35596 matches found
Security Bulletin: DevOps Test Performance contains a vulnerability related to use of the Undertow web server
Summary Due to use of the Undertow web server, DevOps Test Performance and Rational Performance Tester contain a potential improper input validation vulnerability. CVE-2024-4027 Vulnerability Details CVEID:CVE-2024-4027 DESCRIPTION: A flaw was found in Undertow. Servlets using a method that calls...
Security Bulletin: DevOps Test Performance contains a vulnerability related to use of the Axios HTTP client library
Summary Due to use of the Axios HTTP client library, DevOps Test Performance and Rational Performance Tester contain a potentil denial of service DoS vulnerability. CVE-2026-25639 Vulnerability Details CVEID:CVE-2026-25639 DESCRIPTION: Axios is a promise based HTTP client for the browser and...
Security Bulletin: DevOps Test Performance and Rational Performance Tester contains a vulnerabilty related to use of the qs library
Summary Due to use of the qs library, DevOps Test Performance and Rational Performance Tester contain a potential improper input validation vulnerabiity. CVE-2025-15284 Vulnerability Details CVEID:CVE-2025-15284 DESCRIPTION: Improper Input Validation vulnerability in qs parse modules allows HTTP...
Security Bulletin: DevOps Test Performance contains a potential denial of service (DoS) vulnerability
Summary Due to the use of the minimatch library, DevOps Test Performance and Rational Performance Tester contain a potential denial of Service vulnerability. Vulnerability Details CVEID:CVE-2026-26996 DESCRIPTION: minimatch is a minimal matching utility for converting glob expressions into...
Security Bulletin: DevOps Test Performance contains a vulnerability related to use of the minimatch library
Summary Due to the use of the minimatch library, DevOps Test Performance and Rational Performance Tester contain potential denial of service DoS vulnerabilities. CVE-2026-26996 Vulnerability Details CVEID:CVE-2026-26996 DESCRIPTION: minimatch is a minimal matching utility for converting glob...
Security Bulletin: DevOps Test Performance contains a vulnerability related to use of the logback-core library
Summary Due to use of the logback-core library, DevOps Test Performance and Rational Performance Tester contain a potential Arbitrary Code Execution ACE vulnerability. Vulnerability Details CVEID:CVE-2026-1225 DESCRIPTION: ACE vulnerability in configuration file processing by QOS.CH logback-core ...
Security Bulletin: Multiple vulnerabilities in IBM SDK, Java technology affect IBM Tivoli Composite Application Manager for Transactions (Response Time)
Summary IBM SDK, Java Technology Edition is used by IBM Tivoli Composite Application Manager for Transactions Response Time Vulnerability Details CVEID:CVE-2026-1188 DESCRIPTION: In the Eclipse OMR port library component since release 0.2.0, an API function to return the textual names of all...
Security Bulletin: Platform Navigator in IBM Cloud Pak for Integration is vulnerable to vulnerability in python_multipart
Summary Platform Navigator in IBM Cloud Pak for Integration is vulnerable to vulnerability in pythonmultipart. CVE-2026-24486 vulnerability has been addressed. Vulnerability Details CVEID:CVE-2026-24486 DESCRIPTION: Python-Multipart is a streaming multipart parser for Python. Prior to version...
Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2025-13333)
Summary IBM WebSphere Application Server is shipped as a component of Maximo Asset Management, Maximo Industry Solutions including Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for Utilities, Maximo Adapter for Primavera,...
Security Bulletin: Segmentation Fault Vulnerability in Rust time crate on Unix Systems (v0.2.7–v0.2.22) affects watsonx.data
Summary A vulnerability in the Rust time crate v0.2.7–v0.2.22 can cause segmentation faults on Unix-like systems when environment variables are set from a different thread. Windows and WebAssembly targets are unaffected. This can affect watsonx.data. Vulnerability Details CVEID:CVE-2020-26235...
