Security Bulletin: IBM SPSS Modeler is affected by multiple vulnerabilities disclosed in IBM Semeru Runtime.

Summary IBM SPSS Modeler is affected by multiple vulnerabilities disclosed in IBM Semeru Runtime CVE-2026-21945, CVE-2026-21933, CVE-2026-21932, CVE-2026-21925, CVE-2026-1188. This has been addressed in the remediation section. Vulnerability Details CVEID:CVE-2026-21945 DESCRIPTION: Java SE is...

Security Bulletin: IBM Operational Decision Manager for March 2026 - Multiple CVEs addressed

Summary IBM Operational Decision Manager is vulnerable to multiple remote code execution and denial of service attacks in third party and open source used in the product for various functions. See full list below. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2025-41254...

Security Bulletin: Multiple Security vulnerabilities affecting IBM Knowledge Catalog Standard Cartridge

Summary Multiple security vulnerabilities impacting IBM Knowledge Catalog Standard Cartridge. These vulnerabilities had been addressed and customers should update to the recommended version of the product at the earliest opportunity. Vulnerability Details CVEID:CVE-2025-36187 DESCRIPTION: IBM...

Security Bulletin: IBM InfoSphere Information Server is vulnerable to HTTP header injection (CVE-2025-14807)

Summary A HTTP header injection vulnerability in IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2025-14807 DESCRIPTION: IBM InfoSphere Information Server is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This coul...

Security Bulletin: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty, are bundled with WebSphere Remote Server, are affected by a denial of service due to jose4j (CVE-2024-29371)

Summary IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are shipped with IBM WebSphere Remote Server. Information about a security vulnerability affecting IBM WebSphere Application Server and IBM WebSphere Application Server Liberty has been published in a security...

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Jan 2026 CPU (CVE-2026-21945, CVE-2026-21932, CVE-2026-21933, CVE-2026-21925)

Summary There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 8 used by IBM Tivoli System Automation for Multiplatforms. Vulnerability Details CVEID:CVE-2026-21945 DESCRIPTION: Java SE is vulnerable to a denial of service, caused by an easily exploitable vulnerability iss...

Security Bulletin: Vulnerability in AIOHTTP bundled with IBM Fusion Content-Aware Storage.

Summary IBM Fusion Content-Aware Storage includes AIOHTTP which could allow DoS, request smuggling, logging storm attacks. The target service within Content-Aware Storage is vLLM, and this service is accessible only on the private network within kubernetes, and requires this private network acces...

Security Bulletin: IBM DevOps Build addresses multiple vulnerabilities.

Summary IBM DevOps Build 7.1.0.3 addresses multiple vulnerabilities. Vulnerability Details CVEID:CVE-2025-67735 DESCRIPTION: Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the io.netty.handler.codec.http.HttpRequestEncoder...

Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance are vulnerable to denial of service (CVE-2026-32874, CVE-2026-32875)

Summary Python module UltraJSON is used by IBM App Connect Enterprise Certified Container by the mapping assistance component. IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance are vulnerable to denial of service. This bulletin provides patch...

Security Bulletin: IBM Engineering Test Management is affected by IBM WebSphere Application Server and Liberty are affected by SMTP injection(CVE-2025-7962)

Summary IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is affected by an SMTP injection vulnerability in the Jakarta Mail library. Following IBM® Engineering Lifecycle Management products are vulnerable to this attack, and addressed in this bulletin: IBM...

Security Bulletin: IBM Maximo Application Suite - Monitor Component uses Log Forging which is vulnerable to CVE-2025-14684.

Summary IBM Maximo Application Suite - Monitor Component uses Log Forging which is vulnerable to CVE-2025-14684. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2025-14684 DESCRIPTION: IBM Maximo Application Suite - Monitor Component could allow an...

Security Bulletin: IBM SPSS Analytic Server is affected by multiple vulnerabilities in IBM WebSphere Application Server Liberty (CVE-2025-14914, CVE-2025-12635)

Summary IBM SPSS Analytic Server is affected by multiple vulnerabilities in IBM WebSphere Application Server Liberty CVE-2025-14914, CVE-2025-12635. This has been addressed in the remediation section. Vulnerability Details CVEID:CVE-2025-14914 DESCRIPTION: IBM WebSphere Application Server Liberty...

