11 matches found

IBM Security Bulletins
added 2026/01/22 5:7 a.m., 6 views

Security Bulletin: Vulnerabilities in Formidable affects IBM watsonx Orchestrate with watsonx Assistant Cartridge

Summary: Potential vulnerability in Formidable has been identified that affects IBM watsonx Orchestrate with watsonx Assistant Cartridge - UAB Component. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details: CVEID: CVE-2025-46653 DESCRIPTION:...

3.1 CVSS, 6.5 AI score, 0.00052 EPSS
Exploits: 1, Affected Software: 1
IBM Security Bulletins
added 2025/10/29 10:13 a.m., 5 views

Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in formidable

Summary: Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in formidable. Vulnerability Details: CVEID: CVE-2025-46653 DESCRIPTION: Formidable aka node-formidable 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted...

3.1 CVSS, 6.4 AI score, 0.00052 EPSS
Exploits: 1, Affected Software: 1
IBM Security Bulletins
added 2025/10/22 10:59 a.m., 3 views

Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in formidable-2.1.0.tgz

Summary: Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in formidable-2.1.0.tgz. Vulnerability Details: CVEID: CVE-2025-46653 DESCRIPTION: Formidable aka node-formidable 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for...

3.1 CVSS, 6.4 AI score, 0.00052 EPSS
Exploits: 1, Affected Software: 1
IBM Security Bulletins
added 2025/09/26 8:6 a.m., 2 views

Security Bulletin: A vulnerability in Formidable (aka node-formidable) may affect IBM Decision Optimization for IBM Cloud Pak for Data (CVE-2025-46653)

Summary: There is a vulnerability in Formidable aka node-formidable used by IBM Decision Optimization for IBM Cloud Pak for Data. IBM Decision Optimization for IBM Cloud Pak for Data has addressed the applicable CVE. Vulnerability Details: CVEID: CVE-2025-46653 DESCRIPTION: Formidable aka...

3.1 CVSS, 6.6 AI score, 0.00052 EPSS
Exploits: 1, Affected Software: 1
RedhatCVE
added 2025/04/28 12:3 a.m., 5 views

CVE-2025-46653

Formidable aka node-formidable 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." Also, there is a scenario in which only the last two characters of a hexoid string nee...

3.1 CVSS, 7 AI score, 0.00052 EPSS
Exploits: 1, References: 6
vulnersOsv
added 2025/04/26 9:31 p.m., 2 views

@compas/server (>=0.0.219 <=0.17.0), @eamic/server (>=1.0.1 <=1.0.3) +23 more potentially affected by CVE-2025-46653 via formidable (>=2.1.1 <=2.1.2)

formidable NPM version =2.1.1, =0.0.219, =1.0.1, =3.0.0-alpha.21, =1.0.10, =1.8.8, =0.141.0, =0.0.219, =1.13.0, =1.0.9, =1.3.15, =0.1.0, =0.21.7, =0.1.0, =1.1.0 and more Source cves: CVE-2025-46653 Source advisory: OSV:GHSA-75V8-2H7P-7M2M...

3.1 CVSS, 5.8 AI score, 0.00052 EPSS
Exploits: 1
OSV
added 2025/04/26 9:15 p.m., 4 views

CVE-2025-46653

Formidable aka node-formidable 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." Also, there is a scenario in which only the last two characters of a hexoid string nee...

8.8 CVSS, 6.9 AI score
Exploits: 0, References: 3
Debian CVE
added 2025/04/26 12:0 a.m., 3 views

CVE-2025-46653

Formidable aka node-formidable 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." Also, there is a scenario in which only the last two characters of a hexoid string nee...

3.1 CVSS, 4.6 AI score, 0.00052 EPSS
Exploits: 1
CVE
added 2025/04/26 12:0 a.m., 229 views

CVE-2025-46653

CVE-2025-46653 affects Formidable (node-formidable) 2.1.0 through 3.x before 3.5.3. The issue is that it relies on hexoid to prevent filename guessing for untrusted executable content, but hexoid is not cryptographically secure, which could enable guessing of hexoid strings in some cases. The IBM security...

3.1 CVSS, 7.3 AI score, 0.00052 EPSS
Exploits: 1, References: 3, Affected Software: 1
vulnersOsv
added 2025/04/19 1:42 a.m., 1 views

org.webjars.npm:angular-lock (=2.0.3), org.webjars.npm:auth0-js (>=8.4.0 <=9.28.0) +11 more potentially affected by CVE-2025-46653 via org.webjars.npm:formidable (>=1.2.2 <=2.1.2)

org.webjars.npm:formidable MAVEN version =1.2.2, =8.4.0, =4.0.0-alpha, =1.1.0, =2.1.7, =1.0.6, =3.3.1, =7.1.6 - org.webjars.npm:supertest =3.4.2 Source cves: CVE-2025-46653 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-10006768...

3.1 CVSS, 5.8 AI score, 0.00052 EPSS
Exploits: 1
OSV
added 2022/05/16 2:15 p.m., 1 views

DEBIAN-CVE-2022-29622

An arbitrary file upload vulnerability in formidable v3.1.4 allows attackers to execute arbitrary code via a crafted filename. NOTE: some third parties dispute this issue because the product has common use cases in which uploading arbitrary files is the desired behavior. Also, there are...

9.8 CVSS, 8.8 AI score, 0.24463 EPSS
Exploits: 2, References: 1