Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server affect IBM Business Automation Workflow

Summary WebSphere Application Server Traditional is shipped as a component of IBM Business Automation Workflow. WebSphere Application Server Liberty is shipped as part of the optional components Process Federation Server since 8.5.6, and User Management Service since 18.0.0.1 in IBM Business...

Security Bulletin: CockroachDB PostgreSQL for IBM VPC is vulnerable to privilege escalation when using RESTORE SYSTEM USERS functionality (CVE-2026-9839)

Summary CockroachDB PostgreSQL for IBM VPC is vulnerable to privilege escalation when using RESTORE SYSTEM USERS functionality CVE-2026-9839 Vulnerability Details CVEID:CVE-2026-9839 DESCRIPTION: CockroachDB PostgreSQL for IBM VPC is vulnerable to privilege escalation when using RESTORE SYSTEM...

Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to issues in Jetty

Summary There are vulnerabilities in Jetty used by IBM Sterling Connect:Direct for Microsoft Windows. IBM Sterling Connect:Direct for Microsoft Windows has addressed the applicable CVEs CVE-2025-11143, CVE-2026-2332. Vulnerability Details CVEID:CVE-2025-11143 DESCRIPTION: The Jetty URI parser has...

Security Bulletin: IBM Maximo Application Suite uses WebSphere Application Server Liberty which is vulnerable to CVE-2026-3621.

Summary IBM Maximo Application Suite uses WebSphere Application Server Liberty which is vulnerable to CVE-2026-3621. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2026-3621 DESCRIPTION: IBM WebSphere Application Server - Liberty...

Security Bulletin: A vulnerability has been identified in IBM DevOps Plan that allows a Host Header Injection attack due to improper handling of the Host header in HTTP requests. (CVE-2026-4096)

Summary A vulnerability has been identified in IBM DevOps Plan that allows a Host Header Injection attack due to improper handling of the Host header in HTTP requests. Version 3.0.7 addresses the vulnerability. Vulnerability Details CVEID:CVE-2026-4096 DESCRIPTION: IBM DevOps Plan is vulnerable t...

Security Bulletin: IBM Verify Antenna is affected by multiple vulnerabilities (CVE-2026-33815, CVE-2026-33816, CVE-2026-41889)

Summary IBM Verify Antenna has addressed these vulnerabilities in an update. Vulnerability Details CVEID:CVE-2026-41889 DESCRIPTION: pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string...

Security Bulletin: IBM Maximo Application Suite uses once-2.0.0.tgz which is vulnerable to CVE-2026-3449

Summary IBM Maximo Application Suite uses once-2.0.0.tgz which is vulnerable to CVE-2026-3449. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2026-3449 DESCRIPTION: Versions of the package @tootallnate/once before 3.0.1 are vulnerab...

Security Bulletin: IBM Maximo Application Suite uses multiple third party dependencies which is vulnerable to multiple CVEs.

Summary IBM Maximo Application Suite uses pytest-9.0.2-py3-none-any.whl, WebSphere Application Server Liberty, dompurify-3.2.7.tgz, requests-2.32.5-py3-none-any.whl, yaml-1.10.2.tgz, brace-expansion-1.1.12.tgz and dompurify-3.3.2.tgz which are vulnerable to CVE-2025-71176, CVE-2025-14923,...

Security Bulletin: IBM Maximo Application Suite uses multiple third party dependencies which is vulnerable to multiple CVEs.

Summary IBM Maximo Application Suite uses minimatch-3.0.5.tgz, OpenTelemetry Go SDK, jaraco.context, IBM WebSphere Application Server Liberty, picomatch-2.3.1.tgz, path-to-regexp-0.1.12.tgz, lodash-4.17.23.tgz, pillow-12.1.1-cp311-cp311-manylinux227x8664.manylinux228x8664.whl,...

Security Bulletin: IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is affected by a remote code execution vulnerability

Summary IBM WebSphere Application Server shipped with Jazz for Service Management JazzSM is affected by a remote code execution vulnerability CVE-2026-9319 Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Product...

IBM Planning Analytics - Authentication Bypass & Remote Code Execution Version Detection

IBM Planning Analytics versions 2.0.0 through 2.0.8 are vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting. id: CVE-2019-4716 info: name: IBM Planning Analytics - Authentication Bypass & Remote...

IBM BigFix Platform - Information Disclosure

IBM BigFix Platform 9.2 and 9.5 contains an information disclosure vulnerability caused by not enabling authenticated access in relay, letting remote attackers query and gather update and fixlet information, exploit requires no authentication. id: CVE-2019-4061 info: name: IBM BigFix Platform -...

Joomla! Component Love Factory 1.3.4 - Local File Inclusion

A directory traversal vulnerability in the Love Factory comlovefactory component 1.3.4 for Joomla! allows remote attackers to read arbitrary files via a .. dot dot in the controller parameter to index.php. id: CVE-2010-1957 info: name: Joomla! Component Love Factory 1.3.4 - Local File Inclusion...

IBM Operational Decision Manager - JNDI Injection

IBM Operational Decision Manager 8.10.3, 8.10.4, 8.10.5.1, 8.11, 8.11.0.1, and 8.12.0.1 is susceptible to remote code execution attack via JNDI injection when passing an unchecked argument to a certain API. IBM X-Force ID: 279145. id: CVE-2024-22319 info: name: IBM Operational Decision Manager -...

Security Bulletin: Due to use of lodash-es-4.17.21.tgz, IBM Sterling Connect:Direct Web Services is vulnerable to prototype pollution in the _.unset and _.omit functions.

Summary lodash-es-4.17.21.tgz is used by IBM Sterling Connect:Direct Web Services CVE-2025-13465, CVE-2026-2950. Vulnerability Details CVEID:CVE-2025-13465 DESCRIPTION: Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the .unset and .omit functions. An attacker can...

CVE-2026-5516

IBM WebSphere Application Server - Liberty 22.0.0.11 through 26.0.0.5 IBM WebSphere Application Server Liberty could allow a remote attacker to bypass security under limited conditions by exploiting a specific timing window...

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect WebSphere Service Registry and Repository due to April 2026 CPU

Summary There are multiple vulnerabilities in IBM SDK Java Technology Edition, used by WebSphere Service Registry and Repository. These issues were disclosed as part of the IBM Java SDK updates in April 2026. These issues are also addressed by WebSphere Application Server shipped with WebSphere...

Security Bulletin: IBM Transformation Advisor is affected by multiple vulnerabilities found in Node.js

Summary There are multiple vulnerabilities in Node.js used by IBM Transformation Advisor. Vulnerability Details CVEID:CVE-2026-44664 DESCRIPTION: fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment content using...

Security Bulletin: IBM Application Modernization Accelerator is affected by multiple vulnerabilities found in Node.js

Summary There are multiple vulnerabilities in Node.js used by IBM Application Modernization Accelerator. Vulnerability Details CVEID:CVE-2026-44664 DESCRIPTION: fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment...

Security Bulletin: IBM Application Modernization Accelerator is affected by multiple vulnerabilities found in Node.js

Summary There are multiple vulnerabilities in Node.js used by IBM Application Modernization Accelerator. Vulnerability Details CVEID:CVE-2026-41238 DESCRIPTION: DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a...