Security Bulletin: Use-After-Free Vulnerability in c-ares read_answers() Function (v1.32.3–v1.34.4) affects watsonx.data
Summary CVE-2025-31498 - A use-after-free vulnerability exists in c-ares v1.32.3–v1.34.4 within the readanswers function. It can occur when processanswer re-enqueues queries under certain DNS conditions, potentially leading to crashes or unexpected behavior. This can affect watsonx.data...
Security Bulletin: runc File Descriptor Leak Leads to Container Escape Vulnerability (Fixed in 1.1.12), affects watsonx.data
Summary runc ≤ 1.1.11 contains a file descriptor leak vulnerability that can allow container processes to access the host filesystem, leading to potential container escape and host compromise. Fixed in version 1.1.12. This can affect watsonx.data. Vulnerability Details CVEID:CVE-2024-21626...
Security Bulletin: tough-cookie Prototype Pollution Vulnerability in CookieJar, affects watsonx.data
Summary ough-cookie versions prior to 4.1.3 are vulnerable to prototype pollution when using CookieJar with rejectPublicSuffixes=false due to improper object initialization. Fixed in version 4.1.3. This can affect watsonx.data. Vulnerability Details CVEID:CVE-2023-26136 DESCRIPTION: Versions of t...
Security Bulletin: XSS Vulnerability in React Router meta()/Meta APIs During SSR, affects watsonx.data
Summary React Router @remix-run/react 1.15.0–2.17.0, react-router 7.0.0–7.8.2 is vulnerable to XSS in meta/Meta APIs when generating script:ld+json tags in Framework Mode. Arbitrary JavaScript could execute during SSR if untrusted content is used. No impact occurs in Declarative Mode BrowserRoute...
Security Bulletin: Decompression Bomb Vulnerability in urllib3 affects watsonx.data
Summary urllib3 versions ≥1.24 and 2.6.0 are vulnerable to unbounded decompression chains. A malicious server can trigger excessive CPU and memory usage by sending many nested compression steps. The issue is fixed in version 2.6.0. This can affect watsonx.data. Vulnerability Details...
Security Bulletin: Decompression Bomb Vulnerability in Undic, affects watsonx.data
Summary Undici versions prior to 7.18.0 and 6.23.0 are vulnerable to unbounded decompression chains. Malicious servers can exploit this to trigger high CPU usage and excessive memory allocation due to thousands of compression steps. This can affect watsonx.data. Vulnerability Details...
Security Bulletin: Eclipse Jetty HTTP/2 DoS Vulnerability affects watsonx.data
Summary A flaw in the Eclipse Jetty HTTP/2 server implementation causes improper cleanup of connections when handling invalid HTTP/2 requests. When malformed or invalid requests are received, the server fails to correctly release active connections and associated resources. This can affect...
Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus for z/OS are vulnerable to multiple vulnerabilities due to lz4 and Apache Log4j (CVE-2025-12183, CVE-2025-66566 & CVE-2025-68161 )
Summary Users of Kafka features in IBM App Connect Enterprise and IBM Integration Bus for z/OS and the jdbcConnector in IBM App Connect Enterprise are vulnerable to multiple vulnerabilities due to lz4 and Apache Log4j. Vulnerability Details CVEID:CVE-2025-12183 DESCRIPTION: Out-of-bounds memory...
Security Bulletin: Improper Host Header Validation in Undertow HTTP Server Enables Cache Poisoning and Session Hijacking affects watsonx.data
Summary A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are processed...
Security Bulletin: IBM Operations Analytics – Log Analysis is affected by a security feature bypass due to Azure SDK for Java
Summary Azure SDK for Java is used by IBM Operations Analytics – Log Analysis as part of secure, asynchronous messaging and event streaming over AMQP Advanced Message Queuing Protocol. CVE‑2020‑16971. Vulnerability Details CVEID:CVE-2020-16971 DESCRIPTION: Azure SDK for Java Security Feature Bypa...
Security Bulletin: Multiple Vulnerabilities in IBM watsonx Code Assistant On Prem
Summary Multiple vulnerabilities were addressed in IBM watsonx Code Assistant On Prem V5.3.1 Patch 1 Vulnerability Details CVEID:CVE-2024-58340 DESCRIPTION: LangChain versions up to and including 0.3.1 contain a regular expression denial-of-service ReDoS vulnerability in the MRKLOutputParser.pars...
