CVE-2026-9035 Multiple vulnerabilities in Aspera applications.

🗓️ 27 May 2026 13:21:43Reported by ibmType

Authenticated users can read arbitrary files via asperahttpd in IBM Aspera transfers.

Reporter	Title	Published	Views	Family All 11
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in Aspera applications.	22 May 202619:21	–	ibm
ATTACKERKB	CVE-2026-9035	27 May 202613:21	–	attackerkb
Circl	CVE-2026-9035	27 May 202616:33	–	circl
CNNVD	IBM Aspera High-Speed Transfer Endpoint和IBM Aspera High-Speed Transfer Server 路径遍历漏洞	27 May 202600:00	–	cnnvd
CVE	CVE-2026-9035	27 May 202613:21	–	cve
EUVD	EUVD-2026-32503	27 May 202613:21	–	euvd
NCSC	Vulnerabilities present in IBM Aspera High-Speed Transfer Endpoint and Server	8 Jun 202608:31	–	ncsc
NVD	CVE-2026-9035	27 May 202614:17	–	nvd
Positive Technologies	PT-2026-43991	27 May 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-9035	5 Jun 202619:34	–	redhatcve

[
  {
    "vendor": "IBM",
    "product": "Aspera High-Speed Transfer Endpoint",
    "versions": [
      {
        "status": "affected",
        "version": "3.7.4",
        "lessThanOrEqual": "4.4.7 Fix Pack 1",
        "versionType": "semver"
      }
    ],
    "cpes": [
      "cpe:2.3:a:ibm:aspera_high_speed_transfer_endpoint:3.7.4:*:*:*:*:*:*:*",
      "cpe:2.3:a:ibm:aspera_high_speed_transfer_endpoint:4.4.7:*:*:*:*:*:*:*"
    ]
  },
  {
    "vendor": "IBM",
    "product": "Aspera High-Speed Transfer Server",
    "versions": [
      {
        "status": "affected",
        "version": "3.7.4",
        "lessThanOrEqual": "4.4.7 Fix Pack 1",
        "versionType": "semver"
      }
    ],
    "cpes": [
      "cpe:2.3:a:ibm:aspera_high_speed_transfer_server:3.7.4:*:*:*:*:*:*:*",
      "cpe:2.3:a:ibm:aspera_high_speed_transfer_server:4.4.7:*:*:*:*:*:*:*"
    ]
  }
]

Source	Link
ibm	www.ibm.com/support/pages/node/7273615

27 May 2026 13:21Current

CVSS 3.16.5

EPSS0.00048

CWE-22