26 matches found

IBM Security Bulletins
added 2026/05/26 5:16 p.m., 7 views

Security Bulletin: Due to the use of mchange-commons-java, IBM webMethods BPM is vulnerable to malicious code execution (CVE-2026-27727).

Summary: IBM webMethods BPM includes the standalone utility which includes the vulnerable component mchange-commons-java. The tool operates as a standalone utility and is not part of the main runtime environments. Vulnerability Details: CVEID: CVE-2026-27727 DESCRIPTION: mchange-commons-java, a...

CVSS: 9.8 | AI score: 6.1 | EPSS: 0.00151 | Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2026/05/26 5:14 p.m., 5 views

Security Bulletin: Due to the use of c3p0, IBM webMethods BPM is vulnerable to attack via maliciously crafted Java-serialized objects (CVE-2026-27830)

Summary: IBM webMethods BPM includes the standalone utility which includes the vulnerable component c3p0. The tool operates as a standalone utility and is not part of the main runtime environments. Vulnerability Details: CVEID: CVE-2026-27830 DESCRIPTION: c3p0, a JDBC Connection pooling library, is...

CVSS: 8.9 | AI score: 6.1 | EPSS: 0.00313 | Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2026/04/17 8:29 a.m., 3 views

Security Bulletin: IBM webMethods BPM is vulnerable to a denial of service due to openid4java

Summary: IBM webMethods BPM uses openid4java to implement OpenID-based authentication. Vulnerability Details: CVEID: CVE-2011-4314 DESCRIPTION: message/ax/AxMessage.java in OpenID4Java before 0.9.6 final, as used in JBoss Enterprise Application Platform 5.1 before 5.1.2, Step2, Kay Framework before...

CVSS: 5.8 | AI score: 5.9 | EPSS: 0.00626 | Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2026/04/17 6:48 a.m., 1 view

Security Bulletin: Due to use of jackrabbit-spi-commons IBM webMethods BPM is vulnerable to loading privileges using unsecured document build

Summary: IBM webMethods BPM is using jackrabbit-spi-commons which is affected by a known vulnerability CVE-2025-53689. This security bulletin provides guidance on addressing the vulnerability. Vulnerability Details: CVEID: CVE-2025-58782 DESCRIPTION: Deserialization of Untrusted Data vulnerability i...

CVSS: 8.8 | AI score: 6.3 | EPSS: 0.00569 | Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2026/03/30 5:52 a.m., 4 views

Security Bulletin: IBM webMethods BPM is vulnerable to a denial of service due to rhino

Summary: IBM webMethods BPM uses rhino to embed a JavaScript engine for executing internal scripts related to business logic and configuration. Vulnerability Details: CVEID: CVE-2025-66453 DESCRIPTION: Rhino is an open-source implementation of JavaScript written entirely in Java. Prior to 1.8.1,...

CVSS: 7.5 | AI score: 6.8 | EPSS: 0.00115 | Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2026/03/27 6:6 p.m., 2 views

Security Bulletin: IBM webMethods BPM is vulnerable to a denial of service due to JSON-Java

Summary: IBM webMethods BPM uses JSON-Java for reading and parsing of JSON data. Vulnerability Details: CVEID: CVE-2023-5072 DESCRIPTION: Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts...

CVSS: 7.5 | AI score: 5.9 | EPSS: 0.01216 | Exploits: 6 | Affected Software: 1

IBM Security Bulletins
added 2026/03/27 5:59 p.m., 2 views

Security Bulletin: IBM webMethods BPM is vulnerable to a denial of service due to commons-io

Summary: IBM webMethods BPM uses commons-io to simplify file and stream handling operations within the application, such as reading, writing, and manipulating files and input/output streams. Vulnerability Details: CVEID: CVE-2021-29425 DESCRIPTION: In Apache Commons IO before 2.7, when invoking the...

CVSS: 5.8 | AI score: 5.9 | EPSS: 0.00485 | Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2026/03/27 5:58 p.m., 3 views

Security Bulletin: IBM webMethods BPM is vulnerable to a denial of service due to jetty

Summary: IBM webMethods BPM uses jetty to enable embedded web server capabilities within the application. Vulnerability Details: CVEID: CVE-2024-6763 DESCRIPTION: Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for...

CVSS: 5.3 | AI score: 5.9 | EPSS: 0.01074 | Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2026/03/27 8:6 a.m., 9 views

Security Bulletin: Due to the use of jetty IBM webMethods BPM is vulnerable to multiple vulnerabilities

Summary: IBM webMethods BPM is dependent on jetty which is affected by known vulnerabilities CVE-2019-17638, CVE-2020-27218, CVE-2021-28169, CVE-2021-34428, CVE-2022-2047, CVE-2023-26048, CVE-2023-26049, CVE-2024-13009, CVE-2024-8184. Vulnerability Details: CVEID: CVE-2019-17638 DESCRIPTION: In Eclip...

CVSS: 9.4 | AI score: 7 | EPSS: 0.9026 | Exploits: 3 | Affected Software: 1

IBM Security Bulletins
added 2026/03/27 8:3 a.m., 2 views

Security Bulletin: Due to the use of hibernate-core, IBM webMethods BPM is vulnerable to a second-order SQL injection

Summary: IBM webMethods BPM tool is dependent on hibernate-core which is affected by known vulnerability - CVE-2026-0603. Vulnerability Details: CVEID: CVE-2026-0603 DESCRIPTION: A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection...

