CVE-2026-5935: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in IBM Total Storage Service Console (TSSC) / TS4500 IMC
CVE-2026-5935 is a high-severity vulnerability in IBM Total Storage Service Console (TSSC) / TS4500 IMC versions 9. 2. 0 through 9. 6. It allows an unauthenticated attacker to execute arbitrary OS commands with normal user privileges due to improper validation of user-supplied input. The vulnerability is classified as CWE-78, OS Command Injection. No official patch or remediation guidance is currently available, and no known exploits are reported in the wild.
AI Analysis
Technical Summary
IBM Total Storage Service Console (TSSC) / TS4500 IMC versions 9.2.0 to 9.6 contain an OS command injection vulnerability (CWE-78) identified as CVE-2026-5935. This flaw arises from improper neutralization of special elements in user input, enabling unauthenticated users to execute arbitrary commands on the underlying system with normal user privileges. The CVSS 3.1 base score is 7.3, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and impacts on confidentiality, integrity, and availability. No patch or official remediation level has been published by IBM as of the current data.
Potential Impact
An unauthenticated attacker can exploit this vulnerability to execute arbitrary OS commands with normal user privileges on affected IBM TSSC / TS4500 IMC systems. This can lead to partial compromise of system confidentiality, integrity, and availability. However, the attacker does not gain elevated privileges beyond normal user level. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the IBM vendor advisory for current remediation guidance. Until an official fix is released, restrict network access to the affected service and monitor for suspicious activity. Do not assume the vulnerability is mitigated without vendor confirmation.
CVE-2026-5935: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in IBM Total Storage Service Console (TSSC) / TS4500 IMC
Description
CVE-2026-5935 is a high-severity vulnerability in IBM Total Storage Service Console (TSSC) / TS4500 IMC versions 9. 2. 0 through 9. 6. It allows an unauthenticated attacker to execute arbitrary OS commands with normal user privileges due to improper validation of user-supplied input. The vulnerability is classified as CWE-78, OS Command Injection. No official patch or remediation guidance is currently available, and no known exploits are reported in the wild.
CVSS v3.1
Score 7.3high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
IBM Total Storage Service Console (TSSC) / TS4500 IMC versions 9.2.0 to 9.6 contain an OS command injection vulnerability (CWE-78) identified as CVE-2026-5935. This flaw arises from improper neutralization of special elements in user input, enabling unauthenticated users to execute arbitrary commands on the underlying system with normal user privileges. The CVSS 3.1 base score is 7.3, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and impacts on confidentiality, integrity, and availability. No patch or official remediation level has been published by IBM as of the current data.
Potential Impact
An unauthenticated attacker can exploit this vulnerability to execute arbitrary OS commands with normal user privileges on affected IBM TSSC / TS4500 IMC systems. This can lead to partial compromise of system confidentiality, integrity, and availability. However, the attacker does not gain elevated privileges beyond normal user level. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the IBM vendor advisory for current remediation guidance. Until an official fix is released, restrict network access to the affected service and monitor for suspicious activity. Do not assume the vulnerability is mitigated without vendor confirmation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- ibm
- Date Reserved
- 2026-04-09T00:42:21.168Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e95f0987115cfb681418a5
Added to database: 4/22/2026, 11:51:37 PM
Last enriched: 4/30/2026, 8:14:24 AM
Last updated: 6/7/2026, 6:52:46 AM
Views: 73
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.