Security Bulletin: Multiple vulnerabilities in IBM Watsonx BI Assistant for CP4D

Summary Multiple vulnerabilities were addressed in IBM Watsonx BI Assistant for CP4D version 5.3.1.2 Vulnerability Details CVEID:CVE-2026-26278 DESCRIPTION: fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no...

Security Bulletin: IBM InfoSphere Information Server is vulnerable due to information exposure (CVE-2026-2484)

Summary An information exposure vulnerability was addressed in IBM InfoSphere Information Server. Vulnerability Details CVEID:CVE-2026-2484 DESCRIPTION: InfoSphere Information Server is affected by an information exposure vulnerability caused by overly verbose error messages. CWE:CWE-209:...

Security Bulletin: IBM InfoSphere Information Server is vulnerable to stored cross-site scripting (CVE-2026-2485)

Summary A stored cross-site scripting vulnerability was addressed in IBM InfoSphere Information Server. Vulnerability Details CVEID:CVE-2026-2485 DESCRIPTION: Infosphere Information Server is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary...

Security Bulletin: IBM InfoSphere Information Server is vulnerable to cross-site scripting (CVE-2026-2483)

Summary A cross-site scripting vulnerability was addressed in IBM InfoSphere Information Server. Vulnerability Details CVEID:CVE-2026-2483 DESCRIPTION: InfoSphere Information Server is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the We...

Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in AssertJ (CVE-2026-24400)

Summary A vulnerability in AssertJ that is used by InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2026-24400 DESCRIPTION: AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine JVM. Starting in version 1.4.0 and prior to version 3.27.7, an X...

Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in Undertow

Summary Multiple vulnerabilities in Undertow that is used by InfoSphere Information Server were addressed. Vulnerability Details CVEID:CVE-2024-3884 DESCRIPTION: A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the...

Security Bulletin: IBM InfoSphere Information Server is affected by an information disclosure vulnerability (CVE-2026-1262)

Summary An information disclosure vulnerability in IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2026-1262 DESCRIPTION: IBM InfoSphere Information Server is affected by an information disclosure vulnerability. CWE:CWE-209: Generation of Error Message Containing...

Security Bulletin: IBM InfoSphere Information Server is vulnerable to server-side request forgery (CVE-2026-1015)

Summary A server-side request forgery vulnerability was addressed in IBM InfoSphere Information Server. Vulnerability Details CVEID:CVE-2026-1015 DESCRIPTION: InfoSphere Information Server is vulnerable to server-side request forgery SSRF. This may allow an authenticated attacker to send...

Security Bulletin: IBM InfoSphere Information Server is vulnerable due to disclosure of sensitive information (CVE-2026-1014)

Summary A sensitive information disclosure vulnerability in IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2026-1014 DESCRIPTION: IBM InfoSphere Information Server is vulnerable to exposure of sensitive information via JSON server response manipulation...

Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in qs (parse modules) (CVE-2025-15284)

Summary A vulnerability in qs parse modules that is used by InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2025-15284 DESCRIPTION: Improper Input Validation vulnerability in qs parse modules allows HTTP DoS.This issue affects qs: 6.14.1. Summary The arrayLimit option...

Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Apache Log4j (CVE-2025-68161)

Summary A vulnerability in Apache Log4j that is used by InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2025-68161 DESCRIPTION: The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificat...

Security Bulletin: IBM InfoSphere Information Server is vulnerable due to Insecure Direct Object Reference (CVE-2025-14974)

Summary A vulnerability due to Insecure Direct Object Reference in IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2025-14974 DESCRIPTION: IBM InfoSphere Information Server is vulnerable due to Insecure Direct Object Reference IDOR. CWE:CWE-639: Authorization Bypa...

Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in React (CVE-2018-6341)

Summary A vulnerability in React that is used by IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2018-6341 DESCRIPTION: React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack...

Security Bulletin: IBM InfoSphere Information Server is vulnerable to server-side request forgery (CVE-2025-14912)

Summary A server-side request forgery vulnerability in IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2025-14912 DESCRIPTION: IBM InfoSphere Information Server is vulnerable to server-side request forgery SSRF. This may allow an authenticated attacker to send...

Security Bulletin: IBM Security QRadar Log Management AQL Plugin is vulnerable to using components with known vulnerabilities

Summary The product includes vulnerable components e.g., framework libraries that could be identified and exploited with automated tools. IBM Security QRadar Log Management AQL Plugin has addressed the applicable CVEs in an update. Vulnerability Details CVEID:CVE-2025-7783 DESCRIPTION: Use of...

