Security Bulletin: IBM InfoSphere Optim Archive Viewer is affected by a vulnerability in Next.js (CVE-2025-48068)

Summary A vulnerability involving cross-site WebSocket hijacking in the Next.js framework CVE-2025-48068 used by IBM InfoSphere Optim Archive Viewer has been addressed by upgrading to version 15.5.15. Vulnerability Details CVEID:CVE-2025-48068 DESCRIPTION: Next.js is a React framework for buildin...

Security Bulletin: IBM InfoSphere Optim Archive Viewer is affected by a vulnerability in Next.js (CVE-2025-57752 and CVE-2025-55173)

Summary The vulnerabilities CVE-2025-57752 Cache Key Confusion / Cache Deception and CVE-2025-55173 Content Injection / Arbitrary File Delivery in the Next.js framework have been completely resolved by upgrading the dependency from version 14.2.26 to 15.5.15. Vulnerability Details...

Security Bulletin: Multiple Vulnerabilities in IBM Aspera Enterprise WebApps

Summary Multiple Vulnerabilities Addressed in IBM Aspera Enterprise WebApps Version 1.0.3 Vulnerability Details CVEID:CVE-2026-42033 DESCRIPTION: Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any...

Security Bulletin: Multiple vulnerabilities in IBM® SDK Java™ Technology Edition shipped with IBM Tivoli Monitoring.

Summary Multiple vulnerabilities in IBM® SDK Java™ Technology Edition that is shipped as part of multiple IBM Tivoli Monitoring ITM components. CVE-2026-22016, CVE-2026-22021, CVE-2026-22013, CVE-2026-22018, CVE-2026-34268 and CVE-2026-22007 Vulnerability Details CVEID:CVE-2026-22016 DESCRIPTION:...

Security Bulletin: IBM Engineering Lifecycle Management - Jazz Foundation is vulnerable to Server Post-Auth Remote Code Execution

Summary Server Post-Auth Remote Code Execution RCE vulnerability has been identified in IBM Engineering Lifecycle Management - Jazz Foundation. Vulnerability Details CVEID:CVE-2026-4051 DESCRIPTION: IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an attacker with...

Security Bulletin: IBM Engineering Lifecycle Management - Jazz Foundation is vulnerable to Authentication Bypass

Summary Authentication bypass vulnerability has been identified in IBM Engineering Lifecycle Management - Jazz Foundation. Vulnerability Details CVEID:CVE-2026-3660 DESCRIPTION: IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an unauthenticated remote attacker to update...

Security Bulletin: IBM Engineering Lifecycle Management - Jazz Foundation is vulnerable to XML external entity injection (XXE) attack

Summary XML external entity injection XXE vulnerability has been identified in IBM Engineering Lifecycle Management - Jazz Foundation. Vulnerability Details CVEID:CVE-2026-3603 DESCRIPTION: IBM Engineering Lifecycle Management 7.0.3 Interim Fix 001 through Interim Fix 021, 7.1.0 Interim Fix 001...

Security Bulletin: Multiple Vulnerabilities in IBM Aspera Enterprise WebApps

Summary Multiple Vulnerabilities Addressed in IBM Aspera Enterprise WebApps Version 1.0.3 Vulnerability Details CVEID:CVE-2025-62718 DESCRIPTION: Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization wh...

Security Bulletin: IBM Operations Analytics - Log Analysis is affected by denial of service (DoS) due to Apache Commons FileUpload

Summary Apache Commons FileUpload in WebSphere Application Server Liberty is used by IBM Operations Analytics - Log Analysis as part of the parse and process HTTP requests for handling file uploads. CVE-2023-24998. Vulnerability Details CVEID:CVE-2023-24998 DESCRIPTION: Apache Commons FileUpload...

Security Bulletin: Multiple Vulnerabilities in IBM Edge Application Manager

Summary Multiple vulnerabilities were addressed in IBM Edge Application Manager 5.0.4 Vulnerability Details CVEID:CVE-2026-42033 DESCRIPTION: Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency...

Security Bulletin: Vulnerabilities have been identified in WebSphere Application Server shipped with WebSphere Service Registry and Repository (CVE-2026-8633 and CVE-2026-8620)

Summary WebSphere Application Server is shipped as a component of WebSphere Service Registry and Repository. Information about a remote code execution and HTTP request smuggling vulnerability affecting WebSphere Application Server Web Server Plug-ins have been published in a security bulletin...

Security Bulletin: Multiple security vulnerabilities addressed with IBM Business Automation Workflow cumulative fixes May 2026

Summary In addition to updating many operating system level packages, the following security vulnerabilities are addressed with IBM Business Automation Workflow cumulative fixes. Vulnerability Details CVEID:CVE-2025-12183 DESCRIPTION: Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and...

