Security Bulletin: Multiple vulnerabilities affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition.

Summary Due to the use of IBM® Runtime Environment Java™, CICS Transaction Gateway Desktop Edition and CICS Transaction Gateway for Multiplatforms are vulnerable to multiple vulnerabilities. CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition have updated the...

Security Bulletin: ELM on Hybrid Cloud vulnerabilities addressed in 1.3.0

Summary This release addresses security vulnerabilities in application and operator images of ELM on Hybrid cloud offering. Identified vulnerabilities identified below relate to the underlying OS packages and language dependencies which impacts the product within the deployed environment. One of...

Security Bulletin: Remediation of Multiple Apache Struts Vulnerabilities in IBM Library Support for Struts

Summary Multiple Apache Struts vulnerabilities have been addressed in IBM Library Support for Struts Vulnerability Details CVEID:CVE-2025-68493 DESCRIPTION: Missing XML Validation vulnerability in Apache Struts, Apache Struts. This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache...

Security Bulletin: IBM Sterling Secure Proxy is vulnerable to bypass of Trust Restrictions due to Eclipse Jersey

Summary A race condition in Eclipse Jersey can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security settings. IBM Sterling Secure Proxy has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2025-12383 DESCRIPTION: I...

Security Bulletin: IBM Sterling Secure Proxy is vulnerable to multiple issues

Summary Multiple vulnerabilities affect IBM Sterling Secure Proxy and are addressed in the latest release and fixpack Vulnerability Details CVEID:CVE-2025-48976 DESCRIPTION: Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons...

Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to issues in IBM Semeru Runtime version 17

Summary There are vulnerabilities in IBM Semeru Runtime version 17 used by IBM Sterling Connect:Direct for Microsoft Windows. IBM Sterling Connect:Direct for Microsoft Windows has addressed the applicable CVEs CVE-2026-21945, CVE-2026-21932, CVE-2026-21933, CVE-2026-21925, CVE-2026-1188...

Security Bulletin: IBM Sterling Connect:Direct File Agent is vulnerable to multiple issues due to IBM Semeru Runtime 17

Summary There are vulnerabilities in IBM Semeru Runtime version 17 used by IBM Sterling Connect:Direct File Agent. IBM Sterling Connect:Direct File Agent has addressed the applicable CVEs CVE-2026-21945, CVE-2026-21932, CVE-2026-21933, CVE-2026-21925, CVE-2026-1188. Vulnerability Details...

Security Bulletin: IBM Maximo Application suite Visual Inspection Component back ported version 8.9.x uses components that are vulnerable to CVE-2021-31684, CVE-2023-1370, CVEID: CVE-2023-52428, CVE-2024-7254,CVE-2024-27268.

Summary IBM Maximo Application suite Visual Inspection Component back ported version 8.9.x uses components that are vulnerable to CVE-2021-31684, CVE-2023-1370, CVEID: CVE-2023-52428, CVE-2024-7254,CVE-2024-27268. This Bulletine contains information of the vulerable product version and it's...

Security Bulletin: MongoDB Enterprised Advanced affected by: Improper Handling of Length Parameter Inconsistency (CVE-2025-14847)

Summary There is a vulnerability in MongoDB Server used in MongoDB Enterprised Advanced for IBM, involving CVE-2025-14847. The vulnerability has been addressed. Vulnerability Details CVEID:CVE-2025-14847 DESCRIPTION: Mismatched length fields in Zlib compressed protocol headers may allow a read of...

Security Bulletin: Multiple vulnerabilities in IBM Aspera Faspex

Summary Multiple vulnerabilities were addressed in IBM Aspera Faspex version 5.0.15 Vulnerability Details CVEID:CVE-2026-22860 DESCRIPTION: Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, Rack::Directory’s path check used a string prefix match on the...

Security Bulletin: IBM Planning Analytics Advanced Certified Containers is vulnerable to a sensitive information disclosure vulnerability

Summary A vulnerability was addressed in IBM Planning Analytics Advanced Certified Containers. Vulnerability Details CVEID:CVE-2025-36105 DESCRIPTION: IBM Planning Analytics Advanced Certified Containers could allow a local privileged user to obtain sensitive information from environment variable...

Security Bulletin: IBM Terracotta is affected by an Apache Avro vulnerability that could allow code injection leading to access to unauthorized resources

Summary IBM Terracotta uses Apache Avro as part of Apache Parquet used within the IBM Terracotta implementation for data export and import. Vulnerability Details CVEID:CVE-2025-33042 DESCRIPTION: Improper Control of Generation of Code 'Code Injection' vulnerability in Apache Avro Java SDK when...