Security Bulletin: The Network Threat Analytics App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

Summary The product includes vulnerable components e.g., framework libraries that could be identified and exploited with automated tools. Network Threat Analytics App for IBM QRadar SIEM has addressed the applicable CVEs in an update. Vulnerability Details CVEID:CVE-2023-2454 DESCRIPTION:...

Security Bulletin: IBM InfoSphere Information Server is vulnerable due to insufficient session expiration (CVE-2025-14810)

Summary A vulnerability due to insufficient session expiration in IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2025-14810 DESCRIPTION: InfoSphere Information Server does not invalidate a session after privileges have been modified which could allow an...

Security Bulletin: IBM InfoSphere Information Server is vulnerable due to disclosure of sensitive information (CVE-2025-14808)

Summary A sensitive information disclosure vulnerability in IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2025-14808 DESCRIPTION: InfoSphere Information Server could allow an attacker to obtain sensitive information from the query string of an HTTP GET method to...

Security Bulletin: IBM InfoSphere Information Server is vulnerable to disclosure of sensitive information (CVE-2025-14790)

Summary A sensitive information disclosure vulnerability in IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2025-14790 DESCRIPTION: IBM InfoSphere Information Server could allow an attacker to obtain sensitive information due to insufficiently protected credential...

Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in IBM WebSphere Application Server Liberty (CVE-2025-12635)

Summary A vulnerability in IBM WebSphere Application Server Liberty that is used by IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2025-12635 DESCRIPTION: IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through...

Security Bulletin: IBM InfoSphere Information Server is vulnerable to cross-site request forgery (CVE-2025-36422)

Summary A cross-site request forgery vulnerability was addressed in IBM InfoSphere Information Server. Vulnerability Details CVEID:CVE-2025-36422 DESCRIPTION: IBM InfoSphere DataStage Flow Designer is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and...

Security Bulletin: IBM InfoSphere Information Server is vulnerable due to plaintext storage of a password (CVE-2025-36258)

Summary A vulnerability due to plaintext storage of a password was addressed in IBM InfoSphere Information Server. Vulnerability Details CVEID:CVE-2025-36258 DESCRIPTION: IBM InfoSphere Information Server product stores user credentials and other sensitive information in plain text which can be...

Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Apache Commons Lang (CVE-2025-48924)

Summary A vulnerability in Apache Commons Lang that is used by IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2025-48924 DESCRIPTION: Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with...

Security Bulletin: IBM WebSphere Application Server Liberty is affected by a prototype pollution vulnerability due to immutable (CVE-2026-29063)

Summary There is a vulnerability in the immutable library which affects IBM WebSphere Application Server Liberty with the openapi-3.0, openapi-3.1, mpOpenAPI-1.0, mpOpenAPI-1.1, mpOpenAPI-2.0, mpOpenAPI-3.0 mpOpenAPI-3.1, mpOpenAPI-4.0 or mpOpenAPI-4.1 feature enabled. Vulnerability Details...

Security Bulletin: IBM Sterling Connect:Direct FTP+ is vulnerable to various attacks due to IBM Runtime Environment Java Technology Edition Version 17

Summary IBM Java 17 is used by IBM Sterling Connect:Direct FTP+ on AIX, Linux, and Windows platforms in product configuration and data transmission. IBM Sterling Connect:Direct FTP+ on AIX, Linux, and Windows platforms is impacted by vulnerabilities in IBM Java 17. IBM Sterling Connect:Direct FTP...

Security Bulletin: Communications Server (CS) for Data Center Deployment and CS for AIX are affected by: IBM Java: Buffer overflow vulnerability in OMR allows denial-of-service

Summary Communications Server CS for Data Center Deployment and CS for AIX install a local Java JRE in its product directories. This JRE is used solely for the IBM Key Manager ikeyman tool which is called by the snakeyman script used for managing the SSL key database used by the TN3270 Server and...

Security Bulletin: Communications Server (CS) for Data Center Deployment, CS for Linux, and CS for Linux on System z are affected by: IBM Java: Buffer overflow vulnerability in OMR allows denial-of-service

Summary Communications Server CS for Data Center Deployment, CS for Linux, and CS for Linux on System z install a local Java JRE in its product directories. This JRE is used solely for the IBM Key Manager ikeyman tool which is called by the snakeyman script used for managing the SSL key database...

