34922 matches found

IBM Security Bulletins
added 2026/05/07 7:42 p.m., 6 views

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in WebSphere Application Server Liberty

Summary IBM Watson Discovery Cartridge affected by vulnerability in WebSphere Application Server Liberty Vulnerability Details CVEID:CVE-2024-29371 DESCRIPTION: In jose4j before 0.9.6, an attacker can cause a Denial-of-Service DoS condition by crafting a malicious JSON Web Encryption JWE token wi...

CVSS 7.5, AI score 5.8, EPSS 0.00021
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 7:24 p.m., 10 views

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerabilities in minimatch-3.1.2.tgz

Summary IBM Watson Discovery Cartridge affected by vulnerabilities in minimatch-3.1.2.tgz Vulnerability Details CVEID:CVE-2026-26996 DESCRIPTION: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to...

CVSS 8.7, AI score 5.7, EPSS 0.00036
Exploits: 3, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 7:22 p.m., 8 views

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in addressable-2.5.2.gem

Summary IBM Watson Discovery Cartridge affected by vulnerability in addressable-2.5.2.gem Vulnerability Details CVEID:CVE-2026-35611 DESCRIPTION: Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. From 2.3.0 to before 2.9.0, within the...

CVSS 7.5, AI score 5.7, EPSS 0.00027
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 7:19 p.m., 6 views

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerabilities in IBM SDK Java Technology Edition Quarterly CPU

Summary IBM Watson Discovery Cartridge affected by vulnerabilities in IBM SDK Java Technology Edition Quarterly CPU Vulnerability Details CVEID:CVE-2026-21945 DESCRIPTION: Java SE is vulnerable to a denial of service, caused by an easily exploitable vulnerability issue that allows a remote...

CVSS 7.5, AI score 5.8, EPSS 0.00089
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 7:18 p.m., 7 views

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in keras-3.13.1-py3-none-any.whl

Summary IBM Watson Discovery Cartridge affected by vulnerability in keras-3.13.1-py3-none-any.whl Vulnerability Details CVEID:CVE-2026-1669 DESCRIPTION: Arbitrary file read in the model loading mechanism HDF5 integration in Keras versions 3.0.0 through 3.13.1 on all supported platforms allows a...

CVSS 7.5, AI score 5.8, EPSS 0.00014
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 7:16 p.m., 8 views

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerabilities in picomatch-2.3.1.tgz

Summary IBM Watson Discovery Cartridge affected by vulnerabilities in picomatch-2.3.1.tgz Vulnerability Details CVEID:CVE-2026-33671 DESCRIPTION: Picomatch is a glob matcher written in JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service ReDoS...

CVSS 7.5, AI score 6.1, EPSS 0.00059
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 7:14 p.m., 6 views

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in pypdf-6.6.0-py3-none-any.whl

Summary IBM Watson Discovery Cartridge affected by vulnerability in pypdf-6.6.0-py3-none-any.whl Vulnerability Details CVEID:CVE-2026-24688 DESCRIPTION: pypdf is a free and open-source pure-python PDF library. An attacker who uses an infinite loop vulnerability that is present in versions prior t...

CVSS 5.1, AI score 5.7, EPSS 0.00014
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 7:10 p.m., 6 views

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerabilities in pypdf-6.5.0-py3-none-any.whl

Summary IBM Watson Discovery Cartridge affected by vulnerabilities in pypdf-6.5.0-py3-none-any.whl Vulnerability Details CVEID:CVE-2026-22690 DESCRIPTION: pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for missing /Root object wit...

CVSS 6.9, AI score 5.5, EPSS 0.00023
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 6:40 p.m., 5 views

Security Bulletin: IBM MQ is affected by weaker than expected security in IBM WebSphere Application Server Liberty (CVE-2025-14917)

Summary IBM WebSphere Application Server Liberty is used by IBM MQ as part of the IBM MQ Console and IBM MQ REST API functionality CVE-2025-14917 Vulnerability Details CVEID:CVE-2025-14917 DESCRIPTION: IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application...

