Security Bulletin: There is a vulnerability in lz4-java-1.8.1.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2025-66566)
Summary There is a vulnerability in lz4-java-1.8.1.jar used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2025-66566 DESCRIPTION: yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based...
Security Bulletin: There is a vulnerability in pyasn1-0.6.1.tar.gz used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2026-23490)
Summary There is a vulnerability in pyasn1-0.6.1.tar.gz used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2026-23490 DESCRIPTION: pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads ...
Security Bulletin: There is a vulnerability in lz4-java-1.7.1.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2025-12183)
Summary There is a vulnerability in lz4-java-1.7.1.jar used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2025-12183 DESCRIPTION: Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and earlier allow remote attackers to cause denial of...
Security Bulletin: WebSphere Application Server Liberty is affected by SMTP injection due to Jakarta Mail (CVE-2025-7962)
Summary WebSphere Application Server Liberty is affected by SMTP injection due to Jakarta Mail. Vulnerability Details CVEID:CVE-2025-7962 DESCRIPTION: In Jakarta Mail 2.0.2 it is possible to perform an SMTP injection by utilizing the \r and \n UTF-8 characters to separate different messages...
Security Bulletin: There is a vulnerability in urllib3-2.5.0-py3-none-any.whl used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2025-66418)
Summary There is a vulnerability in urllib3-2.5.0-py3-none-any.whl used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2025-66418 DESCRIPTION: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0,...
Security Bulletin: IBM OpenPages for Cloud Pak for Data is Vulnerable to Multiple Spring Framework Vulnerabilities (CVE-2024-38820,CVE-2025-22233)
Summary A Spring MVC controller is vulnerable to a DoS attack, and DataBinder is affected by a case-sensitive match exception. These vulnerabilities were remediated. Vulnerability Details CVEID:CVE-2024-38820 DESCRIPTION: The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However,...
Security Bulletin: Arbitrary Code Execution in Logback-Core via Conditional Configuration Processing, affects watsonx.data
Summary QOS.CH logback-core up to and including version 1.5.18 is vulnerable to arbitrary code execution due to unsafe conditional configuration file processing. An attacker with existing privileges can exploit this by modifying an existing Logback configuration file or injecting a malicious...
Security Bulletin: The IBM Maximo Application Suite AI-Service component uses multiple third-party dependencies that contain vulnerabilities associated with multiple CVEs.
Summary The IBM Maximo Application Suite AI-Service component uses "langchaincore-0.3.29-py3-none-any.whl, langchaincore-0.3.80-py3-none-any.whl, jsonpath-plus-8.1.0.tgz, mlflow-2.19.0-py3-none-any.whl, pg8000-1.31.2-py3-none-any.whl" which are vulnerable to "CVE-2025-68664, CVE-2024-21534,...
Security Bulletin: The IBM Maximo Application Suite AI-Service component uses multiple third-party dependencies that contain vulnerabilities associated with multiple CVEs.
Summary The IBM Maximo Application Suite AI-Service component uses "base-x-4.0.0.tgz, body-parser-1.20.2.tgz, cross-spawn-7.0.3.tgz, glob-10.4.2.tgz, path-to-regexp-0.1.7.tgz, qs-6.13.0.tgz, qs-6.14.0.tgz, qs-6.5.3.tgz, urllib3-2.6.2-py3-none-any.whl" which are vulnerable to "CVE-2025-27611,...
Security Bulletin: The IBM Maximo Application Suite AI-Service component uses multiple third-party dependencies that contain vulnerabilities associated with multiple CVEs.
Summary The IBM Maximo Application Suite AI-Service component uses "fonttools-4.44.3-cp311-cp311-manylinux217x8664.manylinux2014x8664.whl, fonttools-4.55.3-cp311-cp311-manylinux217x8664.manylinux2014x8664.whl, werkzeug-3.0.6-py3-none-any.whl, filelock-3.13.4-py3-none-any.whl,...
Security Bulletin: The IBM Maximo Application Suite AI-Service component uses multiple third-party dependencies that contain vulnerabilities associated with multiple CVEs.
