
34926 matches found

IBM Security Bulletins
added 2025/12/17 2:16 p.m. | 16 views

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a path traversal in Python [CVE-2025-4517]

Summary IBM Watson Speech Services Cartridge is vulnerable to a path traversal due to an issue in Python that allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data". CVE-2025-4517. Python is used in our speech service runtimes. This vulnerability...

CVSS 9.4 | AI score 7.9 | EPSS 0.00403
Exploits: 11 | Affected Software: 1

IBM Security Bulletins
added 2025/12/17 2:14 p.m. | 8 views

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to Improper Authorization in Spring Framework [CVE-2025-41249]

Summary IBM Watson Speech Services Cartridge is vulnerable to Improper Authorization in Spring Framework, due to an issue where the annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics...

CVSS 7.5 | AI score 6.4 | EPSS 0.00112
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/17 2:13 p.m. | 5 views

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an Improper Resource Shutdown or Release in PyTorch [CVE-2025-2953]

Summary IBM Watson Speech Services Cartridge is vulnerable to an Improper Resource Shutdown or Release in PyTorch, due to an issue found in PyTorch 2.6.0+cu124 that affects the function torch.mkldnn_max_pool2d CVE-2025-2953. PyTorch is used in our service runtimes. This vulnerability has been...

CVSS 5.5 | AI score 6 | EPSS 0.00058
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/12/17 2:11 p.m. | 7 views

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a path traversal in Python [CVE-2025-4138]

Summary IBM Watson Speech Services Cartridge is vulnerable to a path traversal due to an issue in Python that allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. CVE-2025-4138. Python is us...

CVSS 7.5 | AI score 7.9 | EPSS 0.00273
Exploits: 7 | Affected Software: 1

IBM Security Bulletins
added 2025/12/17 2:09 p.m. | 10 views

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a path traversal in Python [CVE-2025-4330]

Summary IBM Watson Speech Services Cartridge is vulnerable to a path traversal due to an issue in Python that allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata CVE-2025-4330. Python is used i...

CVSS 7.5 | AI score 7.9 | EPSS 0.01012
Exploits: 2 | Affected Software: 1

IBM Security Bulletins
added 2025/12/17 2:08 p.m. | 7 views

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a path traversal in Python [CVE-2024-12718]

Summary IBM Watson Speech Services Cartridge is vulnerable to a path traversal in Python, due to issues with filter="data" or file permissions chmod with filter="tar" which allow modifying some metadata of files outside the extraction directory CVE-2024-12718. Python is used in our speech service...

CVSS 5.3 | AI score 7.9 | EPSS 0.0079
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/12/17 2:07 p.m. | 9 views

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an incorrect calculation in python [CVE-2025-4435]

Summary IBM Watson Speech Services Cartridge is vulnerable to an incorrect calculation in python, due to an issue with 'TarFile.errorlevel = 0' that causes filtered members to be skipped and not extracted CVE-2025-4435. Python is used in our speech service runtimes. This vulnerability has been...

CVSS 7.5 | AI score 6.7 | EPSS 0.00541
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/12/17 2:05 p.m. | 6 views

Security Bulletin: IBM App Connect Enterprise is vulnerable to Denial of Service due to snake-yaml (CVE-2022-25857)

Summary IBM App Connect Enterprise Toolkit is vulnerable to Denial of Service due to snake-yaml. Vulnerability Details CVEID:CVE-2022-25857 DESCRIPTION: The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due to missing nested depth limitation for...

CVSS 7.5 | AI score 6.5 | EPSS 0.0292
Exploits: 2 | Affected Software: 1

IBM Security Bulletins
added 2025/12/17 1:46 p.m. | 5 views

Security Bulletin: Vulnerability in urllib3 affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) [CVE-2023-43804, CVE-2023-45803]

Summary The urllib3 package is used by IBM Cloud Pak for Data System 2.0. IBM Cloud Pak for Data System 2.0 has addressed the applicable CVEs CVE-2023-43804, CVE-2023-45803 Vulnerability Details CVEID:CVE-2023-43804 DESCRIPTION: urllib3 is a user-friendly HTTP client library for Python. urllib3...

