35596 matches found
Security Bulletin: Vulnerabilities in Linux Kernel, MongoDB and Tomcat affect IBM Spectrum Protect Plus
Summary IBM Spectrum Protect Plus can be affected by vulnerabilities in MongoDB, Tomcat and Linux. Vulnerabilities include obtaining sensitive information, causing a denial of service condition, the elevation of privileges, remote execution of arbitrary code and bypassing security restrictions, a...
Security Bulletin: IBM Financial Transaction Manager is impacted by multiple vulnerabilities in RedHat Proxy for Kubernetes RBAC authorization
Summary IBM Financial Transaction Manager for RedHat OpenShift has addressed the following vulnerabilities. Vulnerability Details CVEID:CVE-2025-47907 DESCRIPTION: Cancelling a query e.g. by cancelling the context passed to one of the query methods during a call to the Scan method of the returned...
Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by improper handling of Windows device names due to Werkzeug
Summary Werkzeug is used by IBM Cloud Pak for Data System 1.0 as a WSGI web application library. CVE-2025-66221 affects Werkzeug's handling of Windows device names, which could lead to improper resource handling and potential availability impact on Windows systems. This vulnerability relates to t...
Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by multiple vulnerabilities due to urllib3
Summary The urllib3 library is used by IBM Cloud Pak for Data System 1.0 to provide HTTP client functionality for Python applications. Multiple vulnerabilities affect urllib3. CVE-2025-66418 involves allocation of resources without limits or throttling, which could lead to resource exhaustion...
Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by improper handling of Windows device names due to Werkzeug
Summary Werkzeug is used by IBM Cloud Pak for Data System 1.0 as a WSGI web application library. CVE-2026-21860 affects Werkzeug's handling of Windows device names, which could lead to improper resource handling and potential availability impact on Windows systems. This vulnerability relates to t...
Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by multiple vulnerabilities due to urllib3
Summary The urllib3 library is used by IBM Cloud Pak for Data System 1.0 to provide HTTP client functionality for Python applications. Multiple vulnerabilities affect urllib3. CVE-2025-66418 involves allocation of resources without limits or throttling. CVE-2025-66471 and CVE-2026-21441 both rela...
Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by multiple vulnerabilities due to Werkzeug
Summary Werkzeug is used by IBM Cloud Pak for Data System 1.0 as a WSGI web application library. Multiple vulnerabilities affect Werkzeug. CVE-2024-49767 involves a resource exhaustion vulnerability in the multipart/form-data parser where a specifically crafted form submission can cause the parse...
Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by arbitrary code execution due to Jinja2
Summary Jinja2 is used by IBM Cloud Pak for Data System 1.0 as a template engine for generating dynamic content. CVE-2025-27516 affects Jinja2's sandboxed environment where an oversight in how the |attr filter interacts with the sandbox allows an attacker who controls template content to execute...
Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by open redirect vulnerabilities due to urllib3
Summary The urllib3 library is used by IBM Cloud Pak for Data System 1.0 to provide HTTP client functionality for Python applications. Multiple open redirect vulnerabilities affect urllib3. CVE-2025-50182 relates to urllib3 not controlling redirects when used in Pyodide runtime with JavaScript...
Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by credential disclosure due to Python Requests library
Summary The Python Requests library is used by IBM Cloud Pak for Data System 1.0 to handle HTTP communications. CVE-2024-47081 affects Requests due to a URL parsing issue that may leak .netrc credentials to third parties when processing maliciously-crafted URLs. This vulnerability could result in...
Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by multiple vulnerabilities due to Flask-Cors
Summary Flask-Cors is used by IBM Cloud Pak for Data System to handle Cross-Origin Resource Sharing CORS for web applications. Multiple vulnerabilities affect Flask-Cors path matching functionality. CVE-2024-6866 involves case-insensitive path matching that can allow unauthorized origins to acces...
Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by denial of service due to Python cryptography package
Summary The Python cryptography package is used by IBM Cloud Pak for Data System to provide cryptographic functionality. CVE-2024-0727 affects the underlying OpenSSL library used by the cryptography package. Processing a maliciously formatted PKCS12 file may cause a NULL pointer dereference in...
Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by improper validation due to Eclipse Jetty.
Summary Eclipse Jetty is used by IBM Cloud Pak for Data System CPDS as part of its web server infrastructure. CVE-2024-6763 affects Eclipse Jetty's HttpURI class, which performs insufficient validation on the authority segment of a URI. This could potentially lead to open redirect attacks or...