CVSS: 8.3 | AI score: 6.1 | EPSS: 0.00074 | Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2026/03/05 2:23 p.m., 2 views

Security Bulletin: Due to use of apache.felix.webconsole, IBM webMethods BPM is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability

Summary: IBM webMethods BPM is using apache.felix.webconsole. Vulnerability Details: CVEID: CVE-2025-25247 DESCRIPTION: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Apache Felix Webconsole. This issue affects Apache Felix Webconsole 4.x up to...

CVSS: 6.1 | AI score: 5.8 | EPSS: 0.01666 | Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2026/03/05 11:51 a.m., 3 views

Security Bulletin: IBM webMethods BPM is vulnerable to a denial of service due to jetty-server

Summary: IBM webMethods BPM uses jetty-server as a transitive dependency brought in by the WebMethods Integration Server is-server dependency. The Integration Server runtime uses Jetty internally for its web server infrastructure. Vulnerability Details: CVEID: CVE-2024-8184 DESCRIPTION: There exists...

CVSS: 6.5 | AI score: 6 | EPSS: 0.011 | Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2026/02/24 1:45 p.m., 6 views

Security Bulletin: IBM webMethods BPM is vulnerable to Out-of-bounds memory operations in org.lz4:lz4-java.

Summary: IBM webMethods BPM uses lz4-java which is pulled in automatically as a dependency of webmethods event streaming library. Vulnerability Details: CVEID: CVE-2025-12183 DESCRIPTION: Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and earlier allow remote attackers to cause denial of...

CVSS: 8.8 | AI score: 5.5 | EPSS: 0.00103 | Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2026/02/17 4:39 a.m., 7 views

Security Bulletin: IBM webMethods BPM is vulnerable to a denial of service due to kafka-clients

Summary: IBM webMethods BPM uses kafka-clients.jar which is pulled in automatically as a dependency of webmethods event streaming library. Kafka-clients.jar provides Apache Kafka client APIs for producing and consuming messages. Vulnerability Details: CVEID: CVE-2022-34917 DESCRIPTION: A security...

CVSS: 8.8 | AI score: 7.6 | EPSS: 0.94055 | Exploits: 7 | Affected Software: 1

IBM Security Bulletins
added 2026/02/17 4:38 a.m., 5 views

Security Bulletin: IBM webMethods BPM is vulnerable to a denial of service due to bc-fips

Summary: IBM webMethods BPM uses bc-fips which is pulled in by webMethods Integration Server core for FIPS-compliant cryptographic operations. The BPM Process Engine relies on IS infrastructure for security but doesn't directly use Bouncy Castle APIs. Vulnerability Details: CVEID: CVE-2025-8885...

CVSS: 6.3 | AI score: 5.5 | EPSS: 0.00121 | Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2026/02/17 4:37 a.m., 7 views

Security Bulletin: IBM webMethods BPM is vulnerable to a denial of service due to log4j-core

Summary: IBM webMethods BPM uses log4j-core for process instance-specific logging in the BPM Process Engine, creating individual log files for each process instance to track execution details, errors, and debugging information separately from the general system logs. Vulnerability Details...

CVSS: 8.5 | AI score: 6.5 | EPSS: 0.53648 | Exploits: 9 | Affected Software: 1

IBM Security Bulletins
added 2026/02/17 4:35 a.m., 4 views

Security Bulletin: IBM webMethods BPM is vulnerable to a denial of service due to kotlin-stdlib

Summary: IBM webMethods BPM uses kotlin-stdlib in all Kotlin-based modules to provide core Kotlin language support and runtime utilities. Vulnerability Details: CVEID: CVE-2020-29582 DESCRIPTION: In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation...

CVSS: 5.3 | AI score: 8.4 | EPSS: 0.00004 | Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2026/02/17 4:32 a.m., 4 views

Security Bulletin: IBM webMethods BPM is vulnerable to a denial of service due to snappy-java

Summary: IBM webMethods BPM uses snappy-java which is automatically pulled in by kafka-clients as a compression codec dependency. The project doesn't directly use Snappy; it's used internally by Kafka for efficient message compression when streaming events through webmethods's event streaming...

CVSS: 7.5 | AI score: 5.5 | EPSS: 0.01503 | Exploits: 3 | Affected Software: 1

IBM Security Bulletins
added 2026/02/03 9:4 a.m., 3 views

Security Bulletin: Due to use of apache.felix.webconsole, IBM webMethods BPM is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability

Summary: IBM webMethods BPM is using apache.felix.webconsole. Vulnerability Details: CVEID: CVE-2025-25247 DESCRIPTION: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Apache Felix Webconsole. This issue affects Apache Felix Webconsole 4.x up to...

CVSS: 6.1 | AI score: 5.2 | EPSS: 0.01666 | Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/19 12:52 p.m., 4 views

Security Bulletin: IBM webMethods BPM is vulnerable to a denial of service due to json-20190722.jar

Summary: IBM webMethods BPM uses json-20190722.jar for reading and parsing of JSON data. Vulnerability Details: CVEID: CVE-2023-5072 DESCRIPTION: Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite...

CVSS: 7.5 | AI score: 6.8 | EPSS: 0.01216 | Exploits: 6 | Affected Software: 1