CVSS 9.8, AI score 5.8, EPSS 0.00014
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 6:40 p.m., 7 views

Security Bulletin: IBM MQ is affected by multiple Java vulnerabilities (CVE-2026-21945, CVE-2026-21932, CVE-2026-21933, CVE-2026-21925)

Summary Multiple issues were identified with the IBM Runtime Environment, Java Technology Edition which is shipped with IBM MQ Vulnerability Details CVEID:CVE-2026-21945 DESCRIPTION: Java SE is vulnerable to a denial of service, caused by an easily exploitable vulnerability issue that allows an...

CVSS 7.5, AI score 5.9, EPSS 0.00089
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 6:40 p.m., 6 views

Security Bulletin: IBM MQ is affected by a server-side request forgery vulnerability in IBM WebSphere Application Server Liberty (CVE-2026-1561)

Summary IBM WebSphere Application Server Liberty is used by IBM MQ as part of the IBM MQ Console and IBM MQ REST API functionality CVE-2026-1561 Vulnerability Details CVEID:CVE-2026-1561 DESCRIPTION: IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application...

CVSS 5.4, AI score 6.1, EPSS 0.00042
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 6:6 p.m., 5 views

Security Bulletin: IBM MQ is affected by a vulnerability in IBM WebSphere Application Server Liberty (CVE-2025-14914)

Summary A remote code execution vulnerability was identified in IBM WebSphere Application Server Liberty, which IBM MQ ships and uses to supply IBM MQ Console and IBM MQ REST API functionality CVE-2025-14914 Vulnerability Details CVEID:CVE-2025-14914 DESCRIPTION: IBM WebSphere Application Server...

CVSS 7.6, AI score 6.6, EPSS 0.00019
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 6:6 p.m., 6 views

Security Bulletin: IBM MQ is vulnerable to a password disclosure vulnerability (CVE-2026-2607)

Summary IBM MQ has addressed a password disclosure vulnerability CVE-2026-2607 Vulnerability Details CVEID:CVE-2026-2607 DESCRIPTION: IBM MQ stores potentially sensitive information in log files that could be read by a local user. CWE:CWE-532: Insertion of Sensitive Information into Log File CVSS...

CVSS 5.1, AI score 5.8, EPSS 0.00015
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 6:6 p.m., 4 views

Security Bulletin: IBM MQ is affected by a denial of service vulnerability in IBM WebSphere Application Server Liberty (CVE-2024-29371)

Summary IBM WebSphere Application Server Liberty is used by IBM MQ as part of the IBM MQ Console and IBM MQ REST API functionality CVE-2024-29371 Vulnerability Details CVEID:CVE-2024-29371 DESCRIPTION: In jose4j before 0.9.6, an attacker can cause a Denial-of-Service DoS condition by crafting a...

CVSS 7.5, AI score 5.8, EPSS 0.00021
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 6:6 p.m., 4 views

Security Bulletin: IBM MQ is affected by a privilege escalation vulnerability in IBM WebSphere Application Server Liberty (CVE-2025-14915)

Summary IBM WebSphere Application Server Liberty is used by IBM MQ as part of the IBM MQ Console and IBM MQ REST API functionality CVE-2025-14915 Vulnerability Details CVEID:CVE-2025-14915 DESCRIPTION: IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application...

CVSS 7.2, AI score 5.8, EPSS 0.00013
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 6:1 p.m., 10 views

Security Bulletin: Vulnerabilities have been identified in IBM® SDK, Java™ Technology Edition shipped with IBM Business Automation Workflow due to the April 2026 Java CPU

Summary WebSphere Application Server is shipped as a component of IBM Business Automation Workflow. Information about security vulnerabilities in IBM® SDK, Java™ Technology Edition affecting IBM WebSphere Application Server Traditional have been published in a security bulletin. Vulnerability...

AI score 5.8
Exploits: 0, Affected Software: 2

IBM Security Bulletins
added 2026/05/07 5:36 p.m., 17 views

Security Bulletin: IBM MQ Appliance is affected by multiple open source vulnerabilities (CVE-2026-23193, CVE-2026-23231, CVE-2026-3497)

Summary IBM MQ Appliance has addressed multiple open source vulnerabilities. Vulnerability Details CVEID:CVE-2026-23193 DESCRIPTION: In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count In...

