[Verse 1] July seventh, twenty-twenty-six, patch your stacks today IBM WebSphere Liberty's got two wounds that won't go away CVE-2026-11546, score of seven point one Server-side request forgery when adminCenter's run A feature called adminCenter, version one point zero switched on And the server starts fetching whatever the attacker throws upon [Chorus] SSRF in Liberty, the server becomes a spy Forging outbound requests to destinations you didn't authorize WebSphere walking into traps laid by a crafty hand Seventeen-oh-oh-oh-three through twenty-six — go patch while you still can [Verse 2] Same product, different feature, CVE-2026-11714 CVSS eight point five — that one stings a little more apiDiscovery enabled, version one point zero, and suddenly An attacker puppets your server, sends it wherever they please Liberty fetching internal targets, bouncing past your firewall gate The discovery feature turned a helpful tool into bait [Chorus] SSRF in Liberty, the server becomes a spy Forging outbound requests to destinations you didn't authorize WebSphere walking into traps laid by a crafty hand Seventeen-oh-oh-oh-three through twenty-six — go patch while you still can [Bridge] Now IBM Business Automation Manager's got a different kind of sting CVE-2026-13449, XML external entity thing Score seven point six, versions nine-oh-oh through nine-four-two You feed it crafted XML and it reads files it never should construe Remote attackers whispering entity references in the data stream The parser follows every pointer like it's chasing someone else's dream [Verse 3] Last one on the list and it deserves a spotlight all its own CVE-2026-13772, WebSphere Extreme Scale alone Score seven point five, the Object Query Language takes the blame The engine calls Class dot forName on an attacker-supplied class name Constructs whatever object they demand with zero allow-list check Eight-six-one-oh through eight-six-one-six — your query engine is a wreck [Chorus] SSRF in Liberty, the server becomes a spy Forging outbound requests to destinations you didn't authorize WebSphere walking into traps laid by a crafty hand Seventeen-oh-oh-oh-three through twenty-six — go patch while you still can [Verse 4] Think about the intern who enabled every feature flag Turned on adminCenter, apiDiscovery — let the server drag Across the internal network, touching endpoints never meant to share Metadata services, config stores, credentials hanging bare One crafted HTTP request is all the attacker needs to send Enable only what you use — that lesson never ends [Chorus] SSRF in Liberty, the server becomes a spy Forging outbound requests to destinations you didn't authorize WebSphere walking into traps laid by a crafty hand Seventeen-oh-oh-oh-three through twenty-six — go patch while you still can
← Critical CVEs (2 of 3) — July 07, 2026 | IT Security News — July 07, 2026 →