Your extensions leak clues about you, so we made sure Browser Guard doesn’t

Did you know you can be profiled based on the browser extensions you use? Advertisers can detect which extensions are installed and use that to build a picture of the kind of user you are. For instance, do you pride yourself on being a good online shopper who never pays full price? Maybe you use ...

Security Bulletin: Security vulnerability has been detected in IBM Security Verify Directory (Container) (CVE-2025-36074)

Summary Security vulnerability has been addressed in IBM Security Verify Directory Container Vulnerability Details CVEID:CVE-2025-36074 DESCRIPTION: IBM Security Verify Directory could be vulnerable to malicious file upload by not validating file type. A privileged user could upload malicious fil...

Security Bulletin: Vulnerability in form-data might affect IBM Storage Defender Sentinel Anomaly Scan Engine.

Summary IBM Storage Defender Sentinel Anomaly Scan Engine can be affected by a vulnerability in form-data. Vulnerabilities include the use of insufficiently random values allowing HTTP Parameter Pollution HPP. More details are described by the CVEs in the "Vulnerability Details" section...

Security Bulletin: Security vulnerability was found in IBM WebSphere Application Server provided with IBM Security Verify Directory (CVE-2025-7962)

Summary Security vulnerability was addressed in WebSphere Application Server provided with IBM Security Verify Directory Vulnerability Details CVEID:CVE-2025-7962 DESCRIPTION: In Jakarta Mail 2.0.2 it is possible to preform a SMTP Injection by utilizing the \r and \n UTF-8 characters to separate...

Security Bulletin: Security vulnerability was found in IBM Security Directory Integrator (CVE-2024-28765)

Summary Security vulnerability has been addressed in the IBM Security Directory Integrator Vulnerability Details CVEID:CVE-2024-28765 DESCRIPTION: IBM Security Directory Integrator could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in...

APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies

The Russian threat actor known as APT28 aka Forest Blizzard and Pawn Storm has been linked to a fresh spear-phishing campaign targeting Ukraine and its allies to deploy a previously undocumented malware suite codenamed PRISMEX. "PRISMEX combines advanced steganography, component object model COM...

Security Bulletin: DevOps Test Performance contains a vulnerability related to use of the jsdiff JavaScript library

Summary Due to use of the jsdiff JavaScript library, DevOps Test Performance and Rational Performance Tester contain a potential denial of service DoS vulnerability. Vulnerability Details CVEID:CVE-2026-24001 DESCRIPTION: jsdiff is a JavaScript text differencing implementation. Prior to versions...

Security Bulletin: DevOps Test Performance contains a vulnerability related to use of the lodash JavaScript library

Summary Due to use of the lodash JavaScript library, DevOps Test Performance and Rational Performance Tester contain a potential denial of service DoS vulnerability. Vulnerability Details CVEID:CVE-2025-13465 DESCRIPTION: Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution...

Security Bulletin: Due to the use of WebSphere Application Server Liberty, IBM Tivoli Application Dependency Discovery Manager is vulnerable to cross-site scripting and arbitrary code execution

Summary IBM Tivoli Application Dependency Discovery Manager bundles WebSphere Application Server Liberty, vulnerabilities have been remediated in an efix Vulnerability Details CVEID:CVE-2025-12635 DESCRIPTION: IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty...

Security Bulletin: Certificate Name Constraints Bypass via Wildcard SANs affects watsonx.data

Summary Improper enforcement of certificate name constraints allows wildcard SANs e.g., .example.com to bypass excluded subdomain restrictions e.g., test.example.com, potentially enabling unauthorized certificate usage.This can affect watsonx.data. Vulnerability Details CVEID:CVE-2025-61727...

Security Bulletin: Expr Built-in Functions Recursion DoS Vulnerability (Fixed in v1.17.7) affects watsonx.data

Summary Expr prior to v1.17.7 is vulnerable to a Denial-of-Service DoS due to unbounded recursion in certain built-in functions, which can cause stack overflow and application crashes when processing deeply nested or cyclic data. Fixed in v1.17.7. This can affect watsonx.data. Vulnerability Detai...

