
34926 matches found

IBM Security Bulletins
added 2025/12/12 1:4 p.m., 9 views

Security Bulletin: Vulnerabilities in smarty and axios might affect IBM Storage Defender Sentinel Anomaly Scan Engine.

Summary IBM Storage Defender Sentinel Anomaly Scan Engine can be affected by vulnerabilities in smarty and axios. Vulnerabilities include allowing an attacker to inject malicious scripts into a Web page and steal cookie-based authentication credentials, execute arbitrary code on the system, and...

7.5 CVSS, 7.4 AI score, 0.01189 EPSS
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2025/12/12 4:53 a.m., 6 views

Security Bulletin: The IBM® Engineering Lifecycle Management products using WebSphere Application Server and WebSphere Application Server Liberty are affected by SMTP injection due to Jakarta Mail (CVE-2025-7962)

Summary A vulnerability in javaMail-1.5, javaMail-1.6, mail-2.0, or mail-2.1 features affects IBM WebSphere Application Server Liberty 17.0.0.3 - 25.0.0.11 with specific features enabled. Following IBM® Engineering Lifecycle Management products are vulnerable to this attack, and addressed in this...

7.5 CVSS, 6.7 AI score, 0.00054 EPSS
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/11 5:54 p.m., 5 views

Security Bulletin: TS4500 Tape Library/Diamondback Tape Library addresses security vulnerability CVE-2025-36239

Summary The Web UI page that prompts a user to change their expired password was vulnerable to cross-site scripting XSS, because a URL parameter was used directly in HTML output without sanitization. An authenticated user with access to this page could inject arbitrary JavaScript. The impact was...

6.1 CVSS, 5.8 AI score, 0.00075 EPSS
Exploits: 0, Affected Software: 2

IBM Security Bulletins
added 2025/12/11 5:32 p.m., 5 views

Security Bulletin: Multiple vulnerabilities in IBM Aspera Orchestrator

Summary Multiple vulnerabilities were addressed in IBM Aspera Orchestrator 4.1.1 Vulnerability Details CVEID:CVE-2025-13211 DESCRIPTION: IBM Aspera Orchestrator could allow an authenticated user to cause a denial of service in the email service due to improper control of interaction frequency...

8.8 CVSS, 8.1 AI score, 0.00074 EPSS
Exploits: 0, Affected Software: 5

IBM Security Bulletins
added 2025/12/11 3:30 p.m., 10 views

Security Bulletin: Multiple security vulnerabilities in IBM Business Automation Manager Open Editions.

Summary Multiple vulnerabilities were addressed in IBM Business Automation Manager Open Editions 9.3.1. Vulnerability Details CVEID:CVE-2025-61748 DESCRIPTION: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component:...

8.2 CVSS, 8.1 AI score, 0.00112 EPSS
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2025/12/11 11:8 a.m., 4 views

Security Bulletin: Formidable 2.1.0–3.5.2 Uses Non-Cryptographically Secure hexoid for Filename Randomization, affects watsonx.data

Summary Formidable aka node-formidable 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." Also, there is a scenario in which only the last two characters of a hexoid...

3.1 CVSS, 5.5 AI score, 0.00063 EPSS
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2025/12/11 9:51 a.m., 10 views

Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affect IBM Tivoli Network Configuration Manager ( CVE-2025-53066, CVE-2025-53057).

Summary Multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 8, used by IBM Tivoli Network Configuration Manager IP Edition Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Products| Versions...

7.5 CVSS, 6.6 AI score, 0.00068 EPSS
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/10 11:3 p.m., 13 views

Security Bulletin: AIX is vulnerable to a denial of service (CVE-2025-9086) due to cURL libcurl

Summary Vulnerability in cURL libcurl could allow a remote attacker to cause a denial of service CVE-2025-9086. AIX uses cURL libcurl as part of rsyslog, LV/PV encryption integration with HPCS and in Live Update for interacting with HMC. Vulnerability Details CVEID:CVE-2025-9086 DESCRIPTION: 1. A...

7.5 CVSS, 6.7 AI score, 0.00275 EPSS
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2025/12/10 7:36 p.m., 14 views

Security Bulletin: IBM OmniFind Text Search Server for DB2 for i is affected by multiple vulnerabilities.  [CVE-2017-15691, CVE-2024-47072, CVE-2024-45492, CVE-2024-25269, CVE-2024-36052]

Summary IBM OmniFind Text Search Server for DB2 for i is vulnerable to overflow attacks CVE-2024-47072, CVE-2024-45492, Improper Restriction of XML External Entity Reference attack CVE-2017-15691, Uncontrolled Resource Consumption attack CVE-2024-25269, and Improper Neutralization attack...

9.8 CVSS, 6.9 AI score, 0.02269 EPSS
Exploits: 2, Affected Software: 2

IBM Security Bulletins
added 2025/12/10 6:28 p.m., 5 views

Security Bulletin: IBM InfoSphere Information Server is affected by a server-side request forgery (CVE-2025-12832)

Summary A server-side request forgery vulnerability in IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2025-12832 DESCRIPTION: IBM InfoSphere Information Server is vulnerable to server-side request forgery SSRF. This may allow an authenticated attacker to send...