Summary The IBM Maximo Application Suite AI-Service component uses "FlaskCors-4.0.2-py2.py3-none-any.whl, langchaincommunity-0.3.3-py3-none-any.whl, langchaincore-0.3.29-py3-none-any.whl, langchaintextsplitters-0.3.5-py3-none-any.whl, pdfminersix-20250327-py3-none-any.whl,...
Security Bulletin: The IBM Maximo Application Suite IoT component uses "urllib3-2.5.0-py3-none-any.whl" which is vulnerable to "CVE-2025-66418, CVE-2025-66471".
Summary The IBM Maximo Application Suite IoT component uses "urllib3-2.5.0-py3-none-any.whl" which is vulnerable to "CVE-2025-66418, CVE-2025-66471". This bulletin contains information regarding the vulnerabilities and how they are addressed. Vulnerability Details CVEID:CVE-2025-66418 DESCRIPTIO...
Security Bulletin: IBM WebSphere Application Server Liberty is affected by a remote code execution vulnerability (CVE-2025-14914)
Summary IBM WebSphere Application Server Liberty is affected by a remote code execution vulnerability with the restConnector-1.0 or restConnector-2.0 feature enabled. Vulnerability Details CVEID:CVE-2025-14914 DESCRIPTION: IBM WebSphere Application Server Liberty could allow a privileged user to...
Security Bulletin: Cross-site scripting vulnerability affects IBM Business Automation Workflow - CVE-2025-36436
Summary IBM Business Automation Workflow is vulnerable to a Cross-site scripting attack. Vulnerability Details CVEID:CVE-2025-36436 DESCRIPTION: IBM Business Automation Workflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary...
Security Bulletin: Security vulnerability in min-document may affect IBM Business Automation Workflow - CVE-2025-57352
Summary IBM Business Automation Workflow packages a vulnerable copy of min-document. Vulnerability Details CVEID:CVE-2025-57352 DESCRIPTION: A vulnerability exists in the 'min-document' package prior to version 2.19.0, stemming from improper handling of namespace operations in the removeAttribute...
Security Bulletin: XML eXternal Entity injection (XXE) vulnerability affects IBM Business Automation Workflow - CVE-2025-13096
Summary IBM Business Automation Workflow is vulnerable to an XML eXternal Entity injection (XXE) attack. Vulnerability Details CVEID:CVE-2025-13096 DESCRIPTION: IBM Business Automation Workflow is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker...
Security Bulletin: Weaker than expected SQL injection protection may affect IBM Business Automation Workflow traditional - CVE-2025-5878
Summary IBM Business Automation Workflow embedded Navigator packages a vulnerable library of ESAPI. Vulnerability Details CVEID:CVE-2025-5878 DESCRIPTION: A vulnerability was found in ESAPI esapi-java-legacy and classified as problematic. This issue affects the interface Encoder.encodeForSQL of t...
Security Bulletin: Multiple Vulnerabilities in IBM API Connect
Summary Multiple vulnerabilities were addressed in IBM API Connect version 10.0.8.6. Vulnerability Details CVEID:CVE-2021-3999 DESCRIPTION: A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd may lead to memory corruption when the size of the buffer is exactly 1. A loc...
Security Bulletin: Multiple security vulnerabilities addressed with IBM Business Automation Workflow containers January 2026
Summary In addition to updating many operating system level packages, the IBM Business Automation Workflow container fixes address the following vulnerabilities. Vulnerability Details CVEID:CVE-2025-47912 DESCRIPTION: The Parse function permits values other than IPv6 addresses to be included in squar...
Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for January 2026.
Summary In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 24.0.0-IF008. Vulnerability Details CVEID:CVE-2019-17543 DESCRIPTION: LZ4 before 1.9.2 has a heap-based buffer overflow in...
Security Bulletin: Multiple Vulnerabilities in IBM Cloud Pak System
Summary Multiple vulnerabilities were addressed in IBM Cloud Pak System version 2.3.6.1. Vulnerability Details CVEID:CVE-2025-0395 DESCRIPTION: When the assert function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and...