Security Bulletin: IBM Sterling Connect:Direct for Unix is impacted by Improper Input Validation vulnerability due to jetty-http.

Summary jetty-http is used by IBM Sterling Connect:Direct for UNIX in product configuration. IBM Sterling Connect:Direct for UNIX is impacted by Improper Input Validation vulnerability in jetty-http, CVE-2025-11143. IBM Sterling Connect:Direct for UNIX has upgraded jetty-http to address the issue...

Security Bulletin: IBM Security SOAR is using a component with a known vulnerability (CVE-2026-40175)

Summary IBM Security SOAR uses an older version of the Axios component that may be identified and exploited. Updates for supported versions have been released which address the issue. It is recommended to upgrade to version 51.0.10.0 Vulnerability Details CVEID:CVE-2026-40175 DESCRIPTION: Axios i...

Security Bulletin: Multiple Vulnerabilities in Apache Log4j Core shipped in Tivoli Netcool/OMNIbus

Summary The Netcool/Omnibus 'Administrator GUI' and 'Accelerated Event Notification GUI' desktop components use a version of Apache Log4j that contains known vulnerabilities. These vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2025-68161 DESCRIPTION: The Socket Appender in...

Security Bulletin: IBM Operational Decision Manager for April 2026 - Multiple CVEs addressed

Summary In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Operational Decision Manager Vulnerability Details CVEID:CVE-2024-29371 DESCRIPTION: In jose4j before 0.9.6, an attacker can cause a Denial-of-Service DoS conditio...

Security Bulletin: Multiple security vulnerabilities are addressed with IBM Process Mining Interim Fix for May 2026

Summary Multiple vulnerabilities were addressed in IBM Process Mining 2.1.1 IF002 Vulnerability Details CVEID:CVE-2026-41607 DESCRIPTION: Out-of-bounds Read vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which...

Security Bulletin: IBM Edge Data Collector uses uuid-8.3.2.tgz, uuid-9.0.1.tgz which is vulnerable to CVE-2026-41907

Summary IBM Edge Data Collector Component uses uuid-8.3.2.tgz, uuid-9.0.1.tgz which is vulnerable to CVE-2026-41907. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2026-41907 DESCRIPTION: uuid is for the creation of RFC9562 formerly RFC4122 UUIDs...

Security Bulletin: IBM Edge Data Collector uses axios-1.15.0.tgz which is vulnerable to CVE-2026-42264

Summary IBM Edge Data Collector Component uses axios-1.15.0.tgz which is vulnerable to CVE-2026-42264. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2026-42264 DESCRIPTION: Axios is a promise based HTTP client for the browser and Node.js. From...

Security Bulletin: IBM Edge Data Collector uses pillow-12.1.1-cp314-cp314-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl which is vulnerable to CVE-2026-40192

Summary IBM Edge Data Collector Component uses pillow-12.1.1-cp314-cp314-manylinux227x8664.manylinux228x8664.whl which is vulnerable to CVE-2026-40192. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2026-40192 DESCRIPTION: Pillow is a Python imagi...

Security Bulletin: IBM Edge Data Collector uses cryptography-46.0.5-cp311-abi3-manylinux_2_34_x86_64.whl which is vulnerable to CVE-2026-34073

Summary IBM Edge Data Collector Component uses cryptography-46.0.5-cp311-abi3-manylinux234x8664.whl which is vulnerable to CVE-2026-34073. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2026-34073 DESCRIPTION: cryptography is a package designed to...

Security Bulletin: IBM Edge Data Collector uses uuid-8.3.2.tgz, uuid-9.0.1.tgz which is vulnerable to CVE-2026-41988

Summary IBM Edge Data Collector Component uses uuid-8.3.2.tgz, uuid-9.0.1.tgz which is vulnerable to CVE-2026-41988. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2026-41988 DESCRIPTION: uuid before 14.0.0 can make unexpected writes when external...

Security Bulletin: IBM Edge Data Collector uses axios-1.15.0.tgz which is vulnerable to CVE-2026-42033, CVE-2026-42034, CVE-2026-42035

Summary IBM Edge Data Collector Component uses uuid-8.3.2.tgz, uuid-9.0.1.tgz which is vulnerable to CVE-2026-42033, CVE-2026-42034, CVE-2026-42035, CVE-2026-42036, CVE-2026-42037, CVE-2026-42038, CVE-2026-42039, CVE-2026-42040, CVE-2026-42041, CVE-2026-42042, CVE-2026-42043, CVE-2026-42044. This...

