88 matches found

IBM Security Bulletins · added 2026/05/13 11:07 p.m. · 6 views

Security Bulletin: IBM i is Affected By A Cross-Site Scripting Vulnerability in Navigator for i [CVE-2026-0540]

Summary: Navigator for IBM i uses the Monaco editor to edit config files. The Monaco editor uses DOMPurify to sanitize the HyperText Markup Language (HTML) in the editor. DOMPurify is vulnerable to improper neutralization of input by using rawtext elements missing from the SAFE_FOR_XML regex...

CVSS 6.1 · AI score 5.8 · EPSS 0.00014
Exploits: 0 · Affected Software: 5
IBM Security Bulletins · added 2026/02/20 4:54 p.m. · 13 views

Security Bulletin: IBM Db2 Mirror for i is vulnerable to cross-site scripting and cross-site request forgery due to Angular [CVE-2025-66412, CVE-2026-22610, CVE-2025-66035]

Summary: The IBM Db2 Mirror for i GUI uses the Angular web framework. The version of Angular used by IBM Db2 Mirror for i is vulnerable to cross-site scripting and cross-site request forgery as described in the vulnerability details section. IBM has addressed the vulnerabilities for IBM Db2 Mirror...

CVSS 8.5 · AI score 5.2 · EPSS 0.00189
Exploits: 2 · Affected Software: 2
IBM Security Bulletins · added 2026/02/20 4:42 p.m. · 9 views

Security Bulletin: IBM i is affected by Cross-Site Request Forgery and Cross-Site Scripting in Digital Certificate Manager and Navigator for i [CVE-2025-66035, CVE-2025-66412, CVE-2026-22610]

Summary: IBM i Digital Certificate Manager (DCM) and Navigator for i are vulnerable to Cross-Site Request Forgery (XSRF) token leakage via protocol-relative URLs in Angular HTTP clients (CVE-2025-66035) and Cross-Site Scripting (XSS) via the compiler's internal security schema being incomplete...

CVSS 8.5 · AI score 5.3 · EPSS 0.00189
Exploits: 2 · Affected Software: 5
IBM Security Bulletins · added 2025/12/18 10:22 p.m. · 3 views

Security Bulletin: IBM i is affected by a cross-site scripting vulnerability in Navigator for i [CVE-2024-47875]

Summary: Navigator for IBM i is vulnerable to cross-site scripting when using the browser editor (CVE-2024-47875) as described in the vulnerability details section. Vulnerability Details: CVEID: CVE-2024-47875. DESCRIPTION: DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, Math...

CVSS 10 · AI score 7.6 · EPSS 0.00699
Exploits: 2 · Affected Software: 5
EUVD · added 2025/10/07 12:30 a.m. · 1 view

EUVD-2019-14143

Malware in sbrugna...

CVSS 6.7 · AI score 6.5 · EPSS 0.0004
Exploits: 0 · References: 3
EUVD · added 2025/10/03 8:07 p.m. · 1 view

EUVD-2022-46830

Malicious code in bioql PyPI...

CVSS 4.3 · AI score 5.1 · EPSS 0.00096
Exploits: 0 · References: 2
EUVD · added 2025/10/03 8:07 p.m. · 2 views

EUVD-2024-45780

Malicious code in bioql PyPI...

CVSS 4.3 · AI score 5.6 · EPSS 0.00958
Exploits: 2 · References: 1
CVE · added 2025/08/08 2:25 p.m. · 16 views

CVE-2025-36119

The CVE-2025-36119 issue affects IBM i 7.3–7.6 (DCM for i) and is caused by a web session hijacking vulnerability that lets an authenticated user without admin privileges perform actions as an administrator. IBM has published remediation via PTFs, with fixes included in IBM i Release 7.3–7.6 unde...

CVSS 8.8 · AI score 6.2 · EPSS 0.00077
Exploits: 0 · References: 1 · Affected Software: 1
OSV · added 2025/07/23 3:15 p.m. · 1 view

CVE-2025-36117

IBM Db2 Mirror for i 7.4, 7.5, and 7.6 does not disallow the session id after use which could allow an authenticated user to impersonate another user on the system...

CVSS 6.3 · AI score 5.8 · EPSS 0.00148
Exploits: 0 · References: 1
IBM Security Bulletins · added 2025/06/03 3:10 p.m. · 5 views

Security Bulletin: IBM Rational Developer for i is affected by an unspecified Java runtime encryption vulnerability (CVE-2025-21587).

Summary: IBM Rational Developer for i is affected by an unspecified Java runtime encryption vulnerability. IBM Rational Developer for i has addressed the vulnerability with a fix as described in the remediation/fixes section. Vulnerability Details: CVEID: CVE-2025-21587. DESCRIPTION: An unspecified...

