Security Bulletin: IBM Maximo Application Suite - Maximo AI Service uses multiple third party dependencies which are vulnerable to multiple CVEs.
Summary IBM Maximo Application Suite - Maximo AI Service uses "torch-2.9.1-cp311-cp311-manylinux228x8664.whl, keras-3.12.0-py3-none-any.whl, hibernate-core-6.6.36.Final.jar" dependencies which are vulnerable to "CVE-2025-2998, CVE-2025-2999, CVE-2025-55552, CVE-2025-63396, CVE-2026-0897,...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to improper name handling in Werkzeug [CVE-2025-66221]
Summary IBM Watson Speech Services Cartridge is vulnerable to improper name handling in Werkzeug, caused by a reading issue with Werkzeug's safe_join function that allows path segments with special device names to hang indefinitely (CVE-2025-66221). Werkzeug is used in our service runtimes. This...
Security Bulletin: Vulnerabilities exist in IBM Netezza Performance Server Replication Services
Summary Vulnerabilities in IBM Netezza Performance Server Replication Services are addressed in 3.0.5.1. Vulnerability Details CVEID: CVE-2025-23419 DESCRIPTION: When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass...
Security Bulletin: IBM Security Verify Directory Web Admin Tool Container affected by WebSphere Application Server Liberty Denial‑of‑Service Vulnerability with HTTP/2
Summary IBM Security Verify Directory Web Admin Container has remediated the WebSphere Liberty vulnerabilities CVE-2025-48976 by incorporating the updated WebSphere Liberty runtime levels that include the necessary fixes. Vulnerability Details CVEID:CVE-2025-48976 DESCRIPTION: Allocation of...
Security Bulletin: A Security Vulnerability in Java affects IBM Voice Gateway
Summary A Security Vulnerability in Java affects IBM Voice Gateway. The vulnerability has been addressed. Vulnerability Details CVEID:CVE-2026-1188 DESCRIPTION: In the Eclipse OMR port library component since release 0.2.0, an API function to return the textual names of all supported processor...
Security Bulletin: Vulnerability assertj-core, spring-security-crypto, werkzeug, urllib, libsodium, jersey-client, log4j, dmidecode-dmidecode, and aide affect IBM Cloud Object Storage Systems (FEB 2026)
Summary Vulnerability with assertj-core-3.27.3 CVE-2026-24400, spring-security-crypto-6.4.4 CVE-2025-22234, werkzeug-3.1.3-py3 CVE-2026-21860, CVE-2025-66221, urllib3-2.5.0-py3 CVE-2025-66418, CVE-2025-66471, CVE-2026-21441, libsodium CVE-2025-69277, jersey-client-2.25.1 CVE-2025-12383,...
Security Bulletin: IBM Rational Developer for i is affected by a memory exhaustion loop (CVE-2024-4068)
Summary A package included in the Code Coverage functionality of IBM Rational Developer for i is vulnerable to malicious input causing a crash of the program due to memory exhaustion loop as described in the vulnerability details section. Vulnerability Details CVEID:CVE-2024-4068 DESCRIPTION: The...
Security Bulletin: Multiple vulnerabilities in IBM Rational Developer for i (CVE-2025-48734, CVE-2025-53057)
Summary IBM Rational Developer for i is affected by an improper access control vulnerability in Apache Commons CVE-2025-48734 and an improper access control vulnerability in Java CVE-2025-53057 as described in the vulnerability details section. Vulnerability Details CVEID:CVE-2025-48734...
Security Bulletin: A vulnerability in the body-parser package affects IBM® Db2® Big SQL on IBM Cloud Pak for Data.