Security Bulletin: IBM Edge Data Collector uses follow-redirects-1.15.11.tgz which is vulnerable to CVE-2026-40895

Summary IBM Edge Data Collector Component uses follow-redirects-1.15.11.tgz which is vulnerable to CVE-2026-40895. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2026-40895 DESCRIPTION: follow-redirects is an open source, drop-in replacement for...

Security Bulletin: IBM Edge Data Collector uses cryptography-46.0.5-cp311-abi3-manylinux_2_34_x86_64.whl, cryptography-46.0.6-cp311-abi3-manylinux_2_34_x86_64.whl which is vulnerable to CVE-2026-34073, CVE-2026-39892

Summary IBM Edge Data Collector Component uses cryptography-46.0.5-cp311-abi3-manylinux234x8664.whl, cryptography-46.0.6-cp311-abi3-manylinux234x8664.whl which is vulnerable to CVE-2026-34073, CVE-2026-39892. This bulletin contains information addressing the vulnerability. Vulnerability Details...

Security Bulletin: IBM Edge Data Collector uses openssl-0.10.76.crate which is vulnerable to CVE-2026-41898

Summary IBM Edge Data Collector Component uses openssl-0.10.76.crate which is vulnerable to CVE-2026-41898. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2026-41898 DESCRIPTION: rust-openssl provides OpenSSL bindings for the Rust programming...

Security Bulletin: There is a vulnerability in brace-expansion-2.0.2.tgz used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2026-33750)

Summary There is a vulnerability in brace-expansion-2.0.2.tgz used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2026-33750 DESCRIPTION: The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to...

Security Bulletin: There is a vulnerability in bcprov-jdk18on-1.81.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2026-0636)

Summary There is a vulnerability in bcprov-jdk18on-1.81.jar used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2026-0636 DESCRIPTION: Improper neutralization of special elements used in an LDAP query 'LDAP injection' vulnerability in Legion of t...

Security Bulletin: There is a vulnerability in bcpkix-jdk18on-1.81.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2026-5588)

Summary There is a vulnerability in bcpkix-jdk18on-1.81.jar used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2026-5588 DESCRIPTION: Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpk...

Security Bulletin: There is a vulnerability in netty-codec-http-4.1.132.Final.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2026-41417)

Summary There is a vulnerability in netty-codec-http-4.1.132.Final.jar used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2026-41417 DESCRIPTION: Netty allows request-line validation to be bypassed when a DefaultHttpRequest or...

Security Bulletin: There is a vulnerability in protocol-buffers-schema-3.6.0.tgz used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2026-5758)

Summary There is a vulnerability in protocol-buffers-schema-3.6.0.tgz used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2026-5758 DESCRIPTION: JavaScript is vulnerable to prototype pollution in Mafintosh's protocol-buffers-schema Version 3.6.0,...

Security Bulletin: There is a vulnerability in log4j-core-2.25.3.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2026-34477, CVE-2026-34478, CVE-2026-34480)

Summary There is a vulnerability in log4j-core-2.25.3.jar used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2026-34477 DESCRIPTION: The fix for CVE-2025-68161 https://logging.apache.org/security.htmlCVE-2025-68161 was incomplete: it addressed...

Security Bulletin: There is a vulnerability in fast-uri-3.0.1.tgz used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2026-6321)

Summary There is a vulnerability in fast-uri-3.0.1.tgz used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2026-6321 DESCRIPTION: fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normali...

Security Bulletin: There is a vulnerability in log4j-core-2.25.3.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2026-34477, CVE-2026-34478, CVE-2026-34480)

Summary There is a vulnerability in log4j-core-2.25.3.jar used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2026-34477 DESCRIPTION: The fix for CVE-2025-68161 https://logging.apache.org/security.htmlCVE-2025-68161 was incomplete: it addressed...

Security Bulletin: IBM Edge Data Collector uses openssl-0.10.76.crate which is vulnerable to CVE-2026-41676, CVE-2026-41677, CVE-2026-41678, CVE-2026-41681

Summary IBM Edge Data Collector Component uses openssl-0.10.76.crate which is vulnerable to CVE-2026-41676, CVE-2026-41677, CVE-2026-41678, CVE-2026-41681. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2026-41676 DESCRIPTION: rust-openssl provide...

Security Bulletin: IBM Maximo Application Suite - Predict Component uses WebSphere Application Server Liberty was affected by cross-site scripting (CVE-2025-12635)

Summary Security Bulletin: IBM Maximo Application Suite - Predict Component uses WebSphere Application Server Liberty was affected by cross-site scripting CVE-2025-12635. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2025-12635...