Security Bulletin: Multiple vulnerabilities in IBM Java SDK (January 2026) affect IBM InfoSphere Information Server

Summary There are multiple vulnerabilities in the IBM® SDK Java™ Technology Edition, Version 8 that is used by IBM InfoSphere Information Server. These issues were disclosed as part of the IBM Java SDK updates in January 2026. Vulnerability Details CVEID:CVE-2026-21945 DESCRIPTION: Java SE is...

Security Bulletin: IBM Engineering Requirements Management DOORS and DOORS Web Access is affected by multiple vulnerabilities

Summary This release addresses multiple security vulnerabilities across various components of IBM Engineering Requirements Management DOORS and DOORS Web Access product. Many vulnerabilities are rated Critical CVSS ≥ 9.0, including a Tomcat rewrite rule bypass CVE-2025-31651, Tomcat Improper...

Security Bulletin: IBM WebSphere Application Server is affected by a denial of service by IBM Master Data Management (CVE-2025-36097)

Summary IBM Master Data Management version 11.6, 12.0 and 14.0 are impacted by vulnerability in WebSphere Application Server which could create a denial of service caused by a stack-based overflow. Vulnerability Details CVEID:CVE-2025-36097 DESCRIPTION: IBM WebSphere Application Server 9.0 and...

Security Bulletin: IBM WebSphere Application Server is affected by a denial of service due to Apache Commons FileUpload used by IBM Master Data Management (CVE-2025-48976)

Summary IBM Master Data Management version 11.6, 12.0 and 14.0 are impacted by vulnerability in WebSphere Application Server which may allocate resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. Vulnerability Details...

Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Guardium Key Lifecycle Manager (SKLM/GKLM)

Summary WebSphere Application Server is shipped as a component of IBM Guardium Key Lifecycle Manager SKLM/GKLM. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed...

Security Bulletin: Multiple vulnerabilties affects IBM DB2 Data Management Console

Summary traverse-7.17.3.tgz , sshd-core-1.7.0.jar dependency packages are being used by IBM Db2 Data Management Console. This bulletin describes the upgrades necessary to address the vulnerability. Vulnerability Details CVEID:CVE-2022-45047 DESCRIPTION: Class...

Security Bulletin: Multiple vulnerabilties affects IBM DB2 Data Management Console

Summary sshd-common-2.10.0.jar, dompurify-2.2.7.tgz, derby-10.16.1.1.jar, ion-java-1.2.0.jar dependency packages are being used by IBM Db2 Data Management Console. This bulletin describes the upgrades necessary to address the vulnerability. Vulnerability Details CVEID:CVE-2024-41909 DESCRIPTION:...

Security Bulletin: Multiple security vulnerabilities have been identified in IBM Db2 shipped with IBM Guardium Key Lifecycle Manager (SKLM/GKLM)

Summary IBM Db2 is shipped as a component of IBM Guardium Key Lifecycle Manager SKLM/GKLM. Information about multiple security vulnerabilities affecting IBM Db2 has been published in security bulletins. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section...

Security Bulletin: Location Service for ESRI Component uses werkzeug-3.1.4 and urllib3-2.6.2 library which were vulnerable to CVE-2026-21860 and CVE-2026-21441 respectively

Summary Location Service for ESRI Component uses werkzeug-3.1.4 and urllib3-2.6.2 library which were vulnerable to CVE-2026-21860 and CVE-2026-21441 respectively. Vulnerability Details CVEID:CVE-2026-21441 DESCRIPTION: urllib3 is an HTTP client library for Python. urllib3's streaming API is...

Security Bulletin: Due to the use of IBM WebSphere Application Server, IBM Tivoli Network Manager (ITNM) IP Edition is affected by affected by cross-site scripting (CVE-2025-12635).

Summary WebSphere Application Server, used by IBM Tivoli Network Manager ITNM IP Edition, is affected by cross-site scripting. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Products| Versions ---|--- IBM Tivol...

Security Bulletin: IBM Maximo Application Suite - Manage Component uses eslint-9.17.0 in map-application which is vulnerable to CVE-2025-50537

Summary IBM Maximo Application Suite - Manage Component uses eslint-9.17.0 in map-application which is vulnerable to CVE-2025-50537. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2025-50537 DESCRIPTION: Stack overflow vulnerability...

Security Bulletin: InfoSphere Data Architect 9.2.1

Summary Multiple Vulnerabilites has been fixed. IBM strongly recommends addressing the vulnerability now by upgrading to release 9.2.1 Vulnerability Details CVEID:CVE-2022-46363 DESCRIPTION: A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote...

Security Bulletin: InfoSphere Data Architect 9.2.1

Summary Multiple Vulnerabilites has been fixed. IBM strongly recommends addressing the vulnerability now by upgrading to release 9.2.1 Vulnerability Details CVEID:CVE-2022-40609 DESCRIPTION: IBM SDK, Java Technology Edition 7.1.5.18 and 8.0.8.0 could allow a remote attacker to execute arbitrary...