Summary A vulnerability in the body-parser 2.2.0 package affects IBM® Db2® Big SQL 8 and earlier on IBM Cloud Pak for Data 5 and earlier. Vulnerability Details CVEID:CVE-2025-13466 DESCRIPTION: body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a URL Redirection to Untrusted Site ('Open Redirect') in urllib3 [CVE-2025-50181, CVE-2025-50182]
Summary IBM Watson Speech Services Cartridge is vulnerable to a URL Redirection to Untrusted Site 'Open Redirect' in urllib3, caused by a condition where it is possible to instantiate a PoolManager and specify retries in a way that disables redirects CVE-2025-50181, CVE-2025-50182. urllib3 is use...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to multiple Operator package issues
Summary IBM Watson Speech Services Cartridge is vulnerable to multiple Operator package issues. We have performed updates to the Operators used by our Speech Services. The following vulnerabilities have been addressed in this update. Please read the details for remediation below. Vulnerability...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to multiple Base OS issues
Summary IBM Watson Speech Services Cartridge is vulnerable to multiple Base OS issues. We have updated the base image used by our Speech Services and the following vulnerabilities have been addressed. Please read the details for remediation below. Vulnerability Details CVEID:CVE-2024-56433...
Security Bulletin: IBM Enterprise Application Service for Java is affected by a remote code execution vulnerability in IBM WebSphere Application Server Liberty (CVE-2025-14914)
Summary IBM Enterprise Application Service for Java is affected by a remote code execution vulnerability in IBM WebSphere Application Server Liberty with the restConnector-1.0 or restConnector-2.0 feature enabled. Vulnerability Details CVEID:CVE-2025-14914 DESCRIPTION: IBM WebSphere Application...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a denial of service in Redis [CVE-2021-31294]
Summary IBM Watson Speech Services Cartridge is vulnerable to a denial of service in Redis, caused by an assertion failure in a primary server by sending a non-administrative command, specifically a SET command (CVE-2021-31294). Redis is used in our service runtimes. This vulnerability has been...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an XML Injection in fonttools [CVE-2025-66034]
Summary IBM Watson Speech Services Cartridge is vulnerable to an XML Injection in fonttools, an arbitrary file write vulnerability that leads to remote code execution when a malicious .designspace file is processed (CVE-2025-66034). fontTools is used in our service runtimes. This vulnerability has...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a Buffer Overflow in Eclipse [CVE-2026-1188]
Summary IBM Watson Speech Services Cartridge is vulnerable to a Buffer Overflow in Eclipse, due to an Incorrect Calculation of Buffer Size in the Eclipse OMR port library component (CVE-2026-1188). Eclipse is used in our java microservices. This vulnerability has been addressed. Please read the...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to Improper Input Validation in QOS.CH logback-core [CVE-2026-1225]
Summary IBM Watson Speech Services Cartridge is vulnerable to Improper Input Validation in logback-core, caused by an ACE vulnerability in configuration file processing that allows an attacker to instantiate classes already present on the class path by compromising an existing logback configurati...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a denial of service in Werkzeug [CVE-2026-21860]
Summary IBM Watson Speech Services Cartridge is vulnerable to a denial of service in Werkzeug, due to an Improper Handling of Windows Device Names (CVE-2026-21860). Werkzeug is used in our service runtimes. This vulnerability has been addressed. Please read the details for remediation below...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a Time-of-Check to Time-of-Use in virtualenv [CVE-2026-22702]
Summary IBM Watson Speech Services Cartridge is vulnerable to a Time-of-Check to Time-of-Use in virtualenv, caused by flaws which allow local attackers to perform symlink-based attacks on directory creation operations. CVE-2026-22702. virtualenv is used in our java microservices. This...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a Data Amplification in urllib3 [CVE-2026-21441]
Summary IBM Watson Speech Services Cartridge is vulnerable to a Data Amplification in urllib3, due to a flaw in which the library reads the entire response body to drain the connection and decompresses the content unnecessarily, rather than decompressing only the necessary bytes as expected (CVE-2026-21441)...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to Open Redirect and Denial of Service in urllib3 [CVE-2025-50181, CVE-2025-66418, CVE-2025-66471]
Summary IBM Watson Speech Services Cartridge is vulnerable to Open Redirect and Denial of Service due to multiple issues in urllib3 (CVE-2025-50181, CVE-2025-66418, CVE-2025-66471). urllib3 is used in our service runtimes. This vulnerability has been addressed. Please read the details for...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a template injection vulnerability in LangChain [CVE-2025-65106]
Summary IBM Watson Speech Services Cartridge is vulnerable to a template injection vulnerability in LangChain, due to a defect existing in LangChain's prompt template system that allows attackers to access Python object internals through template syntax (CVE-2025-65106). LangChain is used in our...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a directory traversal, security bypass, and D.O.S. in Apache Tomcat (CVE-2025-55752, CVE-2025-55754, CVE-2025-61795)
Summary IBM Watson Speech Services Cartridge is vulnerable to a directory traversal, security bypass, and D.O.S. in Apache Tomcat, due to issues with 'tomcat-embed-core-10.1.44.jar' and 'tomcat-juli-10.1.44.jar' packages (CVE-2025-55752, CVE-2025-55754, CVE-2025-61795). Apache Tomcat is used in our...