CVSS 8.8, AI score 6.3, EPSS 0.00765
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 5:35 p.m., 4 views

Security Bulletin: IBM MQ Appliance is affected by an integer overflow (CVE-2022-50865)

Summary IBM MQ Appliance has addressed an integer overflow. Vulnerability Details CVEID:CVE-2022-50865 DESCRIPTION: In the Linux kernel, the following vulnerability has been resolved: tcp: fix a signed-integer-overflow bug in tcp_add_backlog The type of sk_rcvbuf and sk_sndbuf in struct sock is int,...

AI score 5.8, EPSS 0.00022
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 5:35 p.m., 6 views

Security Bulletin: IBM MQ Appliance is affected by a denial of service vulnerability (CVE-2026-21945)

Summary IBM MQ Appliance has addressed a denial of service vulnerability. Vulnerability Details CVEID:CVE-2026-21945 DESCRIPTION: Java SE is vulnerable to a denial of service, caused by an easily exploitable vulnerability issue that allows a remote attacker to cause a hang or repeatable crash of...

CVSS 7.5, AI score 5.8, EPSS 0.00089
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 5:35 p.m., 6 views

Security Bulletin: IBM MQ Appliance is affected by a default password vulnerability (CVE-2025-14917)

Summary IBM MQ Appliance has addressed a default password vulnerability. Vulnerability Details CVEID:CVE-2025-14917 DESCRIPTION: IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application Server Liberty could provide weaker than expected security when...

CVSS 9.8, AI score 5.8, EPSS 0.00014
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 2:34 p.m., 7 views

Security Bulletin: IBM Maximo Scheduler Optimizer uses lodash-4.17.23.tgz which is vulnerable to CVE-2026-2950, CVE-2026-4800

Summary IBM Maximo Scheduler Optimizer uses lodash-4.17.23.tgz which is vulnerable to CVE-2026-2950, CVE-2026-4800. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2026-2950 DESCRIPTION: Impact: Lodash versions 4.17.23 and earlier ar...

CVSS 9.8, AI score 6, EPSS 0.00044
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 2:33 p.m., 7 views

Security Bulletin: IBM Maximo Scheduler Optimizer uses cryptography-46.0.5-cp311-abi3-manylinux_2_34_x86_64.whl which is vulnerable to CVE-2026-34073

Summary IBM Maximo Scheduler Optimizer uses cryptography-46.0.5-cp311-abi3-manylinux_2_34_x86_64.whl which is vulnerable to CVE-2026-34073. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2026-34073 DESCRIPTION: cryptography is a package...

CVSS 6.3, AI score 5.7, EPSS 0.00009
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 2:32 p.m., 6 views

Security Bulletin: IBM Maximo Scheduler Optimizer uses brace-expansion-1.1.11.tgz which is vulnerable to CVE-2026-33750

Summary IBM Maximo Scheduler Optimizer uses brace-expansion-1.1.11.tgz which is vulnerable to CVE-2026-33750. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2026-33750 DESCRIPTION: The brace-expansion library generates arbitrary...

CVSS 7.5, AI score 5.9, EPSS 0.00028
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 2:30 p.m., 8 views

Security Bulletin: IBM Maximo Scheduler Optimizer uses requests-2.32.5-py3-none-any.whl which is vulnerable to CVE-2026-25645

Summary IBM Maximo Scheduler Optimizer uses requests-2.32.5-py3-none-any.whl which is vulnerable to CVE-2026-25645. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2026-25645 DESCRIPTION: Requests is a HTTP library. Prior to version...

CVSS 5.5, AI score 5.8, EPSS 0.00005
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 2:29 p.m., 9 views

Security Bulletin: IBM Maximo Scheduler Optimizer uses werkzeug-3.1.5-py3-none-any.whl which is vulnerable to CVE-2026-27199

Summary IBM Maximo Scheduler Optimizer uses werkzeug-3.1.5-py3-none-any.whl which is vulnerable to CVE-2026-27199. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2026-27199 DESCRIPTION: Werkzeug is a comprehensive WSGI web applicati...

CVSS 6.3, AI score 5.7, EPSS 0.00027
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 2:0 p.m., 5 views

Security Bulletin: IBM Maximo Scheduler Optimizer uses flask-3.1.2-py3-none-any.whl which is vulnerable to CVE-2026-27205

Summary IBM Maximo Scheduler Optimizer uses flask-3.1.2-py3-none-any.whl which is vulnerable to CVE-2026-27205. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2026-27205 DESCRIPTION: Flask is a web server gateway interface WSGI web...

