CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-13772

highCVSS 7.5covered by 1 sourcefirst seen 2026-06-30
IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 's Object Query Language engine resolves attacker-supplied class names via Class.forName() and invokes their constructors with no allow-list at three distinct sinks (SELECT NEW, enum literals, and reflection-based comparators); an authenticated remote attacker who can influence an application-built OQL query string can execute arbitrary constructors on the WAS JVM, and a SELECT DISTINCT variant using planted grid values fires the same gadget post-readObject in a manner that survives JEP-290 serialization filters across grid node boundaries

⚡ Watch CVE-2026-13772

Get an email if CVE-2026-13772 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-13772

CVE.org record

Embed the live status

CVE-2026-13772 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-13772 status](https://www.csirts.com/badge/CVE-2026-13772)](https://www.csirts.com/cve/CVE-2026-13772)