Critical CVEs (3 of 3) — July 07, 2026

edm swamp blues, blues rock american primitivism · 5:14

Listen on 93

Lyrics

[Verse 1]
July seventh, twenty-twenty-six, patch your stacks today
IBM WebSphere Liberty's got two wounds that won't go away
CVE-2026-11546, score of seven point one
Server-side request forgery when adminCenter's run
A feature called adminCenter, version one point zero switched on
And the server starts fetching whatever the attacker throws upon

[Chorus]
SSRF in Liberty, the server becomes a spy
Forging outbound requests to destinations you didn't authorize
WebSphere walking into traps laid by a crafty hand
Seventeen-oh-oh-oh-three through twenty-six — go patch while you still can

[Verse 2]
Same product, different feature, CVE-2026-11714
CVSS eight point five — that one stings a little more
apiDiscovery enabled, version one point zero, and suddenly
An attacker puppets your server, sends it wherever they please
Liberty fetching internal targets, bouncing past your firewall gate
The discovery feature turned a helpful tool into bait

[Chorus]
SSRF in Liberty, the server becomes a spy
Forging outbound requests to destinations you didn't authorize
WebSphere walking into traps laid by a crafty hand
Seventeen-oh-oh-oh-three through twenty-six — go patch while you still can

[Bridge]
Now IBM Business Automation Manager's got a different kind of sting
CVE-2026-13449, XML external entity thing
Score seven point six, versions nine-oh-oh through nine-four-two
You feed it crafted XML and it reads files it never should construe
Remote attackers whispering entity references in the data stream
The parser follows every pointer like it's chasing someone else's dream

[Verse 3]
Last one on the list and it deserves a spotlight all its own
CVE-2026-13772, WebSphere Extreme Scale alone
Score seven point five, the Object Query Language takes the blame
The engine calls Class dot forName on an attacker-supplied class name
Constructs whatever object they demand with zero allow-list check
Eight-six-one-oh through eight-six-one-six — your query engine is a wreck

[Chorus]
SSRF in Liberty, the server becomes a spy
Forging outbound requests to destinations you didn't authorize
WebSphere walking into traps laid by a crafty hand
Seventeen-oh-oh-oh-three through twenty-six — go patch while you still can

[Verse 4]
Think about the intern who enabled every feature flag
Turned on adminCenter, apiDiscovery — let the server drag
Across the internal network, touching endpoints never meant to share
Metadata services, config stores, credentials hanging bare
One crafted HTTP request is all the attacker needs to send
Enable only what you use — that lesson never ends

[Chorus]
SSRF in Liberty, the server becomes a spy
Forging outbound requests to destinations you didn't authorize
WebSphere walking into traps laid by a crafty hand
Seventeen-oh-oh-oh-three through twenty-six — go patch while you still can

← Critical CVEs (2 of 3) — July 07, 2026 | IT Security News — July 07, 2026 →