Security Bulletin: IBM Data Studio client - CVE-2023-30441

Summary IBM Java versions 8.0.7.0 - 8.0.7.11 are vulnerable to crypto attacks - Has been fixed in IBM Data Studio client 4.2.0. IBM strongly recommends addressing the vulnerability now by upgrading to release 4.2.0 Vulnerability Details CVEID:CVE-2023-30441 DESCRIPTION: IBM Runtime Environment,...

Security Bulletin: Vulnerability in openssl and openssl-libs affects IBM Db2 Data Management Console .

Summary openssl and openssl-libs open source library is used by IBM Db2 Data Management Console . This bulletin describes the upgrades necessary to address the vulnerability. Vulnerability Details CVEID:CVE-2023-0286 DESCRIPTION: There is a type confusion vulnerability relating to X.400 address...

Security Bulletin: Due to use of apache.felix.webconsole, IBM webMethods BPM is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability

Summary IBM webMethods BPM is using apache.felix.webconsole. Vulnerability Details CVEID:CVE-2025-25247 DESCRIPTION: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Apache Felix Webconsole. This issue affects Apache Felix Webconsole 4.x up to...

Security Bulletin: Security vulnerabilities found in the Red Hat Universal Minimal Base Image shipped with CICS Transaction Gateway for Multiplatforms

Summary Security vulnerabilities found in the Red Hat Universal Base Image Minimal shipped with CICS Transaction Gateway for Multiplatforms. This fix resolves these vulnerability CVE-2025-9230, CVE-2025-9086, CVE-2025-9230. Vulnerability Details CVEID:CVE-2025-11083 DESCRIPTION: A vulnerability h...

Security Bulletin: IBM webMethods BPM is vulnerable to a denial of service due to ant

Summary Ant is used by IBM webMethods BPM for internal build and deployment operations. Vulnerability Details CVEID:CVE-2012-2098 DESCRIPTION: Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream BZip2CompressorOutputStream in Apache Commons Compress before...

Security Bulletin: IBM webMethods BPM is vulnerable to a denial of service due to jetty-server

Summary IBM webMethods BPM uses jetty-server as a transitive dependency brought in by the WebMethods Integration Server is-server dependency. The Integration Server runtime uses Jetty internally for its web server infrastructure. Vulnerability Details CVEID:CVE-2024-8184 DESCRIPTION: There exists...

Security Bulletin: IBM Sterling Control Center is affected by vulnerabilities in log4j-core (CVE-2025-68161)

Summary IBM Sterling Control Center is affected by a vulnerability CVE-2025-68161 of log4j-core-2.17.1.jar. Vulnerability Details CVEID:CVE-2025-68161 DESCRIPTION: The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer...

Security Bulletin: IBM OpenPages for Cloud Pak for Data is Vulnerable to Eclipse Jersey Race Condition (CVE-2025-12383)

Summary IBM OpenPages for Cloud Pak for Data is Vulnerable to jersey-client-3.1.9.jar. Race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security settings Vulnerability Details CVEID:CVE-2025-12383 DESCRIPTION: In...

Security Bulletin: IBM Maximo Application Suite - IoT Component uses multiple third party dependencies which are vulnerable to CVEs.

Summary IBM Maximo Application Suite - IoT Component uses "lz4-java-1.8.0.jar, werkzeug-3.1.3-py3-none-any.whl, urllib3-2.3.0-py3-none-any.whl, urllib3-2.6.0-py3-none-any.whl, urllib3-2.6.2-py3-none-any.whl, pyasn1-0.6.1.tar.gz, github.com/opencontainers/runc v1.1.13,...

Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to a partial denial of service and a JNI function returning incorrect value length due to multiple vulnerabilities.

Summary IBM® SDK Java™ Technology Edition and IBM® Runtime Environment Java™ used by IBM i are vulnerable to an unauthenticated attacker performing a partial denial of service partial DOS CVE-2024-21208, CVE-2024-21217 and JNI function GetStringUTFLength returning incorrect value length when...

Security Bulletin: IBM Event Processing is vulnerable to unauthorized access to hidden files and stored cross-site scripting (XSS) (CVE-2025-11965, CVE-2025-11966)

Summary IBM Event Processing is vulnerable to unauthorized access to hidden files and stored cross-site scripting XSS when using Eclipse Vert.x. Vulnerability Details CVEID:CVE-2025-11965 DESCRIPTION: In Eclipse Vert.x versions 4.0.0, 4.5.21 and 5.0.0, 5.0.4, a StaticHandler configuration for...

Security Bulletin: Cross-Site Scripting (XSS) Vulnerability in serialize-javascript Due to Improper Input Sanitization affects watsonx.data

Summary A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when...