Security Bulletin: IBM Maximo Application Suite - IoT Component uses multiple third party dependencies which is vulnerable to multiple CVEs.
Summary IBM Maximo Application Suite - IoT Component uses assertj-core-3.27.6.jar, minimatch-3.1.2.tgz, flask-3.1.2-py3-none-any.whl and werkzeug-3.1.5-py3-none-any.whl third party dependencies which is vulnerable to CVE-2026-24400, CVE-2026-26996, CVE-2026-27205 and CVE-2026-27199. This bulletin...
Security Bulletin: IBM Content Navigator uses Apache Commons Collections resulting in multiple CVEs
Summary IBM Content Navigator is affected by CVE-2015-4852, a Deserialization of Untrusted Data vulnerability CWE-502 in Apache Commons Collections, originally identified in Oracle WebLogic Server. A remote attacker could exploit this vulnerability by sending a crafted serialized Java object over...
Security Bulletin: Multiple Vulnerabilities for EDB Cloudpack for Data CP4D 5.3.1
Summary Security Bulletin of Multiple Vulnerabilities from EDB Cloudpack for Data.CP4D 5.3.1. IBM strongly recommends addressing the vulnerability now by upgrading.to 5.3.1 Vulnerability Details CVEID:CVE-2025-58189 DESCRIPTION: When Conn.Handshake fails during ALPN negotiation the error contains...
Security Bulletin: Multiple Vulnerabilities affect IBM Tivoli Netcool Impact
Summary Multiple vulnerabilities were addressed in IBM Tivoli Netcool Impact version 7.1.0.38 Vulnerability Details CVEID:CVE-2026-29063 DESCRIPTION: Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in...
Security Bulletin: Remediation of Multiple Spring Vulnerabilities in IBM Library Support for Spring
Summary Multiple Spring Vulnerabilities have been addressed in IBM Library Support for Spring Vulnerability Details CVEID:CVE-2026-22731 DESCRIPTION: Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires...
Security Bulletin: Remediation of Multiple Spring Vulnerabilities in IBM Library Support for Spring
Summary Multiple Spring Vulnerabilities have been addressed in IBM Library Support for Spring Vulnerability Details CVEID:CVE-2026-22733 DESCRIPTION: Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires...
Security Bulletin: Remediation of Multiple Spring Vulnerabilities in IBM Library Support for Spring
Summary Multiple Spring Vulnerabilities have been addressed in IBM Library Support for Spring Vulnerability Details CVEID:CVE-2026-22733 DESCRIPTION: Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires...
Security Bulletin: IBM QRadar SIEM is vulnerable to using components with known vulnerabilities
Summary Multiple components with known vulnerabilities were addressed in IBM QRadar SIEM in UP15 IF01 Vulnerability Details CVEID:CVE-2025-38129 DESCRIPTION: In the Linux kernel, the following vulnerability has been resolved: pagepool: Fix use-after-free in pagepoolrecycleinring syzbot reported a...
Security Bulletin: Multiple security vulnerabilities are addressed with IBM Process Mining 2.1.1
Summary In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Process Mining 2.1.1 Vulnerability Details CVEID:CVE-2026-22732 DESCRIPTION: When applications specify HTTP response headers for servlet applications using Spring...
Security Bulletin: Security Vulnerabilities affect IBM Voice Gateway
Summary Security Vulnerabilities affect IBM Voice Gateway. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2026-33750 DESCRIPTION: The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and...
Security Bulletin: Vulnerabilities in IBM Semeru SDK (CVE-2026-21945, CVE-2026-21933, CVE-2026-21925, CVE-2026-1188) affect Power HMC.
Summary The IBM Semeru SDK is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2026-21945 DESCRIPTION: Java SE is vulnerable to a denial of service, caused by an easily exploitable vulnerability issue that allows an remote...
Security Bulletin: Vulnerabilities in httpd library (CVE-2025-58098, CVE-2025-65082, CVE-2025-66200) affect Power HMC.
Summary The httpd library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2025-58098 DESCRIPTION: Apache HTTP Server 2.4.65 and earlier with Server Side Includes SSI enabled and modcgid but not modcgi passes the shell-escape...
Security Bulletin: Vulnerability in openssl library (CVE-2025-9230) affects Power HMC.
