
34922 matches found

IBM Security Bulletins
added 2026/04/03 4:00 p.m., 10 views

Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in Apache Tika

Summary Multiple vulnerabilities in Apache Tika that is used by InfoSphere Information Server were addressed. Vulnerability Details CVEID:CVE-2025-54988 DESCRIPTION: Critical XXE in Apache Tika tika-parser-pdf-module in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an...

CVSS 9.8, AI score 7.1, EPSS 0.01579
Exploits: 6, Affected Software: 1

IBM Security Bulletins
added 2026/04/03 3:55 p.m., 2 views

Security Bulletin: IBM Operations Analytics - Log Analysis is affected by Weak Password Policy and Inadequate Account Lockout Mechanism

Summary IBM Operations Analytics – Log Analysis is affected by weaknesses in its Backend Authentication and Session Management module—used as part of its login mechanism—which exposes the product to improper authentication risks, including weak password policy enforcement and insufficient account...

CVSS 9.8, AI score 5.9, EPSS 0.00037
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/04/03 12:35 p.m., 3 views

Security Bulletin: IBM Security Verify Directory (Container) is affected by a vulnerability in the setuptools package (CVE-2025-47273)

Summary A vulnerability in the setuptools package used by IBM Security Verify Directory Container has been addressed Vulnerability Details CVEID:CVE-2025-47273 DESCRIPTION: setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path...

CVSS 8.8, AI score 6.5, EPSS 0.0012
Exploits: 4, Affected Software: 1

IBM Security Bulletins
added 2026/04/02 10:00 p.m., 5 views

Security Bulletin: The following vulnerabilities that can affect IBM Storage Scale Management GUI and/or system health monitoring are now fixed in 5.2.3.7 or higher and 6.0.0.2 or higher

Summary The following vulnerabilities, which can affect IBM Storage Scale Management GUI and/or system health monitoring and could provide weaker-than-expected security, are now fixed in Storage Scale 5.2.3.7 or higher or 6.0.0.2 or higher. Vulnerability Details CVEID:CVE-2025-66418 DESCRIPTION:...

CVSS 9.1, AI score 6.9, EPSS 0.03935
Exploits: 3, Affected Software: 1

IBM Security Bulletins
added 2026/04/02 9:55 p.m., 1 view

Security Bulletin: IBM WebSphere Application Server Liberty is affected by server-side request forgery (CVE-2026-1561)

Summary IBM WebSphere Application Server Liberty is affected by server-side request forgery with the samlWeb-2.0 feature enabled. Vulnerability Details CVEID:CVE-2026-1561 DESCRIPTION: IBM WebSphere Application Server Liberty is vulnerable to server-side request forgery SSRF. This may allow remot...

CVSS 5.4, AI score 5.9, EPSS 0.00042
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/04/02 9:53 p.m., 8 views

Security Bulletin: IBM Storage Ceph is vulnerable to Improper Validation of Specified Index, Position, or Offset in Input in zipfile (CVE-2025-8291)

Summary zipfile is used by IBM Storage Ceph. CVE-2025-8291 This bulletin identifies the steps to take to address the vulnerability in Ceph. Vulnerability Details CVEID:CVE-2025-8291 DESCRIPTION: The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory EOCD Locator...

CVSS 4.3, AI score 6.5, EPSS 0.00125
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/04/02 6:43 p.m., 1 view

Security Bulletin: IBM i is Affected by Use of Hard-coded Cryptographic Key, Cross-site Scripting, and Prototype Pollution Vulnerabilities in IBM WebSphere Application Server Liberty [CVE-2025-14923, CVE-2025-12635, CVE-2026-29063]

Summary IBM WebSphere Application Server Liberty for IBM i is vulnerable to providing weaker than expected security CVE-2025-14923, improper validation of user-supplied input CVE-2025-12635, and improperly controlled modification of object prototype attributes in the Immutable package...