Security Bulletin: IBM Maximo Application Suite - Predict Component uses WebSphere Application Server Liberty was affected by denial of service due to jose4j (CVE-2024-29371)

Summary Security Bulletin: IBM Maximo Application Suite - Predict Component uses WebSphere Application Server Liberty was affected by denial of service due to jose4j CVE-2024-29371. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details...

Security Bulletin: IBM Maximo Application Suite - Predict Component uses WebSphere Application Server Liberty was affected by identity spoofing (CVE-2026-3621)

Summary Security Bulletin: IBM Maximo Application Suite - Predict Component uses WebSphere Application Server Liberty was affected by identity spoofing CVE-2026-3621. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2026-3621...

Security Bulletin: IBM Maximo Application Suite - Predict Component uses WebSphere Application Server Liberty was affected by a prototype pollution vulnerability due to immutable (CVE-2026-29063)

Summary Security Bulletin: IBM Maximo Application Suite - Predict Component uses WebSphere Application Server Liberty was affected by prototype pollution vulnerability due to immutable CVE-2026-29063. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability...

Security Bulletin: IBM Maximo Application Suite - Predict Component uses WebSphere Application Server Liberty was affected by server-side request forgery (CVE-2026-1561)

Summary Security Bulletin: IBM Maximo Application Suite - Predict Component uses WebSphere Application Server Liberty was affected by server-side request forgery CVE-2026-1561. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2026-156...

Security Bulletin: IBM Maximo Application Suite - Predict Component uses WebSphere Application Server Liberty, that could provide weaker than expected security ( CVE-2025-14917)

Summary Security Bulletin: IBM Maximo Application Suite - Predict Component uses WebSphere Application Server Liberty, that could provide weaker than expected security CVE-2025-14917. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details...

Security Bulletin: There is a vulnerability in uuid-9.0.1.tgz used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2026-41907)

Summary There is a vulnerability in uuid-9.0.1.tgz used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2026-41907 DESCRIPTION: uuid is for the creation of RFC9562 formerly RFC4122 UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output...

Security Bulletin: There is a vulnerability in netty-codec-http-4.1.130.Final.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2026-33870)

Summary There is a vulnerability in netty-codec-http-4.1.130.Final.jar used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2026-33870 DESCRIPTION: Netty is an asynchronous, event-driven network application framework. In versions prior to...

Security Bulletin: There is a vulnerability in netty-codec-http2-4.1.130.Final.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2026-33871)

Summary There is a vulnerability in netty-codec-http2-4.1.130.Final.jar used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2026-33871 DESCRIPTION: Netty is an asynchronous, event-driven network application framework. In versions prior to...

Security Bulletin: IBM Maximo Application Suite - Predict Component uses WebSphere Application Server Liberty was affected by privilege escalation vulnerability (CVE-2025-14915)

Summary Security Bulletin: IBM Maximo Application Suite - Predict Component uses WebSphere Application Server Liberty was affected by privilege escalation vulnerability CVE-2025-14915. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details...

Security Bulletin: IBM Maximo Application Suite - Predict Component uses WebSphere Application Server Liberty, that could provide weaker than expected security (CVE-2025-14923)

Summary Security Bulletin: IBM Maximo Application Suite - Predict Component uses WebSphere Application Server Liberty ,that could provide weaker than expected security CVE-2025-14923. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details...

Security Bulletin: IBM Maximo Application Suite - Predict Component uses jackson-core-2.18.2.jar which is vulnerable to WS-2026-0003

Summary Security Bulletin: IBM Maximo Application Suite - Predict Component uses jackson-core-2.18.2.jar which is vulnerable to WS-2026-0003. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details ID:WS-2026-0003 DESCRIPTION: The non-blocking async...

Security Bulletin: There is a vulnerability in minimatch-3.0.5.tgz used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2026-27903, CVE-2026-27904)

Summary There is a vulnerability in minimatch-3.0.5.tgz used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2026-27903 DESCRIPTION: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to...

Security Bulletin: There is a vulnerability in kafka-clients-3.9.1.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2026-35554)

Summary There is a vulnerability in kafka-clients-3.9.1.jar used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2026-35554 DESCRIPTION: A race condition in the Apache Kafka Java producer client’s buffer pool management can cause messages to be...

Security Bulletin: There is a vulnerability in bcprov-jdk18on-1.81.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2025-14813)

Summary There is a vulnerability in bcprov-jdk18on-1.81.jar used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2025-14813 DESCRIPTION: : Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA...