CVE-2016-2923: IBM WebSphere Application Server (WAS) 8.5 through 8.5.5.9 Liberty before Liberty Fix Pack 16.0.0.2 does not include the
Summary
IBM WebSphere Application Server (WAS) Liberty, versions 8.5 through 8.5.5.9 before Liberty Fix Pack 16.0.0.2, sets the JAX-RS API cookie without the HttpOnly attribute in its Set-Cookie header. HttpOnly tells the browser not to expose a cookie to client-side script (for example through document.cookie), so a cookie issued without it can be read by any script running on the same origin, such as one injected through a cross-site scripting flaw, and sent to an attacker. The missing flag does not by itself allow script injection; it removes a defence-in-depth control that limits what injected script can steal.
Solution / Mitigation
Update to IBM WebSphere Application Server Liberty Fix Pack 16.0.0.2 or later. After updating, confirm that the Set-Cookie header for the JAX-RS API cookie now carries HttpOnly (and, on HTTPS deployments, Secure), since the attribute is only effective if the browser actually receives it.
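As an added example (not IBM's code and not part of this advisory), the following script audits Set-Cookie headers for the missing HttpOnly attribute, which is how a practitioner would verify the fix after patching. It parses each Set-Cookie value per RFC 6265 (attribute names are case-insensitive) and reports which protective attributes are absent. The cookie names and header values below are constructed sample data standing in for a captured response, not real WAS Liberty output; in practice, feed it the headers of an authenticated response from the JAX-RS endpoint.

```python
from dataclasses import dataclass

# Attributes a session-bearing cookie should carry. HttpOnly is the one
# CVE-2016-2923 is about; Secure and SameSite are reported as well because
# a practitioner checking one usually wants to see all three.
PROTECTIVE = ("httponly", "secure", "samesite")


@dataclass
class CookieAudit:
    name: str
    value: str
    attrs: dict    # lower-cased attribute name -> value (None for flag attributes)
    missing: list  # protective attributes not present on this cookie


def parse_set_cookie(header_value: str):
    """Split one Set-Cookie value into (name, value, attrs).

    Attributes are separated by ';' and their names are case-insensitive
    (RFC 6265 section 5.2), so 'HttpOnly', 'httponly' and 'HTTPONLY' all match.
    """
    parts = [p.strip() for p in header_value.split(";")]
    if not parts or "=" not in parts[0]:
        raise ValueError(f"malformed Set-Cookie value: {header_value!r}")
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value, attrs


def audit_set_cookie(header_value: str) -> CookieAudit:
    """Return the parsed cookie plus the list of protective attributes it lacks."""
    name, value, attrs = parse_set_cookie(header_value)
    missing = [a for a in PROTECTIVE if a not in attrs]
    return CookieAudit(name, value, attrs, missing)


def has_httponly(header_value: str) -> bool:
    return "httponly" not in audit_set_cookie(header_value).missing


def audit_response_headers(headers) -> dict:
    """headers: iterable of (name, value) pairs, e.g. http.client's getheaders().

    Returns {cookie_name: [missing attributes]} for every Set-Cookie header.
    An empty list means the cookie carries HttpOnly, Secure and SameSite.
    """
    report = {}
    for hname, hval in headers:
        if hname.lower() != "set-cookie":
            continue
        audit = audit_set_cookie(hval)
        report[audit.name] = audit.missing
    return report


# Constructed sample headers (hypothetical cookie names, not real WAS output).
VULNERABLE_HEADERS = [
    ("Content-Type", "application/json"),
    ("Set-Cookie", "APISESSION=abc123; Path=/"),                   # no HttpOnly: flagged
    ("Set-Cookie", "SSOSESSION=xyz789; Path=/; Secure; HttpOnly"),  # only SameSite missing
]
FIXED_HEADERS = [
    ("Set-Cookie", "APISESSION=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

if __name__ == "__main__":
    for label, hdrs in (("before fix", VULNERABLE_HEADERS), ("after fix", FIXED_HEADERS)):
        for cookie, missing in audit_response_headers(hdrs).items():
            status = "OK" if not missing else "MISSING " + ", ".join(missing)
            print(f"{label}: {cookie}: {status}")
```

To run it against a live server, pass the header list from `http.client.HTTPResponse.getheaders()`, which preserves each Set-Cookie header separately. If you use the `requests` library instead, take the values from `response.raw.headers.getlist("Set-Cookie")`, because `response.headers` folds multiple Set-Cookie headers into one comma-joined string and the folded form would be misparsed.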
Vulnerability Details
CVSS Score
5
EPSS (30-day exploit probability)
EPSS: 0.3%
Classification
Attack Sophistication: Trivial
Original source: https://nvd.nist.gov/vuln/detail/CVE-2016-2923
First tracked: February 15, 2026 at 08:43 PM
Classified by LLM (prompt v3) · confidence: 95%