CVE-2025-36126
EUVD-2025-20993026.05.2026, 17:16
IBM Cognos Analytics 11.2.0, 12.0, and 12.1.0 and IBM Cognos Transformer 12.0, 11.2.4, and 12.1.0 is vulnerable to stored cross-site scripting (XSS) in Cognos Adminstration. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| ibm | cognos_analytics | 12.1.0 ≤ 𝑥 < 12.1.2 |
| ibm | cognos_analytics | 11.2 |
| ibm | cognos_analytics | 11.2.0 |
| ibm | cognos_analytics | 11.2.1 |
| ibm | cognos_analytics | 11.2.2 |
| ibm | cognos_analytics | 11.2.3 |
| ibm | cognos_analytics | 11.2.4 |
| ibm | cognos_analytics | 11.2.4:fixpack1 |
| ibm | cognos_analytics | 11.2.4:fixpack2 |
| ibm | cognos_analytics | 11.2.4:fixpack3 |
| ibm | cognos_analytics | 11.2.4:fixpack4 |
| ibm | cognos_analytics | 11.2.4:fixpack5 |
| ibm | cognos_analytics | 11.2.4:fixpack6 |
| ibm | cognos_analytics | 11.2.4:interim_fix_1 |
| ibm | cognos_analytics | 11.2.4:interim_fix_2 |
| ibm | cognos_analytics | 11.2.4:interim_fix_3 |
| ibm | cognos_analytics | 11.2.4:interim_fix_4 |
| ibm | cognos_analytics | 11.2.4:interim_fix_5 |
| ibm | cognos_analytics | 12.0.0 |
| ibm | cognos_analytics | 12.0.1 |
| ibm | cognos_analytics | 12.0.2 |
| ibm | cognos_analytics | 12.0.3 |
| ibm | cognos_analytics | 12.0.3:interim_fix_1 |
| ibm | cognos_analytics | 12.0.3:interim_fix_2 |
| ibm | cognos_analytics | 12.0.4 |
| ibm | cognos_analytics | 12.0.4:fixpack1 |
| ibm | cognos_analytics | 12.0.4:interim_fix_1 |
| ibm | cognos_analytics | 12.0.4:interim_fix_2 |
| ibm | cognos_analytics | 12.0.4:interim_fix_3 |
| ibm | cognos_transformer | 11.2.4 |
| ibm | cognos_transformer | 12.0 |
| ibm | cognos_transformer | 12.1.0 |
𝑥
= Vulnerable software versions