Security Bulletin: IBM Datapower Operations Dashboard could allow HTTP Parameter Pollution CVE-2025-7783

Summary form-data is used by the IBM Datapower Operations Dashboard for their streaming implementation Vulnerability Details CVEID:CVE-2025-7783 DESCRIPTION: Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution HPP. This vulnerability is associated with...

Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to handshake corruption due to the crypto/tls package (CVE-2025-68121)

Summary Crypto/tls is used as part of secure encryption by DataStage on Cloud Pak for Data. Vulnerability Details CVEID:CVE-2025-68121 DESCRIPTION: During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the...

Security Bulletin: Security vulnerabilities may affect IBM WebSphere Liberty and Expat that are shipped with IBM CICS TX Standard.

Summary Security vulnerabilities may affect IBM WebSphere Liberty and Expat that are shipped with IBM CICS TX Standard CVE-2025-14914, CVE-2022-23990, CVE-2024-28757, CVE-2025-59375 and CVE-2025-12635. IBM WebSphere Liberty and Expat have been updated within IBM CICS TX Standard to address these...

Security Bulletin: Due to the use of flatted, IBM DevOps Solution Workbench ist affected by leaking a live reference to Array.Prototype

Summary flatted is used internally within IBM DevOps Solution Workbench Vulnerability Details CVEID:CVE-2026-33228 DESCRIPTION: flatted is a circular JSON parser. Prior to version 3.4.2, the parse function in flatted can use attacker-controlled string values from the parsed JSON as direct array...

Security Bulletin: IBM DevOps Release addresses multiple vulnerabilities related to Apache Tomcat.

Summary IBM DevOps Release 7.0.0.6 addresses multiple vulnerabilities related to Apache Tomcat. Vulnerability Details CVEID:CVE-2025-12383 DESCRIPTION: In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication...

Security Bulletin: A heap-based buffer overflow flaw affects CICS Transaction Gateway for Multiplatforms container (CVE-2022-0185)

Summary A heap-based buffer overflow flaw affects CICS Transaction Gateway for Multiplatforms container. CICS Transaction Gateway for Multiplatforms container has documented how to address the applicable vulnerability. Vulnerability Details CVEID:CVE-2022-0185 DESCRIPTION: A heap-based buffer...

Security Bulletin: SOAR App Host is using a component with a known vulnerability (CVE-2026-1188)

Summary IBM SOAR App Host uses an older version of the OMR component in OpenJ9 JVM that may be identified and exploited. Updates for supported versions have been released which address the issue. It is recommended to upgrade to version 1.15.7.0 Vulnerability Details CVEID:CVE-2026-1188 DESCRIPTIO...

Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses golang.org/x/crypto which is vulnerable to CVE-2025-47914, CVE-2025-58181

Summary IBM Maximo Application Suite - Visual Inspection component uses golang.org/x/crypto which is vulnerable to CVE-2025-47914, CVE-2025-58181 , This bulletin contains information regarding the vulnerability and its remediation. Vulnerability Details CVEID:CVE-2025-47914 DESCRIPTION: SSH Agent...

Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses tar-7.5.2.tgz which is vulnerable to CVE-2026-23950

Summary IBM Maximo Application Suite - Visual Inspection component uses tar-7.5.2.tgz which is vulnerable to CVE-2026-23950. This bulletin contains information regarding the vulnerability and its remediation. Vulnerability Details CVEID:CVE-2026-23950 DESCRIPTION: node-tar,a Tar for Node.js, has ...

Security Bulletin: IBM Maximo Application Suite - Predict Component was using vulnerable library werkzeug-3.1.3 which is vulnerable to CVE-2025-66221

Summary IBM Maximo Application Suite - Predict Component was using vulnerable library werkzeug-3.1.3-py3-none-any.whl which is vulnerable to CVE-2025-66221. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2025-66221 DESCRIPTION: Werkzeug is a...

Security Bulletin: IBM Maximo Application Suite - Predict Component was using vulnerable library urllib3-2.6.2 which is vulnerable to CVE-2026-21441

Summary IBM Maximo Application Suite - Predict Component was using vulnerable library urllib3-2.6.2-py3-none-any.whl which is vulnerable to CVE-2026-21441. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2026-21441 DESCRIPTION: urllib3 is an HTTP...