Summary The openssl library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2025-9230 DESCRIPTION: Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an...
Security Bulletin: Vulnerability in net-snmp library (CVE-2025-68615) affects Power HMC.
Summary The net-snmp library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2025-68615 DESCRIPTION: net-snmp is a SNMP application library, tools and daemon. Prior to versions 5.9.5 and 5.10.pre2, a specially crafted packet ...
Security Bulletin: Vulnerability in kernel library (CVE-2022-50865) affects Power HMC.
Summary The kernel library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2022-50865 DESCRIPTION: In the Linux kernel, the following vulnerability has been resolved: tcp: fix a signed-integer-overflow bug in tcpaddbacklog Th...
Security Bulletin: Vulnerabilities in openssh library (CVE-2025-61984, CVE-2025-61985) affect Power HMC.
Summary The openssh library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2025-61984 DESCRIPTION: ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources,...
Security Bulletin: Vulnerabilities in Apache Tomcat Server (CVE-2025-61795, CVE-2025-66614, CVE-2026-24733, CVE-2026-24734) affect Power HMC.
Summary The Apache Tomcat Server is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2025-61795 DESCRIPTION: Improper Resource Shutdown or Release vulnerability in Apache Tomcat. If an error occurred including exceeding limits...
Security Bulletin: Vulnerability in expat library (CVE-2025-59375) affects Power HMC.
Summary The expat library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2025-59375 DESCRIPTION: libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is...
Security Bulletin: IBM App Connect Enterprise Certified Container is vulnerable to path traversal (CVE-2026-29045) loss of integrity (CVE-2026-29085) and loss of confidentiality (CVE-2026-29086)
Summary Node.js module hono is used by IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container operands are vulnerable to path traversal CVE-2026-29045 loss of integrity CVE-2026-29085 and loss of confidentiality CVE-2026-29086. This bulletin provides patch...
Security Bulletin: IBM App Connect Enterprise Certified Container is vulnerable to cross-site scripting (CVE-2026-25896)
Summary Node.js module fast-xml-parser is used by IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container operands are vulnerable to cross-site scripting. This bulletin provides patch information to address the reported vulnerability in Node.js module...
Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to remote code execution (CVE-2026-27212)
Summary Node.js module swipper is used by IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to remote code execution. This bulletin provides patch information to address the reported vulnerability in Node.js...
Security Bulletin: IBM App Connect Enterprise Certified Container is vulnerable to loss of confidentiality (CVE-2025-68121)
Summary IBM App Connect Enterprise Certified Container operator and DesignerAuthoring, IntegrationRuntime and IntegrationServer operands are vulnerable to loss of confidentiality. This bulletin provides patch information to address the reported vulnerability in Golang module crypto/tls...
Security Bulletin: IBM App Connect Enterprise Certified Container flows that use the Box or Databricks connectors are vulnerable to loss of confidentiality (CVE-2026-27699)
Summary Node.js module basic-ftp is used by IBM App Connect Enterprise Certified Container in the connectors for Box and Databricks. IBM App Connect Enterprise Certified Container IntergationRuntime and IntegrationServer operands that run flows containing Box or Databricks connectors are vulnerab...
Security Bulletin: IBM DataPower Gateway vulnerable to Denial of Service due to qs (CVE-2025-15284)
Summary The qs package is used in the Gateway Director and UI components. Vulnerability Details CVEID:CVE-2025-15284 DESCRIPTION: Improper Input Validation vulnerability in qs parse modules allows HTTP DoS.This issue affects qs: 6.14.1. Summary The arrayLimit option in qs did not enforce limits f...
Security Bulletin: Maximo AI Service uses multiple third party dependencies which is vulnerable to multiple CVEs.
Summary Maximo AI Service uses wheel-0.41.3-py3-none-any.whl, orjson-3.10.14-cp311-cp311-manylinux217x8664.manylinux2014x8664.whl, pythonmultipart-0.0.21-py3-none-any.whl, pyasn1-0.6.1.tar.gz, sentencepiece-0.2.0-cp311-cp311-manylinux217x8664.manylinux2014x8664.whl, tar-7.4.3.tgz, tar-7.5.2.tgz...
Security Bulletin: Maximo AI Service uses tar-7.4.3.tgz which is vulnerable to CVE-2026-23745 and CVE-2026-23950.