CVSS 7.4 · AI score 7.1 · EPSS 0.00167
Exploits: 0 · Affected Software: 1
RedhatCVE · added 2025/05/23 9:13 a.m. · 1 view

CVE-2024-31870

IBM Db2 for i 7.2, 7.3, 7.4, and 7.5 supplies a user-defined table function that is vulnerable to user enumeration by a local authenticated attacker without authority to the related USRPRF objects. This can be used by a malicious actor to gather information about users that can be targeted in...

CVSS 3.3 · AI score 6 · EPSS 0.00058
Exploits: 0 · References: 1
RedhatCVE · added 2025/05/23 6:34 a.m. · 8 views

CVE-2024-51464

IBM i 7.3, 7.4, and 7.5 is vulnerable to bypassing Navigator for i interface restrictions. By sending a specially crafted request, an authenticated attacker could exploit this vulnerability to remotely perform operations that the user is not allowed to perform when using Navigator for i...

CVSS 4.3 · AI score 6.4 · EPSS 0.00958
Exploits: 2 · References: 1
RedhatCVE · added 2025/05/23 12:58 a.m. · 4 views

CVE-2022-43860

IBM Navigator for i 7.3, 7.4, and 7.5 could allow an authenticated user to obtain sensitive information they are authorized to but not while using this interface. By performing an SQL injection an attacker could see user profile attributes through this interface. IBM X-Force ID: 239305...

CVSS 4.3 · AI score 6.8 · EPSS 0.00096
Exploits: 0 · References: 1
RedhatCVE · added 2025/05/23 12:57 a.m. · 4 views

CVE-2022-43859

IBM Navigator for i 7.3, 7.4, and 7.5 could allow an authenticated user to obtain sensitive information for an object they are authorized to but not while using this interface. By performing a UNION based SQL injection an attacker could see file permissions through this interface. IBM X-Force ID:...

CVSS 6.3 · AI score 6.7 · EPSS 0.00083
Exploits: 0 · References: 1
RedhatCVE · added 2025/05/23 12:57 a.m. · 6 views

CVE-2022-43857

IBM Navigator for i 7.3, 7.4, and 7.5 could allow an authenticated user to access IBM Navigator for i log files they are authorized to but not while using this interface. The remote authenticated user can bypass the interface checks and download log files by modifying the servlet filter. IBM X-Force I...

CVSS 4.3 · AI score 6.3 · EPSS 0.00309
Exploits: 0 · References: 1
OSV · added 2025/04/18 3:15 p.m. · 0 views

CVE-2025-2950

IBM i 7.3, 7.4, 7.5, and 7.5 is vulnerable to a host header injection attack caused by improper neutralization of HTTP header content by IBM Navigator for i. An authenticated user can manipulate the host header in HTTP requests to change domain/IP address which may lead to unexpected behavior...

CVSS 5.4 · AI score 5.8
Exploits: 0 · References: 1
CVE · added 2025/04/18 2:50 p.m. · 47 views

CVE-2025-2950

IBM i (versions 7.3, 7.4, 7.5, and 7.6) is affected by a host header injection vulnerability due to improper neutralization of HTTP header content in IBM Navigator for i. An authenticated user can manipulate the host header in HTTP requests to alter the domain/IP, potentially causing unexpected b...

CVSS 5.4 · AI score 5.5 · EPSS 0.0011
Exploits: 0 · References: 1 · Affected Software: 1
Positive Technologies · added 2025/04/18 12:00 a.m. · 2 views

PT-2025-17301 · IBM · IBM i +1

Name of the Vulnerable Software and Affected Versions: IBM i versions 7.3 through 7.5. Description: The issue is caused by improper neutralization of HTTP header content by IBM Navigator for i, allowing an authenticated user to manipulate the host header in HTTP requests. This can lead to changing...

CVSS 5.5 · AI score 6 · EPSS 0.0011
Exploits: 0 · References: 5
IBM Security Bulletins · added 2025/01/28 10:08 p.m. · 21 views

Security Bulletin: Multiple vulnerabilities in IBM Rational Developer for i (CVE-2024-47554, CVE-2024-45801)

Summary: IBM Rational Developer for i contains Code Coverage functionality that is affected by the following two issues. CVE-2024-47554 is a denial of service attack in the Code Coverage PDF Exporter function. CVE-2024-45801 is a remote execution attack in the Code Coverage Reports function. This...

CVSS 7.3 · AI score 8.1 · EPSS 0.00131
Exploits: 0 · Affected Software: 1
IBM Security Bulletins · added 2025/01/28 9:51 p.m. · 11 views

Security Bulletin: IBM Rational Developer for i is vulnerable to a buffer overflow attack (CVE-2024-47072)

Summary: IBM Rational Developer for i contains functionality that is affected by the following issue. CVE-2024-47072 is a denial of service attack in the Debugger XML profile serialization function. This bulletin identifies the steps to take to address this vulnerability as described in the...

CVSS 7.5 · AI score 7.4 · EPSS 0.00261
Exploits: 0 · Affected Software: 1