CVSS 4.3, AI score 5.8, EPSS 0.00014
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 1:57 p.m., 7 views

Security Bulletin: IBM Maximo Application Suite - IoT Component uses multiple third party dependencies which is vulnerable to multiple CVEs.

Summary IBM Maximo Application Suite - IoT Component uses cryptography-46.0.5-cp311-abi3-manylinux_2_34_x86_64.whl, cryptography-46.0.6-cp311-abi3-manylinux_2_34_x86_64.whl, pyasn1-0.6.2-py3-none-any.whl, requests-2.32.5-py3-none-any.whl, bcprov-jdk18on-1.83.jar, pygments-2.19.2-py3-none-any.whl,...

CVSS 9.8, AI score 5.6, EPSS 0.00074
Exploits: 2, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 1:52 p.m., 5 views

Security Bulletin: IBM Maximo Scheduler Optimizer uses minimatch-3.1.2.tgz which is vulnerable to CVE-2026-26996

Summary IBM Maximo Scheduler Optimizer uses minimatch-3.1.2.tgz which is vulnerable to CVE-2026-26996. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2026-26996 DESCRIPTION: minimatch is a minimal matching utility for converting glo...

CVSS 8.7, AI score 5.7, EPSS 0.00026
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 1:49 p.m., 5 views

Security Bulletin: IBM Maximo Scheduler Optimizer uses minimatch-3.1.2.tgz which is vulnerable to CVE-2026-26996, CVE-2026-27903, CVE-2026-27904

Summary IBM Maximo Scheduler Optimizer uses minimatch-3.1.2.tgz which is vulnerable to CVE-2026-26996, CVE-2026-27903, CVE-2026-27904. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2026-26996 DESCRIPTION: minimatch is a minimal...

CVSS 8.7, AI score 5.7, EPSS 0.00036
Exploits: 3, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 1:38 p.m., 10 views

Security Bulletin: IBM App Connect Enterprise Certified Container UBI updates

Summary IBM App Connect Enterprise Certified Container ACEcc is built on the Red Hat Universal Base Images. ACEcc operator versions 12.0.23 LTS and 13.1.0 contain fixes to the listed CVEs found in the base images. This bulletin provides patch information to address the reported vulnerabilities...

CVSS 9.2, AI score 5.7, EPSS 0.00126
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 1:37 p.m., 8 views

Security Bulletin: IBM App Connect Enterprise Certified Container backup and restore is vulnerable to authorization bypass (CVE-2026-33186)

Summary gRPC-Go is used by the IBM App Connect Enterprise Certified Container Velero image. IBM App Connect Enterprise Certified Container deployments that use Velero for backup and restore are vulnerable to authorization bypass. This bulletin provides patch information to address the reported...

CVSS 9.1, AI score 5.8, EPSS 0.0002
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 1:36 p.m., 4 views

Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to loss of confidentiality (CVE-2025-62718)

Summary Node.js module axios is used by IBM App Connect Enterprise Certified Container for HTTP communications. IBM App Connect Enterprise Certified Container operands are vulnerable to loss of confidentiality. This bulletin provides patch information to address the reported vulnerability in...

CVSS 9.9, AI score 5.8, EPSS 0.00069
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 1:34 p.m., 7 views

Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to arbitrary code execution (CVE-2026-33937, CVE-2026-33938, CVE-2026-33940, CVE-2026-33941) and denial of service (CVE-2026-33939)

Summary Node.js module handlebars is used by all IBM App Connect Enterprise Certified Container operands. IBM App Connect Enterprise Certified Container operands are vulnerable to arbitrary code execution CVE-2026-33937, CVE-2026-33938, CVE-2026-33940, CVE-2026-33941 and denial of service...

CVSS 9.8, AI score 6.5, EPSS 0.0024
Exploits: 6, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 1:33 p.m., 5 views

Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring and Dashboard operands are vulnerable to loss of confidentiality (CVE-2026-39892, CVE-2026-34073) and arbitrary code execution (CVE-2026-40087)

Summary IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance are vulnerable to loss of confidentiality CVE-2026-39892, CVE-2026-34073. Dashboard operands that use the App Connect Enterprise Agent are vulnerable to arbitrary code execution...

CVSS 9.8, AI score 6.3, EPSS 0.00055
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 1:31 p.m., 3 views

Security Bulletin: IBM Content Navigator is affected by Log4J 1.2.14

Summary IBM Content Navigator is affected by multiple vulnerabilities in Apache Log4j 1.x, a logging library that reached end of life in August 2015. These include multiple Deserialization of Untrusted Data flaws in components such as SocketServer, JMSAppender, JMSSink, and Chainsaw, the most...

CVSS 9.8, AI score 8.1, EPSS 0.72202
Exploits: 13, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 1:22 p.m., 6 views

Security Bulletin: IBM Maximo Scheduler Optimizer uses cryptography-46.0.5-cp311-abi3-manylinux_2_34_x86_64.wh which is vulnerable to CVE-2026-34073

Summary IBM Maximo Scheduler Optimizer uses cryptography-46.0.5-cp311-abi3-manylinux_2_34_x86_64.wh which is vulnerable to CVE-2026-34073. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2026-34073 DESCRIPTION: cryptography is a package...

CVSS 9.8, AI score 5.9, EPSS 0.00023
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 1:20 p.m., 5 views

Security Bulletin: Multiple vulnerabilities in IBM Observability with Instana (OnPrem)

Summary Multiple vulnerabilities were remediated in IBM Observability with Instana OnPrem build 1.0.317 Vulnerability Details CVEID:CVE-2025-15284 DESCRIPTION: Improper Input Validation vulnerability in qs parse modules allows HTTP DoS. This issue affects qs: 6.14.1. Summary The arrayLimit option ...

CVSS 9.8, AI score 7.5, EPSS 0.00623
Exploits: 3, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 12:51 p.m., 6 views

Security Bulletin: Multiple security vulnerabilities may affect IBM WebSphere Liberty that is shipped with IBM CICS TX Advanced (CVE-2026-1561, CVE-2025-14923, CVE-2025-14917, CVE-2026-29063, CVE-2025-14915).

Summary Multiple security vulnerabilities may affect IBM WebSphere Liberty that is shipped with IBM CICS TX Advanced CVE-2026-1561, CVE-2025-14923, CVE-2025-14917, CVE-2026-29063, CVE-2025-14915. IBM WebSphere Liberty has been updated within IBM CICS TX Advanced to address these vulnerabilities...

CVSS 9.8, AI score 6, EPSS 0.0008
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 12:46 p.m., 8 views

Security Bulletin: Multiple security vulnerabilities may affect IBM WebSphere Liberty that is shipped with TXSeries for Multiplatforms (CVE-2025-14915, CVE-2025-14917, CVE-2025-14923, CVE-2026-1561, CVE-2026-29063).

Summary Multiple security vulnerabilities may affect IBM WebSphere Liberty that is shipped with TXSeries for Multiplatforms CVE-2025-14915, CVE-2025-14917, CVE-2025-14923, CVE-2026-1561, CVE-2026-29063. IBM WebSphere Liberty has been updated within TXSeries for Multiplatforms to address these...

CVSS 9.8, AI score 6, EPSS 0.0008
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 12:35 p.m., 4 views

Security Bulletin: Multiple vulnerabilities in IBM DevOps Solution Workbench

Summary Multiple vulnerabilities were addressed in IBM DevOps Solution Workbench version 5.1.2 Vulnerability Details CVEID:CVE-2026-6951 DESCRIPTION: Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution RCE due to an incomplete fix for CVE-2022-25912 that block...

CVSS 9.8, AI score 6.5, EPSS 0.00169
Exploits: 2, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 11:51 a.m., 4 views

Security Bulletin: IBM Maximo Application Suite - Predict Component was affected by SMTP injection due to Jakarta Mail which was vulnerable to CVE-2025-7962

Summary IBM Maximo Application Suite - Predict Component was affected by SMTP injection due to Jakarta Mail which was vulnerable to CVE-2025-7962. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2025-7962 DESCRIPTION: In Jakarta Mail 2.0.2 it i...

CVSS 7.5, AI score 6.3, EPSS 0.00054
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 11:9 a.m., 12 views

Security Bulletin: IBM Financial Transaction Manager for SWIFT Services for Multiplatforms is vulnerable to cross-site scripting.

Summary IBM Financial Transaction Manager for SWIFT Services for Multiplatforms is vulnerable to cross-site scripting CVE-2025-36148. Vulnerability Details CVEID:CVE-2025-36148 DESCRIPTION: IBM Financial Transaction Manager SWIFT is vulnerable to cross-site scripting. This vulnerability allows an...

CVSS 6.1, AI score 5.5, EPSS 0.00054
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 10:14 a.m., 7 views

Security Bulletin: IBM App Connect Enterprise is vulnerable to a confidential disclosure (CVE-2026-5515)

Summary Users of WS-Security with java 17 in IBM App Connect Enterprise are vulnerable to a confidential disclosure. Vulnerability Details CVEID:CVE-2026-5515 DESCRIPTION: IBM App Connect Enterprise stores potentially sensitive information in log files that could be read by a local user. CVSS...

CVSS 5.5, AI score 5.8, EPSS 0.00012
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 9:53 a.m., 7 views

Security Bulletin: IBM Operations Analytics - Log Analysis is affected by Information disclosure due to default passwords not being forced to be changed on post-installation

Summary The default password is used by IBM Operations Analytics - Log Analysis as part of the authentication to the Log Analysis User Interface. CVE-2026-7365. Vulnerability Details CVEID:CVE-2026-7365 DESCRIPTION: IBM SmartCloud Analytics - Log Analysis uses default passwords default passwords...

CVSS 8.4, AI score 5.8, EPSS 0.00017
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 9:43 a.m., 11 views

Security Bulletin: IBM App Connect Enterprise Certified Container operator and operands are vulnerable to loss of confidentiality (CVE-2026-25679)

Summary IBM App Connect Enterprise Certified Container operator and DesignerAuthoring, IntegrationRuntime and IntegrationServer operands are vulnerable to loss of confidentiality. This bulletin provides patch information to address the reported vulnerability in Golang module url.Parse...

CVSS 7.5, AI score 5.8, EPSS 0.00044
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 7:30 a.m., 3 views

Security Bulletin: Improper Hostname Normalization in Axios Enables NO_PROXY Bypass and SSRF Attacks

Summary Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. with a trailing dot or ::1 IPv6 literal skip NO_PROXY matching an...

CVSS 9.9, AI score 5.7, EPSS 0.00069
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 6:37 a.m., 3 views

Security Bulletin: Vulnerabilities exists in IBM Netezza Analytics for NPS

Summary Vulnerabilities exists in IBM Netezza Analytics for NPS addressed in 11.2.30. Vulnerability Details CVEID:CVE-2025-48924 DESCRIPTION: Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, an...

CVSS 9.8, AI score 7.2, EPSS 0.01143
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 6:23 a.m., 2 views

Security Bulletin: Vulnerabilities exists in IBM Netezza Performance Server Replication Services

Summary Vulnerabilities exists in IBM Netezza Performance Server Replication Services are addressed in 3.0.5.1 Vulnerability Details CVEID:CVE-2026-3623 DESCRIPTION: IBM Netezza Performance Server Replication Services allows an attacker with low‑privileged access to escalate their privileges to...

CVSS 7.8, AI score 5.9, EPSS 0.00015
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/05/07 6:21 a.m., 2 views

Security Bulletin: Vulnerability in jetty affects IBM Netezza Appliance

Summary The jetty package is used by IBM Netezza Appliance. IBM Netezza Appliance has addressed the applicable CVE CVE-2024-6763 Vulnerability Details CVEID:CVE-2023-24056 DESCRIPTION: In pkgconf through 1.9.3, variable duplication can cause unbounded string expansion due to incorrect checks in...

CVSS 5.5, AI score 6.7, EPSS 0.01189
Exploits: 2, Affected Software: 1

IBM Security Bulletins
added 2026/05/06 4:21 p.m., 7 views

Security Bulletin: IBM SOAR QRadar Plugin App is vulnerable to using components with known vulnerabilities

Summary The product includes vulnerable components e.g., framework libraries that may be identified and exploited with automated tools. IBM SOAR QRadar Plugin App has addressed the applicable CVEs with an update. Vulnerability Details CVEID:CVE-2026-27448 DESCRIPTION: pyOpenSSL is a Python wrappe...

CVSS 9.8, AI score 5.9, EPSS 0.00043
Exploits: 0, Affected Software: 1

Total number of security vulnerabilities: 34922