CVSS 8.1 | AI score 6.8 | EPSS 0.0095
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/17 1:28 p.m. | 9 views

Security Bulletin: Vulnerability in OpenSSH affects IBM Netezza Appliance

Summary The OpenSSH package is used by IBM Netezza Appliance. IBM Netezza Appliance has addressed the applicable CVE CVE-2025-26465 Vulnerability Details CVEID:CVE-2025-26465 DESCRIPTION: A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle...

CVSS 6.8 | AI score 6.1 | EPSS 0.61739
Exploits: 4 | Affected Software: 1

IBM Security Bulletins
added 2025/12/17 1:26 p.m. | 7 views

Security Bulletin: Vulnerability in OpenPrinting CUPS affects IBM Netezza Appliance

Summary The OpenPrinting CUPS package is used by IBM Netezza Appliance. IBM Netezza Appliance has addressed the applicable CVEs CVE-2025-58060, CVE-2025-58364 Vulnerability Details CVEID:CVE-2025-58060 DESCRIPTION: OpenPrinting CUPS is an open source printing system for Linux and other Unix-like...

CVSS 8 | AI score 6.7 | EPSS 0.00166
Exploits: 2 | Affected Software: 1

IBM Security Bulletins
added 2025/12/17 1:22 p.m. | 8 views

Security Bulletin: Vulnerability in Netty affects IBM Netezza Appliance

Summary The Netty package is used by IBM Netezza Appliance. IBM Netezza Appliance has addressed the applicable CVE CVE-2025-55163 Vulnerability Details CVEID:CVE-2025-55163 DESCRIPTION: Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and...

CVSS 8.2 | AI score 6.5 | EPSS 0.00053
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/12/17 1:19 p.m. | 4 views

Security Bulletin: Vulnerability in libxml2 affects IBM Netezza Appliance

Summary The libxml2 package is used by IBM Netezza Appliance. IBM Netezza Appliance has addressed the applicable CVE CVE-2025-32415 Vulnerability Details CVEID:CVE-2025-32415 DESCRIPTION: In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-bas...

CVSS 7.5 | AI score 6.7 | EPSS 0.00045
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/12/17 1:07 p.m. | 6 views

Security Bulletin: IBM MQ Appliance is affected by Java vulnerabilities (CVE-2025-52057 and CVE-2025-53066)

Summary IBM MQ Appliance has addressed Java vulnerabilities. Vulnerability Details CVEID:CVE-2025-53057 DESCRIPTION: An unspecified vulnerability in Java SE related to the Security component could allow a remote attacker to cause no confidentiality impact, high integrity impact, and no availabili...

CVSS 7.5 | AI score 6.3 | EPSS 0.00068
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/17 1:06 p.m. | 5 views

Security Bulletin: Vulnerability in Jinja2 affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) [CVE-2024-56326, CVE-2024-56201]

Summary The Jinja2 package is used by IBM Cloud Pak for Data System 2.0. IBM Cloud Pak for Data System 2.0 has addressed the applicable CVEs CVE-2024-56326, CVE-2024-56201 Vulnerability Details CVEID:CVE-2024-56326 DESCRIPTION: Jinja is an extensible templating engine. Prior to 3.1.5, An oversig...

CVSS 8.8 | AI score 7.2 | EPSS 0.00573
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/17 12:23 p.m. | 7 views

Security Bulletin: IBM MQ is affected by multiple Java vulnerabilities (CVE-2025-53057, CVE-2025-53066)

Summary Multiple issues were identified with the IBM Runtime Environment, Java Technology Edition and IBM Semeru Runtime Environment which are shipped with IBM MQ Vulnerability Details CVEID:CVE-2025-53057 DESCRIPTION: An unspecified vulnerability in Java SE related to the Security component coul...

CVSS 7.5 | AI score 6.2 | EPSS 0.00068
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/17 12:12 p.m. | 7 views

Security Bulletin: Multiple Vulnerabilities in Java affecting IBM Knowledge Catalog and IBM Match 360 On Cloud Pak for Data

Summary Lineage, an internal component of IBM Knowledge Catalog, and the IBM Match 360 component within IBM Cloud Pak for Data are impacted by vulnerabilities in Java. These vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2025-53057 DESCRIPTION: An unspecified vulnerability i...

