Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance are vulnerable to remote code execution (CVE-2026-21226)
Summary Python module azure-core is present in IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance are vulnerable to remote code execution. This bulletin provides patch information to address the...
Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service (CVE-2025-12758, CVE-2025-13466, CVE-2025-14874) and loss of confidentiality (CVE-2025-65945)
Summary IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service and loss of confidentiality. This bulletin provides patch information to address the reported vulnerabilities in Node.js modules validator CVE-2025-12758, body-parser CVE-2025-13466, nodemailer...
Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationRuntime and IntegrationServer operands are vulnerable to loss of confidentiality (CVE-2026-22817, CVE-2026-22818)
Summary IBM App Connect Enterprise Certified Container IntegrationRuntime and IntegrationServer operands are vulnerable to loss of confidentiality due to Node.js module hono. This bulletin provides patch information to address the reported vulnerability in Node.js module hono CVE-2026-22817,...
Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance are vulnerable to loss of confidentiality [CVE-2025-13491]
Summary IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance are vulnerable to loss of confidentiality. This is due to insufficient write protection to files inside the mapping assistance image. This bulletin provides patch information to address th...
Security Bulletin: Due to the use of jackson-core, IBM webMethods BPM and IBM webMethods Integration are vulnerable to multiple vulnerabilities
Summary IBM webMethods BPM and IBM webMethods Integration are dependent on jackson-databind, which is affected by known vulnerabilities WS-2022-0468, CVE-2022-42004, CVE-2022-42003, CVE-2023-35116. This security bulletin provides guidance on addressing the vulnerability. Vulnerability Details...
Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM DevOps Code ClearCase (CVE-2026-21925, CVE-2026-21945)
Summary IBM WebSphere Application Server WAS is shipped as a component of IBM DevOps Code ClearCase. Information about security vulnerabilities affecting WAS has been published in security bulletins. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section...
Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM DevOps Code ClearCase (CVE-2025-30754)
Summary IBM WebSphere Application Server WAS is shipped as a component of IBM DevOps Code ClearCase. Information about security vulnerabilities affecting WAS has been published in security bulletins. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section...
Security Bulletin: Reliability Strategies was using vulnerable library
Summary Reliability Strategies was using vulnerable library qs-6.13.0, which is vulnerable to CVE-2025-15284 Vulnerability Details CVEID:CVE-2025-15284 DESCRIPTION: Improper Input Validation vulnerability in qs parse modules allows HTTP DoS. This issue affects qs: 6.14.1. Summary The arrayLimit...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in tomcat-embed-core-10.1.42.jar
Summary IBM Watson Discovery Cartridge affected by vulnerability in tomcat-embed-core-10.1.42.jar Vulnerability Details CVEID:CVE-2025-55752 DESCRIPTION: Relative Path Traversal vulnerability in Apache Tomcat. The fix for bug 60013 introduced a regression where the rewritten URL was normalized...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in brace-expansion-1.1.11.tgz
Summary IBM Watson Discovery Cartridge affected by vulnerability in brace-expansion-1.1.11.tgz Vulnerability Details CVEID:CVE-2025-5889 DESCRIPTION: A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue ...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in pypdf-6.1.1-py3-none-any.whl
Summary IBM Watson Discovery Cartridge affected by vulnerability in pypdf-6.1.1-py3-none-any.whl Vulnerability Details CVEID:CVE-2025-62707 DESCRIPTION: pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in Java SE related to the JAXP component
Summary IBM Watson Discovery Cartridge affected by vulnerability in Java SE related to the JAXP component Vulnerability Details CVEID:CVE-2025-53066 DESCRIPTION: An unspecified vulnerability in Java SE related to the JAXP component could allow a remote attacker to cause high confidentiality impac...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in keras-3.11.3-py3-none-any.whl