Summary Maximo AI Service uses tar-7.4.3.tgz which is vulnerable to CVE-2026-23745 and CVE-2026-23950. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2026-23950 DESCRIPTION: node-tar,a Tar for Node.js, has a race condition...
Security Bulletin: Maximo AI Service uses multiple third party dependencies which is vulnerable to multiple CVEs.
Summary Maximo AI Service uses transformers-4.48.3-py3-none-any.whl, transformers-4.50.0-py3-none-any.whl, transformers-4.52.1-py3-none-any.whl, transformers-4.53.0-py3-none-any.whl, transformers-4.57.3-py3-none-any.whl, urllib3-1.26.19-py2.py3-none-any.whl, urllib3-2.1.0-py3-none-any.whl,...
Security Bulletin: Maximo AI Service uses werkzeug-3.1.4-py3-none-any.whl, filelock-3.20.1-py3-none-any.whl which is vulnerable to CVE-2026-21860 and CVE-2026-22701.
Summary Maximo AI Service uses werkzeug-3.1.4-py3-none-any.whl, filelock-3.20.1-py3-none-any.whl which is vulnerable to CVE-2026-21860 and CVE-2026-22701. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2026-22701 DESCRIPTION: filelo...
Security Bulletin: Multiple security vulnerabilities in IBM Business Automation Manager Open Editions
Summary In addition to many updates of operating system level packages, the following security vulnerabilities are addressed in IBM Business Automation Manager Open Editions 9.4.0 Vulnerability Details CVEID:CVE-2026-1525 DESCRIPTION: Undici allows duplicate HTTP Content-Length headers when they...
Security Bulletin: Multiple security vulnerabilities in IBM Business Automation Manager Open Editions
Summary In addition to many updates of operating system level packages, the following security vulnerabilities are addressed in IBM Business Automation Manager Open Editions 9.4.0 Vulnerability Details CVEID:CVE-2026-27601 DESCRIPTION: Underscore.js is a utility-belt library for JavaScript. Prior...
Security Bulletin: IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is affected by a denial of service due to Apache Commons FileUpload
Summary IBM WebSphere Application Server shipped with Jazz for Service Management JazzSM is affected by a denial of service due to Apache Commons FileUpload CVE-2025-48976 Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions...
Security Bulletin: Multiple vulnerabilites in IBM Rational Build Forge.
Summary IBM Rational Build Forge 8.0.0.30 addresses multiple vulnerabilites Vulnerability Details CVEID:CVE-2025-50106 DESCRIPTION: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: 2D. Supported versions that are...
Security Bulletin: Multiple vulnerabilities in IBM DevOps Release
Summary IBM DevOps Release 7.0.0.7 addresses multiple vulnerabilities. Vulnerability Details CVEID:CVE-2025-68161 DESCRIPTION: The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostNam...
Security Bulletin: Vulnerability in IBM Java, Websphere, OpenSSL, libcurl, and Apache Commons may affect IBM Storage Protect Backup-Archive Client, IBM Storage Protect for Virtual Environments and IBM Storage Protect for Space Management
Summary IBM Spectrum Protect Backup-Archive Client, IBM Storage Protect for Virtual Environments and IBM Storage Protect for Space Management can be affected by logging and security vulnerabilities. This update improves reliability of Java object property handling, modern logging frameworks and...
Security Bulletin: Security Vulnerabilities have been found in IBM Verify Identity Access Digital Credentials
Summary Security Vulnerabilities have been addressed in IBM Verify Identity Access Digital Credentials Vulnerability Details CVEID:CVE-2026-27837 DESCRIPTION: Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for...
Security Bulletin: Incorrect administrative access control in IBM DataPower Gateway
Summary This issue allowed valid administrative users to see services within domains to which they should have had no access. Vulnerability Details CVEID:CVE-2025-36373 DESCRIPTION: IBM DataPower Gateway could disclose sensitive system information from other domains to an administrative user...
Security Bulletin: Multiple Vulnerabilities in IBM API Connect
Summary Multiple vulnerabilities were addressed in IBM API Connect version v12.1.0.2 Vulnerability Details CVEID:CVE-2012-6708 DESCRIPTION: jQuery before 1.9.0 is vulnerable to Cross-site Scripting XSS attacks. The jQuerystrInput function does not differentiate selectors from HTML in a reliable...