CVSS 7.5 | AI score 6.5 | EPSS 0.00068
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/17 11:25 a.m. | 9 views

Security Bulletin: Multiple vulnerabilities affect IBM Db2® on Cloud Pak for Data, and Db2 Warehouse on Cloud Pak for Data

Summary IBM has released the below fix for IBM Db2® on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data in response to multiple vulnerabilities found in multiple components. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details...

CVSS 9.1 | AI score 7.8 | EPSS 0.00294
Exploits: 7

IBM Security Bulletins
added 2025/12/17 10:49 a.m. | 6 views

Security Bulletin: IBM watsonx Orchestrate Developer Edition is vulnerable to Prototype Pollution flaw due to lodash.clonedeep

Summary lodash.clonedeep is used by IBM watsonx Orchestrate Developer Edition as part of images: agentic-task-manager, wxo-builder-ui, wxo-connections Vulnerability Details CVEID:CVE-2018-16487 DESCRIPTION: A prototype pollution vulnerability was found in lodash 4.17.11 where the functions merge,...

CVSS 6.8 | AI score 6.5 | EPSS 0.00468
Exploits: 2 | Affected Software: 1

IBM Security Bulletins
added 2025/12/17 10:46 a.m. | 4 views

Security Bulletin: IBM watsonx Orchestrate Developer Edition is vulnerable to Exposed Dangerous Method or Function, Origin Validation Error due to webpack-dev-server

Summary webpack-dev-server is used by IBM watsonx Orchestrate Developer Edition as part of wxo-chat Vulnerability Details CVEID:CVE-2025-30359 DESCRIPTION: webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1,...

CVSS 6.5 | AI score 6.7 | EPSS 0.00106
Exploits: 2 | Affected Software: 1

IBM Security Bulletins
added 2025/12/17 10:44 a.m. | 2 views

Security Bulletin: IBM watsonx Orchestrate Developer Edition is vulnerable to Cross-site Scripting due to serialize-javascript

Summary serialize-javascript is used by IBM watsonx Orchestrate Developer Edition as part of wxo-chat image Vulnerability Details CVEID:CVE-2024-11831 DESCRIPTION: A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly...

CVSS 5.4 | AI score 5.9 | EPSS 0.01129
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/17 10:29 a.m. | 9 views

Security Bulletin: IBM watsonx Orchestrate Developer Edition is vulnerable to Improper Input Validation due to postcss

Summary postcss is used by IBM watsonx Orchestrate Developer Edition as part of wxo-chat Vulnerability Details CVEID:CVE-2023-44270 DESCRIPTION: An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepa...

CVSS 5.3 | AI score 6.5 | EPSS 0.00166
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/17 10:25 a.m. | 4 views

Security Bulletin: IBM watsonx Orchestrate Developer Edition is vulnerable to Inefficient Regular Expression Complexity due to nth-check

Summary nth-check is used by IBM watsonx Orchestrate Developer Edition as part of wxo-chat image Vulnerability Details CVEID:CVE-2021-3803 DESCRIPTION: nth-check is vulnerable to Inefficient Regular Expression Complexity CWE:CWE-1333: Inefficient Regular Expression Complexity CVSS Source: IBM...

CVSS 7.5 | AI score 6.6 | EPSS 0.00166
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/12/17 10:21 a.m. | 6 views

Security Bulletin: IBM watsonx Orchestrate Developer Edition is vulnerable to HTTP Request Smuggling (HRS) due to gunicorn

Summary gunicorn is used by IBM watsonx Orchestrate Developer Edition as part of wxo-rag-tool image Vulnerability Details CVEID:CVE-2024-6827 DESCRIPTION: Gunicorn version 21.2.0 does not properly validate the value of the 'Transfer-Encoding' header as specified in the RFC standards, which leads ...

CVSS 7.5 | AI score 6.3 | EPSS 0.00029
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/17 10:16 a.m. | 6 views

Security Bulletin: IBM watsonx Orchestrate Developer Edition is vulnerable to Denial of Service (DoS) due to tar

Summary tar is used by IBM watsonx Orchestrate Developer Edition as part of image: tools-runtime Vulnerability Details CVEID:CVE-2024-28863 DESCRIPTION: node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process...