Summary IBM Watson Discovery Cartridge affected by vulnerability in keras-3.11.3-py3-none-any.whl Vulnerability Details CVEID:CVE-2025-12060 DESCRIPTION: The keras.utils.get_file API in Keras, when used with the extract=True option for tar archives, is vulnerable to a path traversal attack. The...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in WebSphere Application Server Liberty
Summary IBM Watson Discovery Cartridge affected by vulnerability in WebSphere Application Server Liberty Vulnerability Details CVEID:CVE-2024-56339 DESCRIPTION: IBM WebSphere Application Server 9.0 and WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.7 could allow a remote attacker to...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in on-headers-1.0.2.tgz
Summary Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in on-headers-1.0.2.tgz Vulnerability Details CVEID:CVE-2025-7339 DESCRIPTION: on-headers is a node.js middleware for listening to when a response writes headers. A bug in on-headers versions 1.1.0 may result in...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in keras-3.11.3-py3-none-any.whl
Summary IBM Watson Discovery Cartridge affected by vulnerability in keras-3.11.3-py3-none-any.whl Vulnerability Details CVEID:CVE-2025-12058 DESCRIPTION: The Keras.Model.load_model method, including when executed with the intended security mitigation safe_mode=True, is vulnerable to arbitrary local...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in axios-1.11.0.tgz
Summary IBM Watson Discovery Cartridge affected by vulnerability in axios-1.11.0.tgz Vulnerability Details CVEID:CVE-2025-58754 DESCRIPTION: Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0 runs on...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in WebSphere Application Server Liberty
Summary IBM Watson Discovery Cartridge affected by vulnerability in WebSphere Application Server Liberty Vulnerability Details CVEID:CVE-2025-36047 DESCRIPTION: IBM WebSphere Application Server Liberty 18.0.0.2 through 25.0.0.8 is vulnerable to a denial of service, caused by sending a...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in netty-codec-4.1.100.Final.jar
Summary IBM Watson Discovery Cartridge affected by vulnerability in netty-codec-4.1.100.Final.jar Vulnerability Details CVEID:CVE-2025-58057 DESCRIPTION: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers &...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in netty-codec-http-4.1.118.Final.jar
Summary IBM Watson Discovery Cartridge affected by vulnerability in netty-codec-http-4.1.118.Final.jar Vulnerability Details CVEID:CVE-2025-58056 DESCRIPTION: Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in pypdf-5.6.0-py3-none-any.whl
Summary IBM Watson Discovery Cartridge affected by vulnerability in pypdf-5.6.0-py3-none-any.whl Vulnerability Details CVEID:CVE-2025-55197 DESCRIPTION: pypdf is a free and open-source pure-python PDF library. Prior to version 6.0.0, an attacker can craft a PDF which leads to the RAM being...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in netty-codec-http2-4.1.118.Final.jar
Summary IBM Watson Discovery Cartridge affected by vulnerability in netty-codec-http2-4.1.118.Final.jar Vulnerability Details CVEID:CVE-2025-55163 DESCRIPTION: Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerabl...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in Apache Commons FileUpload
Summary IBM Watson Discovery Cartridge affected by vulnerability in Apache Commons FileUpload Vulnerability Details CVEID:CVE-2025-48976 DESCRIPTION: Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in PyJWT-2.10.1-py3-none-any.whl
Summary IBM Watson Discovery Cartridge affected by vulnerability in PyJWT-2.10.1-py3-none-any.whl Vulnerability Details CVEID:CVE-2025-45768 DESCRIPTION: pyjwt v2.10.1 was discovered to contain weak encryption. NOTE: this is disputed by the Supplier because the key length is chosen by the...
Security Bulletin: Multiple vulnerabilities in IBM Cognos Command Center
Summary Multiple vulnerabilities were addressed in IBM Cognos Command Center 10.2.5 FP1 IF2 Vulnerability Details CVEID:CVE-2025-48924 DESCRIPTION: Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to...
Security Bulletin: Multiple security vulnerabilities have been identified in IBM HTTP Server shipped with IBM DevOps Code ClearCase [CVE-2025-66200, CVE-2025-59375, CVE-2025-65082, CVE-2025-59775, CVE-2025-58098]
Summary IBM HTTP Server IHS is shipped as a component of IBM DevOps Code ClearCase. Information about a security vulnerability affecting IHS has been published in a security bulletin. CVE-2025-66200, CVE-2025-59375, CVE-2025-65082, CVE-2025-59775, CVE-2025-58098 Vulnerability Details Refer to the...
Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM DevOps Code ClearCase (CVE-2025-12635)
Summary IBM WebSphere Application Server WAS is shipped as a component of IBM DevOps Code ClearCase. Information about security vulnerabilities affecting WAS has been published in security bulletins. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section...
Security Bulletin: Vulnerability in IBM WebSphere Application (CVE-2020-36732) affects IBM PowerVM Novalink.
Summary IBM WebSphere Liberty Profile is used by IBM PowerVM Novalink. IBM PowerVM Novalink has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2020-36732 DESCRIPTION: The crypto-js package before 3.2.1 for Node.js generates random numbers by concatenating the string "0." with an...
Security Bulletin: Multiple vulnerabilities that affect IBM Db2 Data Management Console (CVE-2022-23471, CVE-2023-25153, CVE-2023-25173)
Summary github.com/containerd/containerd, github.com/containerd/containerd/api are dependency packages used by IBM Db2 Data Management Console. This bulletin describes the upgrades necessary to address the vulnerability. Vulnerability Details CVEID:CVE-2022-41724 DESCRIPTION: Golang Go is...
Security Bulletin: IBM webMethods Integration Server is affected by CVE-2025-14150
Summary IBM webMethods Integration server could disclose sensitive user information in server responses. CVE-2025-14150 Vulnerability Details CVEID:CVE-2025-14150 DESCRIPTION: IBM webMethods Integration could disclose sensitive user information in server responses. CWE:CWE-497: Exposure of...
Security Bulletin: IBM Maximo Application Suite uses k8s.io/kubernetes v1.33.1 which is vulnerable to CVE-2025-4563 and CVE-2025-5187
Summary IBM Maximo Application Suite uses k8s.io/kubernetes v1.33.1 which is vulnerable to CVE-2025-4563 and CVE-2025-5187. This bulletin contains information regarding the vulnerability and its fix. Vulnerability Details CVEID:CVE-2025-4563 DESCRIPTION: A vulnerability exists in the...
Security Bulletin: Multiple Vulnerabilities in WebSphere Application Server Liberty affect IBM Cloud Pak System [CVE-2024-56339, CVE-2023-50314]
Summary Vulnerabilities in IBM WebSphere Application Server Liberty affect IBM Cloud Pak System. Vulnerability Details CVEID:CVE-2024-56339 DESCRIPTION: IBM WebSphere Application Server 9.0 and WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.7 could allow a remote attacker to bypass...
Security Bulletin: IBM OpenPages for Cloud Pak for Data is Vulnerable to Multiple Spring Framework Vulnerabilities (CVE-2016-1000027,CVE-2024-22243,CVE-2024-22259,CVE-2024-38809,CVE-2024-22262,CVE-2024-38820,CVE-2024-38828)
Summary Spring MVC controller vulnerable to potential remote code execution (RCE), DoS attack and DataBinder Case Sensitive Match Exception. Applications that use UriComponentsBuilder to parse an externally provided URL may be vulnerable to an open redirect...
Security Bulletin: auth0/node-jws HS256 signature verification bypass via improper HMAC secret handling (≤3.2.2, 4.0.0)
Summary auth0/node-jws HS256 signature verification bypass due to improper HMAC secret handling versions ≤ 3.2.2 and 4.0.0 Vulnerability Details CVEID:CVE-2025-65945 DESCRIPTION: auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0,...
Security Bulletin: Due to use of apache.felix.webconsole, IBM webMethods BPM is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability
Summary IBM webMethods BPM is using apache.felix.webconsole. Vulnerability Details CVEID:CVE-2025-25247 DESCRIPTION: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Apache Felix Webconsole. This issue affects Apache Felix Webconsole 4.x up to...
Security Bulletin: Vulnerability in Apache Log4j may affect IBM APM Internet Service Monitoring Agent
Summary There is a vulnerability in the Apache log4j library used by IBM APM Internet Service Monitoring Agent. Vulnerability Details CVEID:CVE-2025-68161 DESCRIPTION: The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer...
Security Bulletin: Vulnerabilities in IBM Semeru SDK (CVE-2025-53057, CVE-2025-53066) affect Power HMC.