Security Bulletin: Due to IBM Storage Scale, IBM Cloud Pak System is affected by multiple vulnerabilities [CVE-2025-48976, CVE-2025-30204, CVE-2025-1137].
Summary Privileged command execution and denial of service vulnerabilities found in IBM Storage Scale (previously known as IBM Spectrum Scale) affect IBM Cloud Pak System. These vulnerabilities were addressed in IBM Cloud Pak System v2.3.6.1. Vulnerability Details CVEID:CVE-2025-48976 DESCRIPTION:...
Security Bulletin: Due to the use of IBM Db2, IBM Cloud Pak System is affected by multiple vulnerabilities
Summary Vulnerabilities found in IBM Db2 LUW affect the Foundation and IBM Tivoli Monitoring (ITM) pattern types (pTypes) shipped with IBM Cloud Pak System. These vulnerabilities were addressed in IBM Cloud Pak System. IBM Cloud Pak System v2.3.6.1 has updated the Foundation and ITM pTypes to Foundation versi...
Security Bulletin: Multiple vulnerabilities in IBM® SDK Java™ affect IBM Cloud Pak System
Summary Multiple vulnerabilities in the IBM® SDK, Java™ Technology Edition were addressed in IBM Cloud Pak System version 2.3.6.1. Vulnerability Details CVEID:CVE-2025-30754 DESCRIPTION: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Orac...
Security Bulletin: Due to use of VMware vCenter, IBM Cloud Pak System is affected by header injection and denial-of-service vulnerabilities [CVE-2025-41250,CVE-2025-41241]
Summary Due to use of VMware vCenter, IBM Cloud Pak System is affected by header injection and denial-of-service vulnerabilities [CVE-2025-41250, CVE-2025-41241]. IBM Cloud Pak System has addressed these vulnerabilities. IBM Cloud Pak System includes the patched vCenter Server 8.0 U3g release as par...
Security Bulletin: Multiple Vulnerabilities in VMware ESXi affect IBM Cloud Pak System
Summary Vulnerabilities in VMware ESXi affect IBM Cloud Pak System. IBM Cloud Pak System has addressed these vulnerabilities. Cloud Pak System has delivered updated workload nodes to VMware ESXi 83U3g. Vulnerability Details CVEID:CVE-2025-41236 DESCRIPTION: VMware ESXi, Workstation, and Fusion contain a...
Security Bulletin: A MongoDB zlib protocol flaw lets unauthenticated clients read uninitialized heap memory in multiple versions prior to patched releases.
Summary Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to Denial of Service (DoS) due to malformed token parsing in golang.org/x/oauth2 module (CVE-2025-22868)
Summary Potential vulnerabilities in the golang.org/x/oauth2 module (CVE-2025-22868) have been identified that may affect IBM Cloud Pak for Data. Vulnerability Details CVEID:CVE-2025-22868 DESCRIPTION: An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during...
Security Bulletin: IBM® Db2® is vulnerable to privilege escalation under specific configuration of cataloged remote storage aliases (CVE-2025-36365)
Summary IBM® Db2® under specific configuration of cataloged remote storage aliases could allow an authenticated user to execute unauthorized commands due to an authorization bypass vulnerability using a user-controlled key. Vulnerability Details CVEID:CVE-2025-36365 DESCRIPTION: IBM Db2 for Linux...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to service disruption due to memory exhaustion vulnerability in expression parser
Summary Potential vulnerabilities in the github.com/Expr-lang/expr module (CVE-2025-29786) have been identified that may affect IBM Cloud Pak for Data. Vulnerability Details CVEID:CVE-2025-29786 DESCRIPTION: Expr is an expression language and expression evaluation for Go. Prior to version 1.17.0, if th...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to DoS due to unbounded memory allocation in golang.org/x/crypto SSH implementation (CVE-2025-22869)
Summary Potential vulnerabilities in the golang.org/x/crypto module (CVE-2025-22869) have been identified that may affect IBM Cloud Pak for Data. Vulnerability Details CVEID:CVE-2025-22869 DESCRIPTION: SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from...