CVSS 9.8, AI score 5.7, EPSS 0.0008
Exploits: 1, Affected Software: 6

IBM Security Bulletins
added 2026/04/02 6:41 p.m., 3 views

Security Bulletin: IBM Copy Services Manager may be affected by multiple vulnerabilities due to IBM SDK Quarterly CPU - Jan 2026

Summary Multiple Vulnerabilities were disclosed as part of the JAVA SE January 2026 Patch Update. Although likelihood of these issues being exploited is very low, IBM Copy Services Manager frequently updates product stack to ensure the utmost security is maintained. Vulnerability Details Refer to...

CVSS 7.5, AI score 6.8, EPSS 0.00089
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/04/02 3:45 p.m., 1 view

Security Bulletin: IBM Langflow Desktop Axios Denial of Service

Summary Axios is used by IBM Langflow Desktop as part of its HTTP communication functionality in Node.js environments, enabling it to send and receive network requests to external services and APIs. A vulnerability in Axios affects how data: scheme URLs are handled by its Node.js HTTP adapter,...

CVSS 7.5, AI score 6.8, EPSS 0.00257
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2026/04/02 3:42 p.m., 6 views

Security Bulletin: IBM Langflow Desktop Symlink Validation Bypass

Summary tar-fs is used by IBM Langflow Desktop as part of its archive extraction and file handling functionality through Node.js dependencies. A vulnerability in tar-fs affects how symbolic links are validated during extraction, allowing a crafted tarball to bypass symlink protections when the...

CVSS 8.7, AI score 6.6, EPSS 0.00033
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/04/02 3:09 p.m., 1 view

Security Bulletin: Inefficient Regex Complexity Vulnerability in brace-expansion Library (CVE-style Security Advisory), affects watsonx.data

Summary A vulnerability in the brace-expansion library versions up to 1.1.11, 2.0.1, 3.0.0, and 4.0.0 affects the expand function, allowing specially crafted input to trigger inefficient regular expression processing. This can lead to excessive CPU usage ReDoS, potentially degrading performance...

CVSS 3.1, AI score 4.6, EPSS 0.00092
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/04/02 3:36 a.m., 6 views

Security Bulletin: Singlestore DB with IBM is affected by Multiple Vulnerabilities.

Summary Multiple Vulnerabilities found in Singlestore DB with IBM SingleStore Self-Managed Enterprise with IBM and SingleStore Self-Managed Standard with IBM in Version 8.9.46. It's been addressed in 8.9.47. Hence, IBM strongly recommends upgrading to 8.9.47. Vulnerability Details Refer to the...

AI score 5.8
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/04/01 9:03 p.m., 2 views

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is affected by a privilege escalation vulnerability (CVE-2025-14915)

Summary IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is affected by a privilege escalation vulnerability with the restConnector-1.0 or restConnector-2.0 feature enabled. Vulnerability Details Refer to the security bulletins listed in the...

CVSS 7.2, AI score 5.9, EPSS 0.00013
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/04/01 8:59 p.m., 3 views

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is affected by a vulnerability that could provide weaker than expected security (CVE-2025-14917)

Summary IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is affected by a vulnerability that could provide weaker than expected security when administering security settings with the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0, appSecurity-4.0 ...

CVSS 9.8, AI score 5.9, EPSS 0.00014
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/04/01 8:58 p.m., 1 view

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM Enterprise Application Runtimes, is affected by a privilege escalation vulnerability (CVE-2025-14915)

Summary IBM WebSphere Application Server Liberty, which is bundled with IBM Enterprise Application Runtimes, is affected by a privilege escalation vulnerability with the restConnector-1.0 or restConnector-2.0 feature enabled. Vulnerability Details Refer to the security bulletins listed in the...

CVSS 7.2, AI score 5.9, EPSS 0.00013
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/04/01 8:56 p.m., 3 views

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is affected by a privilege escalation vulnerability (CVE-2025-14915)

Summary IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is affected by a privilege escalation vulnerability with the restConnector-1.0 or restConnector-2.0 feature enabled. Vulnerability Details Refer to the security bulletins listed in the...

