the application and therefore is not publicly exploitable from the internet. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog. Nonetheless, an attacker with user access could potentially capture session credentials, underscoring the need for remediation."}}}}, "created": "2026-04-02T07:46:51.389565+00:00", "title": "Cross\u2011Site Scripting Vulnerability in IBM Content Navigator", "updated": "2026-04-02T20:15:50.165244+00:00", "vendors": ["ibm", "ibm$PRODUCT$content_navigator"], "weaknesses": ["CWE-79", "CWE-200"]}