Security Bulletin: IBM watsonx Orchestrate Developer Edition is vulnerable to Regular Expression Denial of Service (ReDoS) due to cross-spawn
Summary cross-spawn is used by IBM watsonx Orchestrate Developer Edition as part of image: tools-runtime. Vulnerability Details CVEID:CVE-2024-21538 DESCRIPTION: Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service ReD...
Security Bulletin: IBM watsonx Orchestrate Developer Edition is vulnerable to Server-Side Request Forgery (SSRF) due to urllib3
Summary urllib3 is used by IBM watsonx Orchestrate Developer Edition as part of image: wxo-builder. Vulnerability Details CVEID:CVE-2025-50181 DESCRIPTION: urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiati...
Security Bulletin: IBM watsonx Orchestrate Developer Edition is vulnerable to HTTP Request Smuggling vulnerability due to gunicorn
Summary gunicorn is used by IBM watsonx Orchestrate Developer Edition as part of image: wxo-rag-tool. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section. Affected Products and Versions Affected Products| Versions ---|--- IBM watsonx Orchestrate Developer...
Security Bulletin: IBM watsonx Orchestrate Developer Edition is vulnerable to Path Traversal vulnerability due to github.com/gin-gonic/gin
Summary github.com/gin-gonic/gin is used by IBM watsonx Orchestrate Developer Edition as part of image: tools-runtime-manager. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section. Affected Products and Versions Affected Products| Versions ---|--- IBM watson...
Security Bulletin: Multiple vulnerabilities in IBM watsonx Orchestrate Developer Edition
Summary Multiple vulnerabilities were addressed in IBM watsonx Orchestrate Developer Edition version 2.3.0. Vulnerability Details CVEID:CVE-2025-57319 DESCRIPTION: fast-redact is a package that provides very fast object redaction. A Prototype Pollution vulnerability in the nestedRestore functio...
Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses glob which is vulnerable to CVE-2025-64756.
Summary IBM Maximo Application Suite - Visual Inspection component uses glob which is vulnerable to CVE-2025-64756. This bulletin contains information regarding the vulnerability and its remediation. Vulnerability Details CVEID:CVE-2025-64756 DESCRIPTION: Glob matches files using patterns the she...
Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses golang-jwt which is vulnerable to CVE-2025-30204
Summary IBM Maximo Application Suite - Visual Inspection component uses golang-jwt which is vulnerable to CVE-2025-30204. This bulletin contains information regarding the vulnerability and its remediation. Vulnerability Details CVEID:CVE-2025-30204 DESCRIPTION: golang-jwt is a Go implementation o...
Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses node-forge which is vulnerable to CVE-2025-66030, CVE-2025-66031
Summary IBM Maximo Application Suite - Visual Inspection component uses node-forge which is vulnerable to CVE-2025-66030 and CVE-2025-66031. This bulletin contains information regarding the vulnerabilities and their remediation. Vulnerability Details CVEID:CVE-2025-66030 DESCRIPTION: Forge also called...
Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses node-forge which is vulnerable to CVE-2025-12816
Summary IBM Maximo Application Suite - Visual Inspection component uses node-forge which is vulnerable to CVE-2025-12816. This bulletin contains information regarding the vulnerability and its remediation. Vulnerability Details CVEID:CVE-2025-12816 DESCRIPTION: An interpretation-conflict CWE-436...
Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses min-document which is vulnerable to CVE-2025-57352
Summary IBM Maximo Application Suite - Visual Inspection component uses min-document which is vulnerable to CVE-2025-57352. This bulletin contains information regarding the vulnerability and its remediation. Vulnerability Details CVEID:CVE-2025-57352 DESCRIPTION: A vulnerability exists in the...
Security Bulletin: IBM Maximo Application Suite - Monitor Component uses WebSphere Application Server Liberty which is affected by SMTP injection due to Jakarta Mail and vulnerable to CVE-2025-7962.
Summary IBM Maximo Application Suite - Monitor Component uses WebSphere Application Server Liberty which is affected by SMTP injection due to Jakarta Mail and vulnerable to CVE-2025-7962. This bulletin contains information regarding the vulnerability and its fix. Vulnerability Details...