Security Bulletin: Multiple Vulnerabilities in IBM Data Product Hub
Summary Multiple vulnerabilities were addressed in IBM Data Product Hub version 5.3.1 Vulnerability Details CVEID:CVE-2026-21441 DESCRIPTION: urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content...
Security Bulletin: IBM MQ is affected by a vulnerability in IBM WebSphere Application Server Liberty (CVE-2025-12635)
Summary A cross-site scripting vulnerability was identified in IBM WebSphere Application Server Liberty, which IBM MQ ships and uses to supply IBM MQ Console and IBM MQ REST API functionality CVE-2025-12635 Vulnerability Details CVEID:CVE-2025-12635 DESCRIPTION: IBM WebSphere Application Server...
Security Bulletin: IBM Edge Data Collector uses azure_core-1.14.0-py2.py3-none-any.whl which is vulnerable to CVE-2026-21226.
Summary IBM Edge Data Collector uses azure_core-1.14.0-py2.py3-none-any.whl which is vulnerable to CVE-2026-21226. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2026-21226 DESCRIPTION: Deserialization of untrusted data in Azure Core shared...
Security Bulletin: IBM Maximo Application Suite - Monitor Component uses filelock-3.20.1-py3-none-any.whl, filelock-3.20.2-py3-none-any.whl which is vulnerable to CVE-2026-22701.
Summary IBM Maximo Application Suite - Monitor Component uses filelock-3.20.1-py3-none-any.whl, filelock-3.20.2-py3-none-any.whl which is vulnerable to CVE-2026-22701. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2026-22701 DESCRIPTION: filelock...
Security Bulletin: IBM Maximo Application Suite - Monitor Component uses pyasn1-0.6.1.tar.gz which is vulnerable to CVE-2026-23490.
Summary IBM Maximo Application Suite - Monitor Component uses pyasn1-0.6.1.tar.gz which is vulnerable to CVE-2026-23490. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2026-23490 DESCRIPTION: pyasn1 is a generic ASN.1 library for Python. Prior to...
Security Bulletin: IBM Edge Data Collector uses pyasn1-0.6.1.tar.gz which is vulnerable to CVE-2026-23490.
Summary IBM Edge Data Collector uses pyasn1-0.6.1.tar.gz which is vulnerable to CVE-2026-23490. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2026-23490 DESCRIPTION: pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Servic...
Security Bulletin: IBM Maximo Application Suite - Monitor Component uses netty-codec-http-4.2.5.Final.jar which is vulnerable to CVE-2025-67735.
Summary IBM Maximo Application Suite - Monitor Component uses netty-codec-http-4.2.5.Final.jar which is vulnerable to CVE-2025-67735. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2025-67735 DESCRIPTION: Netty is an asynchronous, event-driven...
Security Bulletin: IBM Maximo Application Suite - Monitor Component uses log4j-core-2.25.1.jar which is vulnerable to CVE-2025-68161.