CVSS 6.5 | AI score 6.5 | EPSS 0.00663
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/12/17 10:15 a.m. | 6 views

Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in ip

Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in ip Vulnerability Details CVEID:CVE-2023-42282 DESCRIPTION: The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses such as 0x7f.1 are improperly categorized as globally...

CVSS 9.8 | AI score 6.7 | EPSS 0.00652
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/12/17 10:03 a.m. | 12 views

Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in net/http/internal CVE-2025-22871

Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in net/http/internal CVE-2025-22871 Vulnerability Details CVEID:CVE-2025-22871 DESCRIPTION: The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This...

CVSS 9.1 | AI score 6.5 | EPSS 0.00294
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/17 10:01 a.m. | 8 views

Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in form-data

Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in form-data Vulnerability Details CVEID:CVE-2025-7783 DESCRIPTION: Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution HPP. This vulnerability is associated...

CVSS 9.4 | AI score 6.6 | EPSS 0.01319
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/12/17 9:58 a.m. | 5 views

Security Bulletin: IBM watsonx Orchestrate Developer Edition is vulnerable to Insufficient Random Values (CVE-2025-7783)

Summary Due to the use of the form-data JavaScript library, IBM watsonx Orchestrate Developer Edition is vulnerable to predictable boundary values CVE-2025-7783 Vulnerability Details CVEID:CVE-2025-7783 DESCRIPTION: Use of Insufficiently Random Values vulnerability in form-data allows HTTP...

CVSS 9.4 | AI score 6.7 | EPSS 0.01319
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/12/17 9:51 a.m. | 11 views

Security Bulletin: Multiple vulnerabilities in IBM watsonx Orchestrate Developer Edition

Summary Multiple vulnerabilities were addressed in IBM watsonx Orchestrate Developer Edition version 2.0.0 Vulnerability Details CVEID:CVE-2023-36807 DESCRIPTION: pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. In version 2.10.5...

CVSS 7.5 | AI score 7.4 | EPSS 0.00424
Exploits: 4 | Affected Software: 1

IBM Security Bulletins
added 2025/12/17 7:15 a.m. | 8 views

Security Bulletin: Multiple vulnerabilities in IBM watsonx Orchestrate Cartridge for IBM Cloud Pak for Data

Summary Multiple vulnerabilities were addressed in IBM watsonx Orchestrate Cartridge for IBM Cloud Pak for Data version 5.3 Vulnerability Details CVEID:CVE-2025-41242 DESCRIPTION: Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a...

CVSS 9.8 | AI score 7.8 | EPSS 0.05222
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/12/17 6:13 a.m. | 6 views

Security Bulletin: Due to use of libexpat, IBM Sterling Connect:Direct Web Services is affected by large memory allocations issue.

Summary libexpat is used by IBM Sterling Connect:Direct Web Services CVE-2025-59375. Vulnerability Details CVEID:CVE-2025-59375 DESCRIPTION: libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing. CWE:CWE-770:...

CVSS 7.5 | AI score 6.5 | EPSS 0.00102
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/12/17 6:03 a.m. | 7 views

Security Bulletin: Due to use of IBM Java, IBM Sterling Connect:Direct Web Service is affected by multiple vulnerabilities.

Summary IBM Sterling Connect:Direct Web Service uses IBM Java SE and is affected by multiple vulnerabilities CVE-2025-53066, CVE-2025-53057. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2025-53066 DESCRIPTION: An unspecified vulnerabilit...

CVSS 7.5 | AI score 6.5 | EPSS 0.00068
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/17 1:40 a.m. | 14 views

Security Bulletin: Security vulnerabilities have been found in IBM Verify Identity Access and IBM Security Verify Access

Summary Security vulnerabilities have been addressed in IBM Verify Identity Access and IBM Security Verify Access Vulnerability Details CVEID:CVE-2025-50106 DESCRIPTION: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE...

