IBM WebSphere Application Server versions 8.5 and 9.0 contain a code injection vulnerability (CWE-94) that allows remote attackers to execute arbitrary code by bypassing security controls. The vulnerability is classified as critical with a CVSS 3.1 score of 9.0, reflecting its potential for complete confidentiality, integrity, and availability compromise. The vulnerability was published on June 1, 2026, but no official remediation level or patch information is currently available from IBM. This vulnerability affects on-premises deployments of WebSphere Application Server and is not related to a cloud service.

Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to execute arbitrary code on affected IBM WebSphere Application Server instances. This can lead to full system compromise, including unauthorized data access, modification, and denial of service. Given the critical CVSS score and the nature of the vulnerability, the impact is severe.

Patch status is not yet confirmed — check the IBM vendor advisory for current remediation guidance. Until an official fix is released, organizations should consider applying temporary mitigations if available, such as restricting network access to the affected servers or employing Web Application Firewalls (WAFs) with rules to detect suspicious code injection attempts. Monitor IBM's security advisories closely for updates.