Summary IBM Maximo Application Suite - Monitor Component uses log4j-core-2.25.1.jar which is vulnerable to CVE-2025-68161. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2025-68161 DESCRIPTION: The Socket Appender in Apache Log4j Core versions...
Security Bulletin: IBM Edge Data Collector uses urllib3-2.6.1-py3-none-any.whl which is vulnerable to CVE-2026-21441.
Summary IBM Edge Data Collector uses urllib3-2.6.1-py3-none-any.whl which is vulnerable to CVE-2026-21441. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2026-21441 DESCRIPTION: urllib3 is an HTTP client library for Python. urllib3's streaming API...
Security Bulletin: IBM Maximo Application Suite - Monitor Component uses urllib3-2.5.0-py3-none-any.whl, urllib3-2.6.1-py3-none-any.whl, urllib3-2.6.2-py3-none-any.whl which is vulnerable to CVE-2025-66418, CVE-2025-66471, CVE-2026-21441.
Summary IBM Maximo Application Suite - Monitor Component uses urllib3-2.5.0-py3-none-any.whl, urllib3-2.6.1-py3-none-any.whl, urllib3-2.6.2-py3-none-any.whl which is vulnerable to CVE-2025-66418, CVE-2025-66471, CVE-2026-21441. This bulletin contains information addressing the vulnerability...
Security Bulletin: IBM Maximo Application Suite - Monitor Component uses werkzeug-3.1.1-py3-none-any.whl, werkzeug-3.1.3-py3-none-any.whl which is vulnerable to CVE-2025-66221, CVE-2026-21860.
Summary IBM Maximo Application Suite - Monitor Component uses werkzeug-3.1.1-py3-none-any.whl, werkzeug-3.1.3-py3-none-any.whl which is vulnerable to CVE-2025-66221, CVE-2026-21860. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2025-66221...
Security Bulletin: IBM MQ Appliance is affected by a cross-site scripting vulnerability (CVE-2025-12635)
Summary IBM MQ Appliance has addressed a cross-site scripting vulnerability. Vulnerability Details CVEID:CVE-2025-12635 DESCRIPTION: IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.12 are affected by cross-site scripting due to improp...
Security Bulletin: IBM Maximo Application Suite - Monitor Component uses qs-6.13.0.tgz, qs-6.14.0.tgz which is vulnerable to CVE-2025-15284.
Summary IBM Maximo Application Suite - Monitor Component uses qs-6.13.0.tgz, qs-6.14.0.tgz which is vulnerable to CVE-2025-15284. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2025-15284 DESCRIPTION: Improper Input Validation vulnerability in qs...
Security Bulletin: IBM Maximo Application Suite - Monitor Component uses transformers-4.53.0-py3-none-any.whl which is vulnerable to multiple CVEs.
Summary IBM Maximo Application Suite - Monitor Component uses transformers-4.53.0-py3-none-any.whl which is vulnerable to CVE-2025-14920, CVE-2025-14921, CVE-2025-14926, CVE-2025-14927, CVE-2025-14924, CVE-2025-14928, CVE-2025-14929, CVE-2025-14930. This bulletin contains information addressing t...
Security Bulletin: IBM Edge Data Collector uses tracing-subscriber-0.3.19.crate which is vulnerable to CVE-2025-58160.
Summary IBM Edge Data Collector uses tracing-subscriber-0.3.19.crate which is vulnerable to CVE-2025-58160. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2025-58160 DESCRIPTION: tracing is a framework for instrumenting Rust programs to collect...
Security Bulletin: IBM Maximo Application Suite - Monitor Component uses tornado-6.5-cp39-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl which is vulnerable to CVE-2025-67724, CVE-2025-67725, CVE-2025-67726.
Summary IBM Maximo Application Suite - Monitor Component uses tornado-6.5-cp39-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl which is vulnerable to CVE-2025-67724, CVE-2025-67725, CVE-2025-67726. This bulletin contains information addressing the vulnerability...
Security Bulletin: IBM Maximo Application Suite uses multiple third party dependencies which are vulnerable to CVEs.