CVSS 8.1 | AI score 6.5 | EPSS 0.02123
Exploits: 2 | Affected Software: 2

IBM Security Bulletins
added 2025/12/17 1:39 a.m. | 12 views

Security Bulletin: Security vulnerabilities have been discovered in IBM Verify Identity Access and IBM Security Verify Access

Summary Security vulnerabilities have been addressed in IBM Verify Identity Access and IBM Security Verify Access Vulnerability Details CVEID:CVE-2025-7962 DESCRIPTION: In Jakarta Mail 2.0.2 it is possible to perform an SMTP Injection by utilizing the \r and \n UTF-8 characters to separate differe...

CVSS 7.5 | AI score 7 | EPSS 0.01278
Exploits: 1 | Affected Software: 2

IBM Security Bulletins
added 2025/12/16 10:22 p.m. | 10 views

Security Bulletin: React Server Components RCE (CVE-2025-55182) and related advisories

Summary React Server Components RCE vulnerability. Carbon React and related Carbon React based libraries are not related to this CVE. However, many product teams may depend on the affected libraries via frameworks or plugins. We strongly encourage all teams to verify and upgrade any affected...

CVSS 10 | AI score 8.1 | EPSS 0.84489
Exploits: 362 | Affected Software: 1

IBM Security Bulletins
added 2025/12/16 4:45 p.m. | 6 views

Security Bulletin: Multiple Vulnerabilities in IBM Data Product Hub

Summary Multiple vulnerabilities were addressed in IBM Data Product Hub version 5.3 Vulnerability Details CVEID:CVE-2025-64718 DESCRIPTION: js-yaml is a JavaScript YAML parser and dumper. In js-yaml 4.1.0 and below, it's possible for an attacker to modify the prototype of the result of a parsed...

CVSS 7.5 | AI score 6.4 | EPSS 0.00068
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/16 3:10 p.m. | 4 views

Security Bulletin: IBM Cognos Dashboards on Cloud Pak for Data has addressed security vulnerabilities.

Summary There are vulnerabilities in IBM® Java™, IBM® Semeru Runtime and Open-Source Software OSS components used by IBM Cognos Dashboards on Cloud Pak for Data. Vulnerability Details CVEID:CVE-2024-7254 DESCRIPTION: Any project that parses untrusted Protocol Buffers data containing an arbitrary...

CVSS 8.7 | AI score 7 | EPSS 0.00559
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/16 11:25 a.m. | 8 views

Security Bulletin: Vulnerability in Netty affects IBM Netezza Appliance

Summary The Netty package is used by IBM Netezza Appliance. IBM Netezza Appliance has addressed the applicable CVE CVE-2025-59419 Vulnerability Details CVEID:CVE-2025-59419 DESCRIPTION: Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.128.Final and...

CVSS 6.9 | AI score 7.4 | EPSS 0.00237
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/16 11:21 a.m. | 7 views

Security Bulletin: Vulnerability in SQLite affects IBM Netezza Appliance

Summary The SQLite package is used by IBM Netezza Appliance. IBM Netezza Appliance has addressed the applicable CVEs CVE-2019-19244, CVE-2019-9936, CVE-2019-9937, CVE-2024-0232 Vulnerability Details CVEID:CVE-2019-19244 DESCRIPTION: sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a...

CVSS 7.5 | AI score 6.3 | EPSS 0.05055
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/12/16 11:18 a.m. | 7 views

Security Bulletin: Vulnerability in netty affects IBM Netezza Appliance

Summary The netty package is used by IBM Netezza Appliance. IBM Netezza Appliance has addressed the applicable CVE CVE-2025-58057 Vulnerability Details CVEID:CVE-2025-58057 DESCRIPTION: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high...

CVSS 7.5 | AI score 6.2 | EPSS 0.00063
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/12/16 11:14 a.m. | 6 views

Security Bulletin: Vulnerability in Netty affects IBM Netezza Appliance

Summary The Netty package is used by IBM Netezza Appliance. IBM Netezza Appliance has addressed the applicable CVE CVE-2025-58056 Vulnerability Details CVEID:CVE-2025-58056 DESCRIPTION: Netty is an asynchronous event-driven network application framework for development of maintainable high...