Security Bulletin: Vulnerabilities Addressed in IBM Tivoli Network Manager IP Edition (ITNM) version 4.2 Fix Pack 24 (4.2.0.24)
Summary Multiple vulnerabilities were addressed in ITNM version 4.2 Fix Pack 24 4.2.0.24 Vulnerability Details CVEID:CVE-2025-53864 DESCRIPTION: Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSO...
Security Bulletin: Vulnerability in Netty affects IBM Netezza Appliance
Summary The Netty package is used by IBM Netezza Appliance . IBM Netezza Appliance has addressed the applicable CVE CVE-2025-25193 Vulnerability Details CVEID:CVE-2025-25193 DESCRIPTION: Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and...
Security Bulletin: Due to the use of IBM WebSphere Application Server Liberty, CICS Transaction Gateway Desktop Edition and CICS Transaction Gateway for Multiplatforms are vulnerable to two security vulnerabilities.
Summary Due to the use of IBM WebSphere Application Server Liberty, CICS Transaction Gateway Desktop Edition and CICS Transaction Gateway for Multiplatforms are vulnerable to a Use of Hard-coded Cryptographic Key vulnerability CVE-2025-12635 and an Improper Neutralization of Input During Web Page...
Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server affect IBM Business Automation Workflow (CVE-2026-32776, CVE-2026-32777, CVE-2026-32778)
Summary WebSphere Application Server Traditional is shipped as a component of IBM Business Automation Workflow. Information about security vulnerabilities in IBM HTTP Server affecting IBM WebSphere Application Server Traditional and IBM WebSphere Application Server Liberty have been published...
Security Bulletin: IBM DataPower Gateway vulnerable to Denial of Service due to use of Bytes (CVE-2026-25541)
Summary IBM DataPower Gateway uses Bytes in the 'Gateway Peering' feature, and in 10.6.0 and 10.6CD only the 'GitOps' feature. Vulnerability Details CVEID:CVE-2026-25541 DESCRIPTION: Bytes is a utility library for working with bytes. From version 1.2.1 to before 1.11.1, Bytes is vulnerable to...
Security Bulletin: EDB PGAI Databases is affected by Multiple Vulnerabilities.
Summary Multiple Vulnerabilities found in EDB PGAI Databases 18.0. It has been addressed in 18.2. Hence, IBM strongly recommends upgrading to 18.2. Vulnerability Details CVEID:CVE-2024-25260 DESCRIPTION: elfutils v0.189 was discovered to contain a NULL pointer dereference via the handleverdef...
Security Bulletin: Security vulnerability has been detected in IBM Security Verify Directory (Container) (CVE-2025-36074)
Summary Security vulnerability has been addressed in IBM Security Verify Directory Container Vulnerability Details CVEID:CVE-2025-36074 DESCRIPTION: IBM Security Verify Directory could be vulnerable to malicious file upload by not validating file type. A privileged user could upload malicious fil...
Security Bulletin: Vulnerability in form-data might affect IBM Storage Defender Sentinel Anomaly Scan Engine.
Summary IBM Storage Defender Sentinel Anomaly Scan Engine can be affected by a vulnerability in form-data. Vulnerabilities include the use of insufficiently random values allowing HTTP Parameter Pollution HPP. More details are described by the CVEs in the "Vulnerability Details" section...
Security Bulletin: Security vulnerability was found in IBM WebSphere Application Server provided with IBM Security Verify Directory (CVE-2025-7962)
Summary Security vulnerability was addressed in WebSphere Application Server provided with IBM Security Verify Directory Vulnerability Details CVEID:CVE-2025-7962 DESCRIPTION: In Jakarta Mail 2.0.2 it is possible to preform a SMTP Injection by utilizing the \r and \n UTF-8 characters to separate...