Summary IBM Maximo Application Suite uses "org.apache.cxfcxf-core 3.6.7, io.nettynetty-codec-http 4.1.124.Final , github.com/golang-jwt/jwt/v4 v4.5.0" which are vulnerable to "CVE-2025-48913, CVE-2025-58056, CVE-2024-51744". This bulletin contains information regarding the vulnerabilities and how...
Security Bulletin: Multiple vulnerabilities affect Data Virtualization on IBM Software Hub (February 2026)
Summary Multiple vulnerabilities have been addressed in Data Virtualization on IBM Software Hub. Note that Data Virtualization was named Watson Query on IBM Cloud Pak for Data version 4.8. Vulnerability Details CVEID:CVE-2025-69277 DESCRIPTION: libsodium before ad3004e, in atypical use cases...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in commons-text-1.3.jar
Summary IBM Watson Discovery Cartridge affected by vulnerability in commons-text-1.3.jar Vulnerability Details CVEID:CVE-2025-46295 DESCRIPTION: Apache Commons Text versions prior to 1.10.0 included interpolation features that could be abused when applications passed untrusted input into the...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in urllib3-1.26.20-py2.py3-none-any.whl
Summary IBM Watson Discovery Cartridge affected by vulnerability in urllib3-1.26.20-py2.py3-none-any.whl Vulnerability Details CVEID:CVE-2025-50181 DESCRIPTION: urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in qs-6.13.0.tgz
Summary IBM Watson Discovery Cartridge affected by vulnerability in qs-6.13.0.tgz Vulnerability Details CVEID:CVE-2025-15284 DESCRIPTION: Improper Input Validation vulnerability in qs parse modules allows HTTP DoS. This issue affects qs: 6.14.1. Summary: The arrayLimit option in qs does not enforce...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in js-yaml-4.1.0.tgz
Summary IBM Watson Discovery Cartridge affected by vulnerability in js-yaml-4.1.0.tgz Vulnerability Details CVEID:CVE-2025-64718 DESCRIPTION: js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of ...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in werkzeug-3.1.3-py3-none-any.whl
Summary IBM Watson Discovery Cartridge affected by vulnerability in werkzeug-3.1.3-py3-none-any.whl Vulnerability Details CVEID:CVE-2025-66221 DESCRIPTION: Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4, Werkzeug's safe_join function allows path segments with...
Security Bulletin: Multiple vulnerabilities in IBM Cognos Command Center
Summary Multiple vulnerabilities were addressed in IBM Cognos Command Center 10.2.5 FP1 IF3. Vulnerability Details CVEID:CVE-2026-21945 DESCRIPTION: Java SE is vulnerable to a denial of service, caused by an easily exploitable vulnerability issue that allows a remote attacker to cause a hang or...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in aws-sdk-s3-1.199.0.gem
Summary IBM Watson Discovery Cartridge affected by vulnerability in aws-sdk-s3-1.199.0.gem Vulnerability Details CVEID:CVE-2025-14762 DESCRIPTION: Missing cryptographic key commitment in the AWS SDK for Ruby may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts ...
Security Bulletin: IBM MQ Appliance is affected by an authority vulnerability (CVE-2026-1713)
Summary IBM MQ Appliance has addressed an authority vulnerability. Vulnerability Details CVEID:CVE-2026-1713 DESCRIPTION: IBM MQ is affected by an authority vulnerability allowing users access to SYSTEM.AUTH.DATA.QUEUE. CWE:CWE-305: Authentication Bypass by Primary Weakness CVSS Source: IBM CVSS...
Security Bulletin: IBM MQ Appliance is affected by Linux kernel vulnerabilities (CVE-2025-39971 and CVE-2025-39955)
Summary IBM MQ Appliance has addressed multiple Linux kernel vulnerabilities. Vulnerability Details CVEID:CVE-2025-39971 DESCRIPTION: In the Linux kernel, the following vulnerability has been resolved: i40e: fix idx validation in config queues msg Ensure idx is within range of active/initialized...