Security Bulletin: IBM Maximo Application Suite - Monitor Component uses urllib3-2.5.0-py3-none-any.whl which is vulnerable to CVE-2025-66418, CVE-2025-66471.
Summary IBM Maximo Application Suite - Monitor Component uses urllib3-2.5.0-py3-none-any.whl which is vulnerable to CVE-2025-66418 and CVE-2025-66471. This bulletin contains information regarding the vulnerabilities and their fix. Vulnerability Details CVEID:CVE-2025-66418 DESCRIPTION: urllib3 is a...
Security Bulletin: IBM Edge Data Collector uses urllib3-2.5.0-py3-none-any.whl which is vulnerable to CVE-2025-66418, CVE-2025-66471.
Summary IBM Edge Data Collector uses urllib3-2.5.0-py3-none-any.whl which is vulnerable to CVE-2025-66418 and CVE-2025-66471. This bulletin contains information regarding the vulnerabilities and their fix. Vulnerability Details CVEID:CVE-2025-66418 DESCRIPTION: urllib3 is a user-friendly HTTP client...
Security Bulletin: IBM Maximo Application Suite - Monitor Component uses systeminformation-5.25.11.tgz which is vulnerable to CVE-2025-68154.
Summary IBM Maximo Application Suite - Monitor Component uses systeminformation-5.25.11.tgz which is vulnerable to CVE-2025-68154. This bulletin contains information regarding the vulnerability and its fix. Vulnerability Details CVEID:CVE-2025-68154 DESCRIPTION: systeminformation is a System...
Security Bulletin: IBM Maximo Application Suite - Monitor Component uses jws-3.2.2.tgz which is vulnerable to CVE-2025-65945.
Summary IBM Maximo Application Suite - Monitor Component uses jws-3.2.2.tgz which is vulnerable to CVE-2025-65945. This bulletin contains information regarding the vulnerability and its fix. Vulnerability Details CVEID:CVE-2025-65945 DESCRIPTION: auth0/node-jws is a JSON Web Signature...
Security Bulletin: IBM Edge Data Collector uses jws-3.2.2.tgz which is vulnerable to CVE-2025-65945.
Summary IBM Edge Data Collector uses jws-3.2.2.tgz which is vulnerable to CVE-2025-65945. This bulletin contains information regarding the vulnerability and its fix. Vulnerability Details CVEID:CVE-2025-65945 DESCRIPTION: auth0/node-jws is a JSON Web Signature implementation for Node.js. In...
Security Bulletin: IBM Edge Data Collector uses bootstrap-table-1.18.1.min.js, bootstrap-table-1.18.2.min.js, bootstrap-table-export-1.18.2.min.js which are vulnerable to CVE-2022-1726, CVE-2021-23472.
Summary IBM Edge Data Collector uses bootstrap-table-1.18.1.min.js, bootstrap-table-1.18.2.min.js, bootstrap-table-export-1.18.2.min.js which are vulnerable to CVE-2022-1726 and CVE-2021-23472. This bulletin contains information regarding the vulnerabilities and their fix. Vulnerability Details...
Security Bulletin: IBM Maximo Application Suite - Monitor Component uses lz4-java-1.8.0.jar which is vulnerable to CVE-2025-12183, CVE-2025-66566.
Summary IBM Maximo Application Suite - Monitor Component uses lz4-java-1.8.0.jar which is vulnerable to CVE-2025-12183 and CVE-2025-66566. This bulletin contains information regarding the vulnerabilities and their fix. Vulnerability Details CVEID:CVE-2025-66566 DESCRIPTION: yawkat LZ4 Java provides...
Security Bulletin: IBM Edge Data Collector uses django-4.2.26-py3-none-any.whl which is vulnerable to CVE-2025-13372, CVE-2025-64460.
Summary IBM Edge Data Collector uses django-4.2.26-py3-none-any.whl which is vulnerable to CVE-2025-13372 and CVE-2025-64460. This bulletin contains information regarding the vulnerabilities and their fix. Vulnerability Details CVEID:CVE-2025-13372 DESCRIPTION: An issue was discovered in 5.2 before...