Security Bulletin: Security vulnerability was found in IBM Security Directory Integrator (CVE-2024-28765)
Summary Security vulnerability has been addressed in the IBM Security Directory Integrator Vulnerability Details CVEID:CVE-2024-28765 DESCRIPTION: IBM Security Directory Integrator could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in...
Security Bulletin: DevOps Test Performance contains a vulnerability related to use of the jsdiff JavaScript library
Summary Due to use of the jsdiff JavaScript library, DevOps Test Performance and Rational Performance Tester contain a potential denial of service DoS vulnerability. Vulnerability Details CVEID:CVE-2026-24001 DESCRIPTION: jsdiff is a JavaScript text differencing implementation. Prior to versions...
Security Bulletin: DevOps Test Performance contains a vulnerability related to use of the lodash JavaScript library
Summary Due to use of the lodash JavaScript library, DevOps Test Performance and Rational Performance Tester contain a potential denial of service DoS vulnerability. Vulnerability Details CVEID:CVE-2025-13465 DESCRIPTION: Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution...
Security Bulletin: Due to the use of WebSphere Application Server Liberty, IBM Tivoli Application Dependency Discovery Manager is vulnerable to cross-site scripting and arbitrary code execution
Summary IBM Tivoli Application Dependency Discovery Manager bundles WebSphere Application Server Liberty, vulnerabilities have been remediated in an efix Vulnerability Details CVEID:CVE-2025-12635 DESCRIPTION: IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty...
Security Bulletin: Certificate Name Constraints Bypass via Wildcard SANs affects watsonx.data
Summary Improper enforcement of certificate name constraints allows wildcard SANs e.g., .example.com to bypass excluded subdomain restrictions e.g., test.example.com, potentially enabling unauthorized certificate usage.This can affect watsonx.data. Vulnerability Details CVEID:CVE-2025-61727...
Security Bulletin: Expr Built-in Functions Recursion DoS Vulnerability (Fixed in v1.17.7) affects watsonx.data
Summary Expr prior to v1.17.7 is vulnerable to a Denial-of-Service DoS due to unbounded recursion in certain built-in functions, which can cause stack overflow and application crashes when processing deeply nested or cyclic data. Fixed in v1.17.7. This can affect watsonx.data. Vulnerability Detai...
Security Bulletin: Fulcio OIDC Token Parsing DoS Vulnerability in extractIssuerURL affects watsonx.data
Summary ulcio prior to 1.8.3 is vulnerable to a Denial-of-Service DoS issue where malicious OIDC tokens containing excessive period characters can trigger high memory allocation during parsing. This can affect watsonx.data. Vulnerability Details CVEID:CVE-2025-66506 DESCRIPTION: Fulcio is a...
Security Bulletin: jose4j JWE Decompression DoS Vulnerability (Fixed in 0.9.6), affects watsonx.data
Summary n jose4j before 0.9.6, an attacker can cause a Denial-of-Service DoS condition by crafting a malicious JSON Web Encryption JWE token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time...
Security Bulletin: MCP Python SDK DNS Rebinding Vulnerability in HTTP Servers (Fixed in 1.23.0) affects watsonx.data
Summary The MCP Python SDK mcp prior to 1.23.0 did not enable DNS rebinding protection by default for HTTP-based servers. This could allow a malicious website to bypass same-origin policies and send requests to a local MCP server running without authentication. This can affect watsonx.data...
Security Bulletin: LangChain Serialization Injection Vulnerability in dumps()/dumpd() (Fixed in 0.3.81 / 1.2.5) affects watsonx.data
Summary A serialization injection vulnerability in LangChain's dumps and dumpd functions pre-0.3.81 / 1.2.5 allows user-controlled data with 'lc' keys to be deserialized as objects. This issue is fixed in versions 0.3.81 and 1.2.5. This can affect watsonx.data. Vulnerability Details...