CVSS 7.2, AI score 5.9, EPSS 0.00013
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/04/01 8:53 p.m., 2 views

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is affected by a vulnerability that could provide weaker than expected security (CVE-2025-14917)

Summary IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is affected by a vulnerability that could provide weaker than expected security when administering security settings with the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0, appSecurity-4.0 or...

CVSS 9.8, AI score 5.9, EPSS 0.00014
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/04/01 8:51 p.m., 2 views

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM Enterprise Application Runtimes, is affected by a vulnerability that could provide weaker than expected security (CVE-2025-14917)

Summary IBM WebSphere Application Server Liberty, which is bundled with IBM Enterprise Application Runtimes, is affected by a security vulnerability that could provide weaker than expected security when administering security settings with the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0,...

CVSS 9.8, AI score 5.9, EPSS 0.00014
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/04/01 8:50 p.m., 2 views

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM Enterprise Application Runtimes, is affected by a server-side request forgery vulnerability (CVE-2026-1561)

Summary IBM WebSphere Application Server Liberty, which is bundled with IBM Enterprise Application Runtimes, is affected by a server-side request forgery vulnerability with the samlWeb-2.0 feature enabled. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes secti...

CVSS 5.4, AI score 5.9, EPSS 0.00042
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/04/01 8:47 p.m., 3 views

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is affected by a server-side request forgery vulnerability (CVE-2026-1561)

Summary IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is affected by a server-side request forgery vulnerability with the samlWeb-2.0 feature enabled. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section...

CVSS 5.4, AI score 5.9, EPSS 0.00042
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/04/01 8:44 p.m., 3 views

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is affected by a server-side request forgery vulnerability (CVE-2026-1561)

Summary IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is affected by a server-side request forgery vulnerability with the samlWeb-2.0 feature enabled. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section...

CVSS 5.4, AI score 5.9, EPSS 0.00042
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/04/01 7:09 p.m., 5 views

Security Bulletin: IBM Maximo Application Suite was vulnerable to CVE-2026-4820 because Cookie ltpatoken2_<workspace_name> was not set with secure flag

Summary IBM Maximo Application Suite was vulnerable to CVE-2026-4820 because Cookie ltpatoken2 was not set with secure flag Vulnerability Details CVEID:CVE-2026-4820 DESCRIPTION: IBM Maximo Application Suite does not set the secure attribute on authorization tokens or session cookies. Attackers m...

CVSS 4.3, AI score 5.8, EPSS 0.00013
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/04/01 6:08 p.m., 6 views

Security Bulletin: IBM HTTP Server is affected by multiple vulnerabilities due to libexpat (CVE-2026-32776, CVE-2026-32777, CVE-2026-32778)

Summary IBM HTTP Server used by IBM WebSphere Application Server is affected by multiple vulnerabilities due to libexpat. Vulnerability Details CVEID:CVE-2026-32776 DESCRIPTION: libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content. CWE:CWE-476: NULL...

CVSS 5.5, AI score 5.9, EPSS 0.00006
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2026/04/01 4:36 p.m., 6 views

Security Bulletin: Vulnerabilities in Linux Kernel, MongoDB and Tomcat affect IBM Spectrum Protect Plus

Summary IBM Spectrum Protect Plus can be affected by vulnerabilities in MongoDB, Tomcat and Linux. Vulnerabilities include obtaining sensitive information, causing a denial of service condition, the elevation of privileges, remote execution of arbitrary code and bypassing security restrictions, a...

CVSS 9.8, AI score 7.2, EPSS 0.21066
Exploits: 8, Affected Software: 1

IBM Security Bulletins
added 2026/04/01 3:31 p.m., 8 views

Security Bulletin: IBM Financial Transaction Manager is impacted by multiple vulnerabilities in RedHat Proxy for Kubernetes RBAC authorization

Summary IBM Financial Transaction Manager for RedHat OpenShift has addressed the following vulnerabilities. Vulnerability Details CVEID:CVE-2025-47907 DESCRIPTION: Cancelling a query e.g. by cancelling the context passed to one of the query methods during a call to the Scan method of the returned...