Summary The IBM Semeru SDK is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2025-53057 DESCRIPTION: An unspecified vulnerability in Java SE related to the Security component could allow a remote attacker to cause no...
Security Bulletin: Vulnerability in openssh (CVE-2025-26465) affects Power HMC.
Summary The openssh library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2025-26465 DESCRIPTION: A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be...
Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in urllib3
Summary Multiple vulnerabilities in urllib3 that is used by InfoSphere Information Server were addressed. Vulnerability Details CVEID:CVE-2026-21441 DESCRIPTION: urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by...
Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in Werkzeug
Summary Multiple vulnerabilities in Werkzeug that is used by InfoSphere Information Server were addressed. Vulnerability Details CVEID:CVE-2026-21860 DESCRIPTION: Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5, Werkzeug's safe_join function allows path segments wi...
Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in yawkat LZ4 Java
Summary Multiple vulnerabilities in yawkat LZ4 Java that is used by IBM InfoSphere Information Server were addressed. Vulnerability Details CVEID:CVE-2025-12183 DESCRIPTION: Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and earlier allow remote attackers to cause denial of service and...
Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in Progress DataDirect JDBC drivers
Summary Multiple vulnerabilities in Progress DataDirect JDBC drivers that are used by InfoSphere Information Server were addressed. Vulnerability Details CVEID:CVE-2025-10702 DESCRIPTION: Improper Control of Generation of Code 'Code Injection' vulnerability in Progress DataDirect Connect for JDBC...
Security Bulletin: A SQL Injection vulnerability has been addressed in IBM Aspera Console
Summary A SQL Injection attack could allow specially crafted SQL statements into the application which could impact the data in the back-end database. This issue has been addressed in IBM Aspera Console version 3.4.8 FP1. Vulnerability Details CVEID:CVE-2025-13379 DESCRIPTION: IBM Aspera Console i...
Security Bulletin: Vulnerability in minimatch-3.0.4.tgz affects IBM Db2 Data Management Console (CVE-2022-3517)
Summary minimatch-3.0.4.tgz open source library is used by IBM Db2 Data Management Console. This bulletin describes the upgrades necessary to address the vulnerability. Vulnerability Details CVEID:CVE-2022-3517 DESCRIPTION: minimatch is vulnerable to a denial of service, caused by a regular...
Security Bulletin: Security vulnerability in Apache Commons Lang may affect IBM Business Automation Workflow - CVE-2025-48924
Summary IBM Business Automation Workflow packages a vulnerable copy of the Apache Commons Lang open source library. Vulnerability Details CVEID:CVE-2025-48924 DESCRIPTION: Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with...
Security Bulletin: Denial of Service vulnerability in axios may affect IBM Business Automation Workflow - CVE-2025-58754
Summary IBM Business Automation Workflow packages a vulnerable version of the axios library. Vulnerability Details CVEID:CVE-2025-58754 DESCRIPTION: Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0 runs...
Security Bulletin: Security Vulnerabilities affect IBM Voice Gateway
Summary Security Vulnerabilities affect IBM Voice Gateway. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2025-65945 DESCRIPTION: auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an...
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect WebSphere Service Registry and Repository due to January 2026 CPU
Summary There are multiple vulnerabilities in IBM SDK Java Technology Edition, used by WebSphere Service Registry and Repository. These issues were disclosed as part of the IBM Java SDK updates in January 2026. These issues are addressed by WebSphere Application Server shipped with WebSphere...
Security Bulletin: Multiple vulnerabilities in IBM watsonx Orchestrate Developer Edition
Summary Multiple vulnerabilities were addressed in IBM watsonx Orchestrate Developer Edition version 2.3.0 Vulnerability Details CVEID:CVE-2025-64512 DESCRIPTION: Pdfminer.six is a community maintained fork of the original PDFMiner, a tool for extracting information from PDF documents. Prior to...
Security Bulletin: There is a vulnerability in werkzeug-3.1.3-py3-none-any.whl used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2025-66221)
Summary There is a vulnerability in werkzeug-3.1.3-py3-none-any.whl used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2025-66221 DESCRIPTION: Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4, Werkzeug's safe_join...