Security Bulletin: Cross-Site Scripting (XSS) Vulnerability in OWASP Java HTML Sanitizer via HtmlPolicyBuilder noscript/style Tags (v20240325.1), affects watsonx.data
Summary A vulnerability in OWASP Java HTML Sanitizer v20240325.1 allows Cross-Site Scripting XSS when HtmlPolicyBuilder permits noscript or style tags with allowTextIn. Unsanitized CSS or unexpected tags can be exploited by attackers. No patch is available at the time of this publication. This ca...
Security Bulletin: Session Cookie Exposure via Improper Cache Handling in Flask (≤ v2.3.1, ≤ v2.2.4), affects watsonx.data
Summary A vulnerability in Flask ≤ v2.3.1, ≤ v2.2.4 can cause session cookies to be exposed when responses are cached by a proxy. This occurs if sessions are permanent but not accessed during a request, combined with default cache settings. The issue is fixed in versions 2.3.2 and 2.2.5. This can...
Security Bulletin: Due to the use of Apache Tomcat and mchange-commons-java, IBM ApplinX is vulnerable to Improper Input Validation vulnerablities (CVE-2025-66614, CVE-2026-24733, CVE-2026-24734) and an 'Injection' vulnerability (CVE-2026-27727).
Summary Due to the use of Apache Tomcat and mchange-commons-java, IBM ApplinX is vulnerable to Improper Input Validation vulnerablities CVE-2025-66614, CVE-2026-24733, CVE-2026-24734 and an Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection'...
Security Bulletin: Log Injection Vulnerability in orydolphin/flask-cors (Debug Logging) affects watsonx.data
Summary A vulnerability in orydolphin/flask-cors allows attackers to inject malicious log entries when debug logging is enabled. By sending specially crafted requests containing CRLF sequences, an attacker can corrupt or forge log entries, potentially obscuring other attacks or disrupting log...
Security Bulletin: Improper Unicode Handling in validator isLength() Leads to Input Length Bypass (Pre-13.15.22) affects watsonx.data
Summary Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength function that does not take into account Unicode variation selectors \uFE0F, \uFE0E appearing in a sequence which lead to improper string...
Security Bulletin: Dynamic XSS Vulnerability in GraphiQL via Malicious Schema Introspection Responses (Pre-v1.4.7) watsonx.data
Summary All versions of GraphiQL before 1.4.7 are vulnerable to a dynamic XSS flaw triggered by malicious schema introspection responses or crafted type names, potentially allowing code injection during autocomplete—especially in custom setups where the schema endpoint can be user-controlled. Thi...
Security Bulletin: High Resource Consumption Vulnerability in urllib3 Streaming API Due to Improper Handling of Highly Compressed Data (≤ v2.6.0) affects watsonx.data
Summary A vulnerability in the urllib3 Streaming API versions 1.0 through 2.6.0 allows highly compressed HTTP responses to be decompressed in a way that can consume excessive system resources. When processing compressed data e.g., gzip or brotli, the library may fully decompress a small input int...
Security Bulletin: Signature Verification Bypass Vulnerability in auth0/node-jws (HS256, ≤ v3.2.2 & v4.0.0) affects watsonx.data
Summary A vulnerability in auth0/node-jws allows attackers to bypass signature verification when using the HS256 algorithm under certain conditions. The issue occurs when applications rely on user-controlled data for HMAC secret lookup during verification. This can affect watsonx.data...
Security Bulletin: Cookie Parsing Vulnerability in Werkzeug Allows Subdomain Cookie Injection (≤ v2.2.2), affects watsonx.data
Summary A vulnerability in Werkzeug prior to v2.2.3 allows malicious subdomains to inject crafted "nameless" cookies that are incorrectly parsed as valid cookies. This can cause applications to accept attacker-controlled values, potentially leading to security issues. This can affect watsonx.data...
Security Bulletin: Arbitrary File Read, SSRF, and Code Execution Vulnerabilities in TensorFlow Keras Model Loading (v2.13) affects watsonx.data
Summary A vulnerability in TensorFlow Keras v2.13 allows malicious .keras model files to trigger arbitrary local file reads, Server-Side Request Forgery SSRF, and potential code execution during model loading—even when safemode=True is enabled. The issue arises from improper handling of external...