CVSS 7.5 | AI score 6.3 | EPSS 0.00097
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/12/16 11:11 a.m. | 3 views

Security Bulletin: IBM watsonx Orchestrate Cartridge for IBM Cloud Pak for Data vulnerable to Deserialization of Untrusted Data due to jackson-core

Summary jackson-core is used by IBM watsonx Orchestrate Cartridge for IBM Cloud Pak for Data in the repo huts-common Vulnerability Details WSID: WS-2022-0468 DESCRIPTION: The jackson-core package is vulnerable to a Denial of Service DoS attack. The methods in the classes listed below fail to...

AI score 6.7
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/16 11:07 a.m. | 4 views

Security Bulletin: Multiple vulnerabilities in IBM watsonx Orchestrate Cartridge for IBM Cloud Pak for Data

Summary Multiple vulnerabilities were addressed in IBM watsonx Orchestrate Cartridge for IBM Cloud Pak for Data version 5.2.2 Vulnerability Details CVEID:CVE-2025-45767 DESCRIPTION: jose v6.0.10 was discovered to contain weak encryption. NOTE: this is disputed by a third party because the claim o...

CVSS 8.2 | AI score 6.7 | EPSS 0.07815
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/16 10:59 a.m. | 8 views

Security Bulletin: Vulnerability in BIND affects IBM Netezza Appliance

Summary The BIND package is used by IBM Netezza Appliance. IBM Netezza Appliance has addressed the applicable CVEs CVE-2025-8677, CVE-2025-40780, CVE-2025-40778 Vulnerability Details CVEID:CVE-2025-8677 DESCRIPTION: Querying for records within a specially crafted zone containing certain malforme...

CVSS 8.6 | AI score 6.3 | EPSS 0.00071
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/12/16 10:55 a.m. | 5 views

Security Bulletin: Vulnerability in SSSD affects IBM Netezza Appliance

Summary The SSSD package is used by IBM Netezza Appliance. IBM Netezza Appliance has addressed the applicable CVE CVE-2025-11561 Vulnerability Details CVEID:CVE-2025-11561 DESCRIPTION: A flaw was found in the integration of Active Directory and the System Security Services Daemon SSSD on Linux...

CVSS 8.8 | AI score 6.2 | EPSS 0.00046
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/16 10:53 a.m. | 4 views

Security Bulletin: Vulnerability in Apache Commons HttpClient affects IBM Netezza Appliance

Summary The Apache Commons HttpClient package is used by IBM Netezza Appliance. IBM Netezza Appliance has addressed the applicable CVE CVE-2012-5783 Vulnerability Details CVEID:CVE-2012-5783 DESCRIPTION: Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service FPS merchant Java...

CVSS 5.8 | AI score 6.5 | EPSS 0.00616
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/16 10:47 a.m. | 4 views

Security Bulletin: IBM Tivoli Composite Application Manager for Application Diagnostics installed IBM WebSphere Application Server and WebSphere Application Server Liberty and are affected by cross-site scripting.

Summary The security issue described in CVE-2025-12635 has been identified in the WebSphere Application Server included as part of IBM Tivoli Composite Application Manager for Application Diagnostics. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section...

CVSS 5.4 | AI score 6.5 | EPSS 0.00019
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/16 10:45 a.m. | 4 views

Security Bulletin: Vulnerability in Apache Commons HttpClient affects IBM Netezza Appliance

Summary The Apache Commons HttpClient package is used by IBM Netezza Appliance. IBM Netezza Appliance has addressed the applicable CVE CVE-2012-6153 Vulnerability Details CVEID:CVE-2012-6153 DESCRIPTION: http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not...

CVSS 4.3 | AI score 6.4 | EPSS 0.01248
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/16 10:42 a.m. | 3 views

Security Bulletin: Vulnerability in gdk-pixbuf2 & gdk-pixbuf2-modules affects IBM Netezza Appliance

Summary The gdk-pixbuf2 & gdk-pixbuf2-modules package is used by IBM Netezza Appliance. IBM Netezza Appliance has addressed the applicable CVEs CVE-2025-6199, CVE-2025-7345 Vulnerability Details CVEID:CVE-2025-6199 DESCRIPTION: A flaw was found in the GIF parser of GdkPixbuf’s LZW decoder. When a...

CVSS 7.5 | AI score 7.7 | EPSS 0.00938
Exploits: 0 | Affected Software: 1

Total number of security vulnerabilities: 34926