CVE-2025-36126 Overview
CVE-2025-36126 is a stored cross-site scripting (XSS) vulnerability affecting IBM Cognos Analytics and IBM Cognos Transformer. The flaw resides in the Cognos Administration Web UI and allows a privileged user to embed arbitrary JavaScript that executes within other users' trusted sessions. Affected versions include IBM Cognos Analytics 11.2.0, 12.0, and 12.1.0, as well as IBM Cognos Transformer 11.2.4, 12.0, and 12.1.0. Successful exploitation can alter intended application functionality and lead to credential disclosure. The issue is tracked under CWE-79, Improper Neutralization of Input During Web Page Generation.
Critical Impact
A privileged attacker can inject persistent JavaScript into the Cognos Administration interface, enabling theft of session credentials and manipulation of administrative workflows for any user who views the affected page.
Affected Products
- IBM Cognos Analytics 11.2.0, 12.0, and 12.1.0
- IBM Cognos Transformer 11.2.4, 12.0, and 12.1.0
- Cognos Administration Web UI component
Discovery Timeline
- 2026-05-26 - CVE-2025-36126 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2025-36126
Vulnerability Analysis
The vulnerability is a stored XSS flaw in the Cognos Administration component of IBM Cognos Analytics and IBM Cognos Transformer. The application accepts input from privileged users and persists that input without sufficient output encoding or sanitization. When other users load the affected administrative pages, the stored payload executes as JavaScript in the browser context of the Cognos Web UI.
Because the script executes inside an authenticated, trusted session, it inherits the privileges of the viewing user. An attacker can use this to read DOM contents, exfiltrate session tokens, capture credentials entered into the interface, or invoke administrative actions on behalf of the victim. The scope change reflected in the CVSS vector indicates the injected content can affect resources beyond the originally vulnerable component.
Root Cause
The root cause is improper neutralization of user-supplied input during web page generation [CWE-79]. Input submitted through the Cognos Administration interface is stored server-side and later rendered into HTML responses without context-appropriate encoding. JavaScript inserted into affected fields therefore executes when the page is rendered to other users.
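The missing step that CWE-79 names is context-appropriate output encoding at render time. The following added example (not IBM code; the field name, the tiny template and the stored sample value are constructed) contrasts a "before" that concatenates a stored description straight into HTML with an "after" that encodes the same value once for each context it lands in: element body, attribute value and JavaScript string literal.

```python
"""Context-aware output encoding for free-form text stored from an admin UI.

Added example, not IBM code. The field, the template and the sample value are
constructed to illustrate CWE-79; nothing here is taken from Cognos.
"""
import html
import json

# Constructed sample: a stored description field containing an event-handler payload.
STORED_DESCRIPTION = 'Sales cube <img src=x onerror="alert(1)"> Q3'


def render_vulnerable(description: str) -> str:
    """The 'before': the stored text is interpolated into HTML verbatim."""
    return f'<div class="description">{description}</div>'


def encode_for_html_body(value: str) -> str:
    """Entity-encode for an HTML element body (&, <, >, ", ')."""
    return html.escape(value, quote=True)


def encode_for_html_attribute(value: str) -> str:
    """Encode for a double-quoted attribute value. Same characters as the body
    context, but the caller must wrap the result in double quotes."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Encode for a JavaScript string literal inside a <script> block: JSON-encode,
    then escape '<' so a '</script>' in the data cannot end the block early."""
    return json.dumps(value).replace("<", "\\u003c")


def render_hardened(description: str) -> str:
    """The 'after': every interpolation is encoded for its own context."""
    return (
        '<div class="description" '
        f'title="{encode_for_html_attribute(description)}">'
        f'{encode_for_html_body(description)}</div>\n'
        '<script>\n'
        f'  var description = {encode_for_js_string(description)};\n'
        '</script>'
    )


def contains_active_markup(rendered_html: str) -> bool:
    """Crude check: does a raw <img ... onerror= tag survive into the output?"""
    return "<img" in rendered_html and "onerror=" in rendered_html


if __name__ == "__main__":
    print(render_vulnerable(STORED_DESCRIPTION))
    print(render_hardened(STORED_DESCRIPTION))
```

The hardened renderer does not try to strip "bad" characters from the stored value; it keeps the data intact and makes it inert in each output context, which is the fix a framework-level template engine applies automatically when auto-escaping is left on.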
Attack Vector
Exploitation requires an authenticated, privileged Cognos user. The attacker submits a crafted payload through an input field in Cognos Administration that is not properly sanitized. The payload persists in the Cognos configuration data. When an administrator or other user with access to that view loads the page, the browser parses and executes the embedded script under the origin of the Cognos application. No user interaction beyond normal navigation to the affected page is required to trigger execution.
No verified public proof-of-concept is available. Refer to the IBM Support Page for vendor-supplied technical details.
Detection Methods for CVE-2025-36126
Indicators of Compromise
- Unexpected <script> tags, event handlers, or encoded JavaScript stored in Cognos Administration configuration fields, labels, or descriptive text.
- Outbound HTTP requests from administrator browsers to unfamiliar domains immediately after loading Cognos Administration pages.
- Anomalous session token reuse from IP addresses or user agents that differ from the legitimate administrator session.
Detection Strategies
- Review Cognos audit logs for changes to administration objects made by privileged accounts, focusing on fields that accept free-form text.
- Inspect HTTP responses served by Cognos Administration endpoints for unexpected script content using a proxy or web application firewall in monitoring mode.
- Correlate administrative configuration changes with subsequent browser-originated requests to external hosts to identify possible data exfiltration.
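A practical way to act on the first indicator above and on the audit-log review strategy is to scan an export of administration objects for script-like content and group hits by the account that last modified them. The script below is an added example, not IBM tooling: the export shape (object path, field, value, last modifier) and the three sample records are constructed; an operator would populate it from whatever object export their Cognos environment provides. It decodes percent-encoding and HTML entities before matching so that encoded payloads, which the indicators list calls out, do not slip past a plain substring search.

```python
"""Scan exported Cognos Administration text fields for stored-script indicators.

Added example, not IBM tooling. The record shape and SAMPLE_EXPORT are
constructed; object paths and account names are placeholders.
"""
import html
import re
import urllib.parse
from dataclasses import dataclass

# Patterns that have no business in free-form labels or descriptions.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "embedded_frame_or_object": re.compile(r"<\s*(iframe|object|embed)\b", re.I),
}


@dataclass
class Finding:
    path: str
    field: str
    indicator: str
    modified_by: str


def normalize(value: str) -> str:
    """Undo percent-encoding and HTML entities (two rounds, to catch double
    encoding) so the patterns see the text a browser would eventually parse."""
    out = value
    for _ in range(2):
        out = html.unescape(urllib.parse.unquote(out))
    return out


def scan_field(path: str, field: str, value: str, modified_by: str) -> list:
    decoded = normalize(value)
    return [Finding(path, field, name, modified_by)
            for name, pattern in INDICATORS.items() if pattern.search(decoded)]


def scan_export(records: list) -> list:
    """Return one Finding per (record, indicator) match across the export."""
    findings = []
    for rec in records:
        findings.extend(scan_field(rec["path"], rec["field"], rec["value"], rec["modifiedBy"]))
    return findings


def suspicious_accounts(findings: list) -> set:
    """Accounts to compare against the list of people expected to edit configuration."""
    return {f.modified_by for f in findings}


# Constructed sample export: one clean record, one entity-encoded script tag,
# one percent-encoded event handler.
SAMPLE_EXPORT = [
    {"path": "/content/folder[@name='Finance']", "field": "description",
     "value": "Quarterly finance reports", "modifiedBy": "fin_admin"},
    {"path": "/content/folder[@name='Sales']", "field": "description",
     "value": "Sales cube &lt;script src=&quot;//collector.example.invalid/x.js&quot;&gt;&lt;/script&gt;",
     "modifiedBy": "svc_deploy"},
    {"path": "/configuration/dataSource[@name='DW']", "field": "name",
     "value": "DW%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E", "modifiedBy": "svc_deploy"},
]


if __name__ == "__main__":
    for finding in scan_export(SAMPLE_EXPORT):
        print(f"{finding.indicator:24} {finding.path} [{finding.field}] by {finding.modified_by}")
    print("accounts to review:", sorted(suspicious_accounts(scan_export(SAMPLE_EXPORT))))
```

A match after decoding is a review item, not proof that the payload executes as stored: whether an entity-encoded value is ever re-decoded depends on the rendering path. The value of the account grouping is in the second Detection Strategy and the Monitoring Recommendations: a service account that normally deploys reports but suddenly appears as the last modifier of description text is the kind of outlier worth an alert.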
Monitoring Recommendations
- Enable verbose audit logging for the Cognos Administration component and forward logs to a centralized SIEM for retention and analysis.
- Alert on creation or modification of administration objects by accounts that do not typically perform configuration changes.
- Monitor browser security telemetry from administrator workstations for Content Security Policy violations originating from Cognos hostnames.
How to Mitigate CVE-2025-36126
Immediate Actions Required
- Apply the security update referenced in the IBM Support Page for the affected Cognos Analytics and Cognos Transformer versions.
- Audit existing Cognos Administration content for stored script payloads and remove any unauthorized entries before patching is complete.
- Restrict privileged Cognos administration roles to the minimum set of users required for operations.
Patch Information
IBM has published remediation guidance and fixes through the vendor advisory. Consult the IBM Support Page for version-specific patch availability covering Cognos Analytics 11.2.0, 12.0, and 12.1.0, and Cognos Transformer 11.2.4, 12.0, and 12.1.0.
Workarounds
- Limit access to Cognos Administration to a small set of trusted administrators until patches are applied.
- Require administrators to access Cognos Administration only from hardened workstations with up-to-date browsers and script-blocking controls.
- Implement or strengthen a Content Security Policy on the Cognos web tier to reduce the impact of injected inline scripts.
# Configuration example
# Example Content-Security-Policy header to restrict inline scripts on the Cognos web tier
# Apply at the reverse proxy or web server fronting Cognos Analytics (nginx syntax shown;
# "always" makes nginx send the header on error responses as well as 2xx/3xx)
# Caveat: script-src 'self' without 'unsafe-inline' blocks every inline script, including any
# the Cognos UI itself depends on. Roll out first as Content-Security-Policy-Report-Only,
# review the violation reports, and switch to the enforcing header only once the UI is clean.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self'" always;
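Once a policy like the one above is deployed, the CSP violation reports that administrator browsers send back are the telemetry the Monitoring Recommendations refer to. The following added example (not IBM or Cognos code) triages reports in the legacy report-uri JSON shape, a POST body of the form {"csp-report": {...}}, and raises two labels: an inline script blocked on a Cognos page, which is what a stored XSS payload looks like once the policy is enforced, and a script from a foreign host blocked on a Cognos page. The Cognos hostname, the document paths and the four sample reports are constructed.

```python
"""Triage Content-Security-Policy violation reports from administrator browsers.

Added example, not IBM or Cognos code. Parses the legacy report-uri shape
({"csp-report": {...}}) that browsers POST on a policy violation. COGNOS_HOSTS,
the document URLs and SAMPLE_REPORTS are constructed placeholders.
"""
import json
from typing import Optional
from urllib.parse import urlparse

# Hosts that serve the Cognos web tier in this constructed deployment.
COGNOS_HOSTS = {"cognos.example.internal"}


def classify_report(report: dict) -> Optional[str]:
    """Return an alert label for a report worth an analyst's attention, else None.

    inline-script-on-cognos   : an inline script or eval was blocked on a Cognos page
    external-script-on-cognos : a script from a non-Cognos host was blocked on a Cognos page
    Non-script directives and violations on other document hosts are ignored.
    """
    body = report.get("csp-report", {})
    doc_host = urlparse(body.get("document-uri", "")).hostname
    if doc_host not in COGNOS_HOSTS:
        return None
    directive = body.get("effective-directive") or body.get("violated-directive", "")
    if not directive.startswith("script-src"):
        return None
    blocked = body.get("blocked-uri", "")
    if blocked in ("inline", "eval"):
        return "inline-script-on-cognos"
    blocked_host = urlparse(blocked).hostname
    if blocked_host and blocked_host not in COGNOS_HOSTS:
        return "external-script-on-cognos"
    return None


def triage(raw_reports: list) -> dict:
    """Count alert labels over a batch of raw JSON report bodies."""
    counts = {}
    for raw in raw_reports:
        label = classify_report(json.loads(raw))
        if label:
            counts[label] = counts.get(label, 0) + 1
    return counts


def _report(document_uri: str, directive: str, blocked_uri: str) -> str:
    """Serialize a constructed report the way a browser would POST it."""
    return json.dumps({"csp-report": {
        "document-uri": document_uri,
        "violated-directive": f"{directive} 'self'",
        "effective-directive": directive,
        "blocked-uri": blocked_uri,
    }})


# Constructed sample batch: inline script on a Cognos page, external script on a
# Cognos page, a style violation on Cognos (ignored), a script violation elsewhere (ignored).
SAMPLE_REPORTS = [
    _report("https://cognos.example.internal/bi/administration", "script-src", "inline"),
    _report("https://cognos.example.internal/bi/administration", "script-src",
            "https://collector.example.invalid/x.js"),
    _report("https://cognos.example.internal/bi/", "style-src", "inline"),
    _report("https://intranet.example.internal/", "script-src", "inline"),
]


if __name__ == "__main__":
    print(triage(SAMPLE_REPORTS))
```

While the header is still in Report-Only mode, expect a baseline of inline-script reports generated by the application's own pages; suppress those by document path once they are understood, so that a new inline-script report from an administration page stands out rather than drowning in the baseline.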
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.