Security Bulletin: Source Code Exposure Vulnerability in webpack-dev-server (Fixed in Version 5.2.1) affects watsonx.data

Summary webpack-dev-server versions prior to 5.2.1 are vulnerable to source code exposure when users visit a malicious website. Due to classic script requests not being restricted by the same-origin policy, an attacker who knows the dev server port and entry script path can inject a script, acces...

Security Bulletin: SMTP Command Injection Vulnerability in Netty SMTP Codec (Fixed in 4.1.129.Final and 4.2.8.Final) affect IBM watsonx.data

Summary Netty versions prior to 4.1.129.Final and 4.2.8.Final contains an SMTP command injection vulnerability in its SMTP codec due to improper CRLF validation. Attackers who control SMTP parameters can inject arbitrary commands, potentially forging emails that pass SPF and DKIM checks. Upgradin...

Security Bulletin: Multiple vulnerabilities affect IBM Db2® on Cloud Pak for Data, and Db2 Warehouse on Cloud Pak for Data

Summary IBM has released the below fix for IBM Db2® on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data in response to multiple vulnerabilities found in multiple components. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details...

Security Bulletin: SPSS Collaboration and Deployment Services is affected by multiple vulnerabilities in IBM WebSphere Application Server Liberty

Summary SPSS Collaboration and Deployment Services is affected by multiple vulnerabilities in IBM WebSphere Application Server Liberty CVE-2025-12635, CVE-2025-14914. This has been addressed in the remediation section. Vulnerability Details CVEID:CVE-2025-12635 DESCRIPTION: IBM WebSphere...

Security Bulletin: Multiple Vulnerabilities in Lenovo XCC affect IBM Cloud Pak System

Summary Multiple Vulnerabilities in Lenovo XCC affect IBM Cloud Pak System. Vulnerabilities were addressed in IBM Cloud Pak System v2.3.6.1. Vulnerability Details CVEID:CVE-2023-20599 DESCRIPTION: Improper register access control in ASP may allow a privileged attacker to perform unauthorized acce...

Security Bulletin: IBM Event Streams is vulnerable to proxy bypass

Summary IBM Event Streams is vulnerable to proxy bypass due to improper handling of IPv6 zoneID CVE-2025-22870 Vulnerability Details CVEID:CVE-2025-22870 DESCRIPTION: Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NOPRO...

Security Bulletin: IBM Event Streams is vulnerable to improper access control

Summary IBM Event Streams is vulnerable to improper access control leading to potential classloader access in Apache Commons BeanUtils CVE-2025-48734 Vulnerability Details CVEID:CVE-2025-48734 DESCRIPTION: Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class w...

Security Bulletin: IBM Transformation Extender Advanced is affected by a IBM WebSphere Application Server Liberty vulnerability

Summary IBM Transformation Extender Advanced, also known as IBM Standards Processing Engine, is vulnerable to IBM WebSphere Application Server Liberty's remote code execution vulnerability CVE-2025-14914 Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section...

Security Bulletin: InfoSphere Data Architect (IDA) 9.2.1 Vulnerability Fixes.

Summary This is the Summary of the Vulnerabilities reported in - InfoSphere Data Architect IDA 9.2.1 Vulnerability Details CVEID:CVE-2022-38398 DESCRIPTION: Server-Side Request Forgery SSRF vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This...

Security Bulletin: Vulnerabilities in MongoDB Server might affect IBM Storage Defender Copy Data Management

Summary IBM Storage Defender Copy Data Management can be affected by vulnerabilities in Zlib which use by MongoDB server. Vulnerability include mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client as described by t...

Security Bulletin: IBM Event Endpoint Management is vulnerable to unauthorized access

Summary IBM Event Endpoint Management is vulnerable to unauthorized access due to improper restriction of hidden directories CVE-2025-11965 Vulnerability Details CVEID:CVE-2025-11965 DESCRIPTION: In Eclipse Vert.x versions 4.0.0, 4.5.21 and 5.0.0, 5.0.4, a StaticHandler configuration for...

Security Bulletin: IBM Event Streams is vulnerable to a denial of service

Summary IBM Event Streams is vulnerable to a denial of service due to inefficient handling of slow SSH key exchanges CVE-2025-22869 Vulnerability Details CVEID:CVE-2025-22869 DESCRIPTION: SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients...

Security Bulletin: IBM Event Streams is vulnerable to unintended response header modification

Summary IBM Event Streams is vulnerable to unintended response header modification due to a flaw in the on-headers module CVE-2025-7339 Vulnerability Details CVEID:CVE-2025-7339 DESCRIPTION: on-headers is a node.js middleware for listening to when a response writes headers. A bug in on-headers...