CVSS 7.5, AI score 7.2, EPSS 0.00073
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2026/04/01 10:35 a.m., 3 views

Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by improper handling of Windows device names due to Werkzeug

Summary Werkzeug is used by IBM Cloud Pak for Data System 1.0 as a WSGI web application library. CVE-2025-66221 affects Werkzeug's handling of Windows device names, which could lead to improper resource handling and potential availability impact on Windows systems. This vulnerability relates to t...

CVSS 6.3, AI score 6.9, EPSS 0.00032
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/04/01 10:31 a.m., 4 views

Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by multiple vulnerabilities due to urllib3

Summary The urllib3 library is used by IBM Cloud Pak for Data System 1.0 to provide HTTP client functionality for Python applications. Multiple vulnerabilities affect urllib3. CVE-2025-66418 involves allocation of resources without limits or throttling, which could lead to resource exhaustion...

CVSS 8.9, AI score 6.9, EPSS 0.00019
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/04/01 10:28 a.m., 1 view

Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by improper handling of Windows device names due to Werkzeug

Summary Werkzeug is used by IBM Cloud Pak for Data System 1.0 as a WSGI web application library. CVE-2026-21860 affects Werkzeug's handling of Windows device names, which could lead to improper resource handling and potential availability impact on Windows systems. This vulnerability relates to t...

CVSS 6.3, AI score 5.8, EPSS 0.00034
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/04/01 10:11 a.m., 3 views

Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by multiple vulnerabilities due to urllib3

Summary The urllib3 library is used by IBM Cloud Pak for Data System 1.0 to provide HTTP client functionality for Python applications. Multiple vulnerabilities affect urllib3. CVE-2025-66418 involves allocation of resources without limits or throttling. CVE-2025-66471 and CVE-2026-21441 both rela...

CVSS 8.9, AI score 6.9, EPSS 0.00019
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/04/01 10:08 a.m., 2 views

Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by multiple vulnerabilities due to Werkzeug

Summary Werkzeug is used by IBM Cloud Pak for Data System 1.0 as a WSGI web application library. Multiple vulnerabilities affect Werkzeug. CVE-2024-49767 involves a resource exhaustion vulnerability in the multipart/form-data parser where a specifically crafted form submission can cause the parse...

CVSS 7.5, AI score 7.2, EPSS 0.01392
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/04/01 10:03 a.m., 2 views

Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by arbitrary code execution due to Jinja2

Summary Jinja2 is used by IBM Cloud Pak for Data System 1.0 as a template engine for generating dynamic content. CVE-2025-27516 affects Jinja2's sandboxed environment where an oversight in how the |attr filter interacts with the sandbox allows an attacker who controls template content to execute...

CVSS 8.8, AI score 6.2, EPSS 0.00121
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/04/01 10:00 a.m., 2 views

Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by open redirect vulnerabilities due to urllib3

Summary The urllib3 library is used by IBM Cloud Pak for Data System 1.0 to provide HTTP client functionality for Python applications. Multiple open redirect vulnerabilities affect urllib3. CVE-2025-50182 relates to urllib3 not controlling redirects when used in Pyodide runtime with JavaScript...

CVSS 6.1, AI score 6.9, EPSS 0.00079
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2026/04/01 9:58 a.m., 5 views

Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by credential disclosure due to Python Requests library

Summary The Python Requests library is used by IBM Cloud Pak for Data System 1.0 to handle HTTP communications. CVE-2024-47081 affects Requests due to a URL parsing issue that may leak .netrc credentials to third parties when processing maliciously-crafted URLs. This vulnerability could result in...

CVSS 5.3, AI score 7, EPSS 0.00208
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2026/04/01 9:55 a.m., 4 views

Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by multiple vulnerabilities due to Flask-Cors

Summary Flask-Cors is used by IBM Cloud Pak for Data System to handle Cross-Origin Resource Sharing CORS for web applications. Multiple vulnerabilities affect Flask-Cors path matching functionality. CVE-2024-6866 involves case-insensitive path matching that can allow unauthorized origins to acces...

CVSS 7.5, AI score 5.8, EPSS 0.00474
Exploits: 3, Affected Software: 1

IBM Security Bulletins
added 2026/04/01 9:46 a.m., 4 views

Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by denial of service due to Python cryptography package

Summary The Python cryptography package is used by IBM Cloud Pak for Data System to provide cryptographic functionality. CVE-2024-0727 affects the underlying OpenSSL library used by the cryptography package. Processing a maliciously formatted PKCS12 file may cause a NULL pointer dereference in...

CVSS 5.5, AI score 6.7, EPSS 0.00208
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/04/01 9:38 a.m., 1 view

Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by improper validation due to Eclipse Jetty.

Summary Eclipse Jetty is used by IBM Cloud Pak for Data System CPDS as part of its web server infrastructure. CVE-2024-6763 affects Eclipse Jetty's HttpURI class, which performs insufficient validation on the authority segment of a URI. This could potentially lead to open redirect attacks or...

CVSS 5.3, AI score 7.1, EPSS 0.01189
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2026/04/01 7:22 a.m., 9 views

Security Bulletin: IBM Maximo Application Suite - IoT Component uses multiple third party dependencies which is vulnerable to multiple CVEs.

Summary IBM Maximo Application Suite - IoT Component uses assertj-core-3.27.6.jar, minimatch-3.1.2.tgz, flask-3.1.2-py3-none-any.whl and werkzeug-3.1.5-py3-none-any.whl third party dependencies which are vulnerable to CVE-2026-24400, CVE-2026-26996, CVE-2026-27205 and CVE-2026-27199. This bulletin...

CVSS 9.1, AI score 5.8, EPSS 0.00029
Exploits: 2, Affected Software: 1

IBM Security Bulletins
added 2026/04/01 6:28 a.m., 3 views

Security Bulletin: IBM Content Navigator uses Apache Commons Collections resulting in multiple CVEs

Summary IBM Content Navigator is affected by CVE-2015-4852, a Deserialization of Untrusted Data vulnerability CWE-502 in Apache Commons Collections, originally identified in Oracle WebLogic Server. A remote attacker could exploit this vulnerability by sending a crafted serialized Java object over...

CVSS 10, AI score 7.8, EPSS 0.92947
Exploits: 26, Affected Software: 1

IBM Security Bulletins
added 2026/04/01 6:00 a.m., 6 views

Security Bulletin: Multiple Vulnerabilities for EDB Cloudpack for Data CP4D 5.3.1

Summary Security Bulletin of Multiple Vulnerabilities from EDB Cloudpack for Data CP4D 5.3.1. IBM strongly recommends addressing the vulnerability now by upgrading to 5.3.1. Vulnerability Details CVEID:CVE-2025-58189 DESCRIPTION: When Conn.Handshake fails during ALPN negotiation the error contains...

CVSS 9.8, AI score 7.1, EPSS 0.01689
Exploits: 4, Affected Software: 1

IBM Security Bulletins
added 2026/04/01 5:06 a.m., 3 views

Security Bulletin: Multiple Vulnerabilities affect IBM Tivoli Netcool Impact

Summary Multiple vulnerabilities were addressed in IBM Tivoli Netcool Impact version 7.1.0.38 Vulnerability Details CVEID:CVE-2026-29063 DESCRIPTION: Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in...

CVSS 9.8, AI score 7, EPSS 0.00876
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2026/03/31 4:56 p.m., 8 views

Security Bulletin: Remediation of Multiple Spring Vulnerabilities in IBM Library Support for Spring

Summary Multiple Spring Vulnerabilities have been addressed in IBM Library Support for Spring Vulnerability Details CVEID:CVE-2026-22731 DESCRIPTION: Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires...

CVSS 9.1, AI score 5.8, EPSS 0.09681
Exploits: 2, Affected Software: 1

IBM Security Bulletins
added 2026/03/31 4:55 p.m., 8 views

Security Bulletin: Remediation of Multiple Spring Vulnerabilities in IBM Library Support for Spring

Summary Multiple Spring Vulnerabilities have been addressed in IBM Library Support for Spring Vulnerability Details CVEID:CVE-2026-22733 DESCRIPTION: Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires...

CVSS 9.1, AI score 5.8, EPSS 0.09681
Exploits: 2, Affected Software: 1

IBM Security Bulletins
added 2026/03/31 4:54 p.m., 6 views

Security Bulletin: Remediation of Multiple Spring Vulnerabilities in IBM Library Support for Spring

Summary Multiple Spring Vulnerabilities have been addressed in IBM Library Support for Spring Vulnerability Details CVEID:CVE-2026-22733 DESCRIPTION: Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires...

CVSS 9.1, AI score 5.8, EPSS 0.09681
Exploits: 2, Affected Software: 1

IBM Security Bulletins
added 2026/03/31 4:18 p.m., 4 views

Security Bulletin: IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

Summary Multiple components with known vulnerabilities were addressed in IBM QRadar SIEM in UP15 IF01 Vulnerability Details CVEID:CVE-2025-38129 DESCRIPTION: In the Linux kernel, the following vulnerability has been resolved: pagepool: Fix use-after-free in pagepoolrecycleinring syzbot reported a...

CVSS 7.8, AI score 5.9, EPSS 0.00063
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2026/03/31 4:18 p.m., 10 views

Security Bulletin: Multiple security vulnerabilities are addressed with IBM Process Mining 2.1.1

Summary In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Process Mining 2.1.1 Vulnerability Details CVEID:CVE-2026-22732 DESCRIPTION: When applications specify HTTP response headers for servlet applications using Spring...

CVSS 9.8, AI score 6.8, EPSS 0.01189
Exploits: 6, Affected Software: 1

IBM Security Bulletins
added 2026/03/31 3:54 p.m., 9 views

Security Bulletin: Security Vulnerabilities affect IBM Voice Gateway

Summary Security Vulnerabilities affect IBM Voice Gateway. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2026-33750 DESCRIPTION: The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and...

CVSS 8.7, AI score 6, EPSS 0.00036
Exploits: 8, Affected Software: 1

IBM Security Bulletins
added 2026/03/31 3:34 p.m., 3 views

Security Bulletin: Vulnerabilities in IBM Semeru SDK (CVE-2026-21945, CVE-2026-21933, CVE-2026-21925, CVE-2026-1188) affect Power HMC.

Summary The IBM Semeru SDK is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2026-21945 DESCRIPTION: Java SE is vulnerable to a denial of service, caused by an easily exploitable vulnerability issue that allows an remote...

CVSS 9.8, AI score 6.3, EPSS 0.00089
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/03/31 3:34 p.m., 10 views

Security Bulletin: Vulnerabilities in httpd library (CVE-2025-58098, CVE-2025-65082, CVE-2025-66200) affect Power HMC.

Summary The httpd library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2025-58098 DESCRIPTION: Apache HTTP Server 2.4.65 and earlier with Server Side Includes SSI enabled and modcgid but not modcgi passes the shell-escape...

CVSS 8.3, AI score 5.9, EPSS 0.00145
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/03/31 3:33 p.m., 7 views

Security Bulletin: Vulnerability in openssl library (CVE-2025-9230) affects Power HMC.

Summary The openssl library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2025-9230 DESCRIPTION: Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an...

CVSS 7.5, AI score 5.9, EPSS 0.00041
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/03/31 3:32 p.m., 3 views

Security Bulletin: Vulnerability in net-snmp library (CVE-2025-68615) affects Power HMC.

Summary The net-snmp library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2025-68615 DESCRIPTION: net-snmp is a SNMP application library, tools and daemon. Prior to versions 5.9.5 and 5.10.pre2, a specially crafted packet ...

CVSS 9.8, AI score 6, EPSS 0.00594
Exploits: 2, Affected Software: 1

Total number of security vulnerabilities: 34922