Security Bulletin: Fulcio OIDC Token Parsing DoS Vulnerability in extractIssuerURL affects watsonx.data

Summary ulcio prior to 1.8.3 is vulnerable to a Denial-of-Service DoS issue where malicious OIDC tokens containing excessive period characters can trigger high memory allocation during parsing. This can affect watsonx.data. Vulnerability Details CVEID:CVE-2025-66506 DESCRIPTION: Fulcio is a...

Security Bulletin: jose4j JWE Decompression DoS Vulnerability (Fixed in 0.9.6), affects watsonx.data

Summary n jose4j before 0.9.6, an attacker can cause a Denial-of-Service DoS condition by crafting a malicious JSON Web Encryption JWE token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time...

Security Bulletin: MCP Python SDK DNS Rebinding Vulnerability in HTTP Servers (Fixed in 1.23.0) affects watsonx.data

Summary The MCP Python SDK mcp prior to 1.23.0 did not enable DNS rebinding protection by default for HTTP-based servers. This could allow a malicious website to bypass same-origin policies and send requests to a local MCP server running without authentication. This can affect watsonx.data...

Security Bulletin: LangChain Serialization Injection Vulnerability in dumps()/dumpd() (Fixed in 0.3.81 / 1.2.5) affects watsonx.data

Summary A serialization injection vulnerability in LangChain's dumps and dumpd functions pre-0.3.81 / 1.2.5 allows user-controlled data with 'lc' keys to be deserialized as objects. This issue is fixed in versions 0.3.81 and 1.2.5. This can affect watsonx.data. Vulnerability Details...

Security Bulletin: Cross-Site Scripting (XSS) Vulnerability in OWASP Java HTML Sanitizer via HtmlPolicyBuilder noscript/style Tags (v20240325.1), affects watsonx.data

Summary A vulnerability in OWASP Java HTML Sanitizer v20240325.1 allows Cross-Site Scripting XSS when HtmlPolicyBuilder permits noscript or style tags with allowTextIn. Unsanitized CSS or unexpected tags can be exploited by attackers. No patch is available at the time of this publication. This ca...

Security Bulletin: Session Cookie Exposure via Improper Cache Handling in Flask (≤ v2.3.1, ≤ v2.2.4), affects watsonx.data

Summary A vulnerability in Flask ≤ v2.3.1, ≤ v2.2.4 can cause session cookies to be exposed when responses are cached by a proxy. This occurs if sessions are permanent but not accessed during a request, combined with default cache settings. The issue is fixed in versions 2.3.2 and 2.2.5. This can...

Security Bulletin: Due to the use of Apache Tomcat and mchange-commons-java, IBM ApplinX is vulnerable to Improper Input Validation vulnerablities (CVE-2025-66614, CVE-2026-24733, CVE-2026-24734) and an 'Injection' vulnerability (CVE-2026-27727).

Summary Due to the use of Apache Tomcat and mchange-commons-java, IBM ApplinX is vulnerable to Improper Input Validation vulnerablities CVE-2025-66614, CVE-2026-24733, CVE-2026-24734 and an Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection'...

Security Bulletin: Log Injection Vulnerability in orydolphin/flask-cors (Debug Logging) affects watsonx.data

Summary A vulnerability in orydolphin/flask-cors allows attackers to inject malicious log entries when debug logging is enabled. By sending specially crafted requests containing CRLF sequences, an attacker can corrupt or forge log entries, potentially obscuring other attacks or disrupting log...

Security Bulletin: Improper Unicode Handling in validator isLength() Leads to Input Length Bypass (Pre-13.15.22) affects watsonx.data

Summary Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength function that does not take into account Unicode variation selectors \uFE0F, \uFE0E appearing in a sequence which lead to improper string...