CVE-2025-14289 - Vulnerability Details - OpenCVE

IBM webMethods Integration Server 12.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Ibm	Webmethods Integration Server

No data.

No data.

No data.

References

Link	Providers
https://www.ibm.com/support/pages/node/7260932

History

Tue, 17 Feb 2026 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 17 Feb 2026 20:45:00 +0000

Type	Values Removed	Values Added
Description		IBM webMethods Integration Server 12.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.
Title		IBM webMethods Integration Server is vulnerable to HTML injection
First Time appeared		Ibm Ibm webmethods Integration Server
Weaknesses		CWE-80
CPEs		cpe:2.3:a:ibm:webmethods_integration_server:12.0:::::::*
Vendors & Products		Ibm Ibm webmethods Integration Server
References		https://www.ibm.com/support/pages/node/7260932
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2026-02-17T20:13:22.523Z

Updated: 2026-02-17T21:08:20.351Z

Reserved: 2025-12-08T19:17:32.509Z

Link: CVE-2025-14289

Vulnrichment

Updated: 2026-02-17T21:08:17.608Z

NVD

Status : Received

Published: 2026-02-17T21:22:14.067

Modified: 2026-02-17T21:22:14.067

Link: CVE-2025-14289

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14289", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2025-12-08T19:17:32.509Z", "datePublished": "2026-02-17T20:13:22.523Z", "dateUpdated": "2026-02-17T21:08:20.351Z"}, "containers": {"cna": {"affected": [{"cpes": ["cpe:2.3:a:ibm:webmethods_integration_server:12.0:*:*:*:*:*:*:*"], "product": "webMethods Integration Server", "vendor": "IBM", "versions": [{"status": "affected", "version": "12.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>IBM webMethods Integration Server 12.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.</p>"}], "value": "IBM webMethods Integration Server 12.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting\u00a0site."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-80", "description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-02-17T20:16:20.700Z"}, "references": [{"tags": ["vendor-advisory", "patch"], "url": "https://www.ibm.com/support/pages/node/7260932"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>IBM strongly recommends addressing the vulnerability now by moving to IBM webMethods Integration Server 12.1 version.</p>"}], "value": "IBM strongly recommends addressing the vulnerability now by moving to IBM webMethods Integration Server 12.1 version."}], "title": "IBM webMethods Integration Server is vulnerable to HTML injection", "x_generator": {"engine": "ibm-cvegen"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T21:08:14.676211Z", "id": "CVE-2025-14289", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T21:08:20.351Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14289", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2025-12-08T19:17:32.509Z", "datePublished": "2026-02-17T20:13:22.523Z", "dateUpdated": "2026-02-17T21:08:20.351Z"}, "containers": {"cna": {"affected": [{"cpes": ["cpe:2.3:a:ibm:webmethods_integration_server:12.0:*:*:*:*:*:*:*"], "product": "webMethods Integration Server", "vendor": "IBM", "versions": [{"status": "affected", "version": "12.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>IBM webMethods Integration Server 12.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.</p>"}], "value": "IBM webMethods Integration Server 12.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting\u00a0site."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-80", "description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-02-17T20:16:20.700Z"}, "references": [{"tags": ["vendor-advisory", "patch"], "url": "https://www.ibm.com/support/pages/node/7260932"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>IBM strongly recommends addressing the vulnerability now by moving to IBM webMethods Integration Server 12.1 version.</p>"}], "value": "IBM strongly recommends addressing the vulnerability now by moving to IBM webMethods Integration Server 12.1 version."}], "title": "IBM webMethods Integration Server is vulnerable to HTML injection", "x_generator": {"engine": "ibm-cvegen"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14289", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-17T21:08:14.676211Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T21:08:17.608Z"}}]}}