Vulnerability Details CVE-2026-13759
IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 ships three ObjectInputStream subclasses (WsObjectInputStream, ObjectStreamPool$ReusableInputStream, ObjectInputStreamResolver) that install no JEP-290 class filter. When Coherence is on the classpath, multiple RCE gadget chains, including RemoteConstructor.readResolve and PriorityQueue/ExtractorComparator, are confirmed working. This allows a post-login attacker who can write a session attribute, or a LAN-adjacent attacker on the grid replication wire, to execute arbitrary code on peer WAS JVMs.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 22.1%
CVSS Severity
CVSS v3 Score 7.5
Products affected by CVE-2026-13759
- cpe:2.3:a:ibm:websphere_extreme_scale:8.6.1.0
- cpe:2.3:a:ibm:websphere_extreme_scale:8.6.1.1
- cpe:2.3:a:ibm:websphere_extreme_scale:8.6.1.2
- cpe:2.3:a:ibm:websphere_extreme_scale:8.6.1.3
- cpe:2.3:a:ibm:websphere_extreme_scale:8.6.1.4