4.6 CVSS, 6.6 AI score, 0.00028 EPSS
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/10 5:6 p.m., 12 views

Security Bulletin: Multiple Vulnerabilities affect IBM Tivoli Business Service Manager

Summary IBM Tivoli Netcool Impact is a component of the IBM Tivoli Business Service Manager data server. Multiple vulnerabilities were addressed in IBM Tivoli Netcool Impact version 7.1.1.0 Vulnerability Details CVEID:CVE-2025-48976 DESCRIPTION: Allocation of resources for multipart headers with...

7.5 CVSS, 8.2 AI score, 0.02253 EPSS
Exploits: 3, Affected Software: 1

IBM Security Bulletins
added 2025/12/10 4:39 p.m., 14 views

Security Bulletin: Multiple vulnerabilities in IBM MQ Operator and Queue manager container images

Summary Multiple vulnerabilities were addressed in IBM MQ Operator and Queue manager container images Vulnerability Details CVEID:CVE-2025-47914 DESCRIPTION: SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the...

7.8 CVSS, 8.7 AI score, 0.00074 EPSS
Exploits: 3, Affected Software: 1

IBM Security Bulletins
added 2025/12/10 3:4 p.m., 12 views

Security Bulletin: IBM Storage Defender: Data Protect critical vulnerabilities resolved in release Defender 2.1.0/Data Protect 7.3

Summary IBM Storage Defender: Data Protect critical vulnerabilities resolved in release Defender 2.1.0/Data Protect 7.3. The vulnerabilities have been addressed in Data Protect 7.3, which is included in IBM Storage Defender 2.1.0 Vulnerability Details CVEID:CVE-2025-20260 DESCRIPTION: A...

9.8 CVSS, 8.6 AI score, 0.03091 EPSS
Exploits: 15, Affected Software: 1

IBM Security Bulletins
added 2025/12/10 1:54 p.m., 4 views

Security Bulletin: A vulnerability in Go affects IBM Robotic Process Automation for Cloud Pak and may result in tags incorrectly marked as self-closing (CVE-2025-22872).

Summary A vulnerability in Go affects IBM Robotic Process Automation for Cloud Pak and may result in tags incorrectly marked as self-closing. Go is used by IBM Robotic Process Automation for Cloud Pak as part of its deployment. This bulletin identifies the fixes required to resolve the...

6.5 CVSS, 7.2 AI score, 0.00023 EPSS
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/10 1:53 p.m., 6 views

Security Bulletin: A vulnerability in RedHat UBI affects IBM Robotic Process Automation for Cloud Pak and may result in denial of service (CVE-2024-12243).

Summary A vulnerability in RedHat UBI affects IBM Robotic Process Automation for Cloud Pak and may result in a denial of service. RedHat UBI is used as the base image for IBM Robotic Process Automation for Cloud Pak images. This bulletin identifies the fixes required to address this vulnerability...

5.3 CVSS, 6.5 AI score, 0.01227 EPSS
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/10 11:27 a.m., 5 views

Security Bulletin: IBM Transformation Extender Advanced is affected by a IBM WebSphere Application Server Liberty vulnerability

Summary IBM Transformation Extender Advanced, also known as IBM Standards Processing Engine, is vulnerable to IBM WebSphere Application Server Liberty cross-site scripting vulnerability. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Product...

6.1 AI score
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/10 7:46 a.m., 9 views

Security Bulletin: Multiple security vulnerabilities have been identified in IBM Db2 shipped with IBM Guardium Key Lifecycle Manager

Summary IBM Db2 is shipped as a component of IBM Guardium Key Lifecycle Manager. Information about multiple security vulnerabilities affecting IBM Db2 has been published in security bulletins. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected...

8.8 CVSS, 6.6 AI score, 0.00075 EPSS
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/10 4:11 a.m., 7 views

Security Bulletin: IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is affected by cross-site scripting

Summary IBM WebSphere Application Server shipped with Jazz for Service Management JazzSM is affected by cross-site scripting CVE-2025-12635 Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Products| Versions...

5.4 CVSS, 6 AI score, 0.00019 EPSS
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/09 10:37 p.m., 4 views

Security Bulletin: IBM® Db2® is affected by a vulnerability in the mongo library (CVE-2025-0755)

Summary IBM® Db2® is affected by a vulnerability in MongoDB C driver library and may be susceptible to buffer overflow when performing operations that could result in a final BSON document which exceeds the maximum allowable size INT32_MAX, resulting in a segmentation fault and possible applicatio...

8.4 CVSS, 7.3 AI score, 0.00148 EPSS
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/09 10:36 p.m., 13 views

Security Bulletin: IBM® Db2® is vulnerable to a denial of service using a specially crafted SQL statement (CVE-2025-33143).

Summary IBM Db2 for Linux, UNIX and Windows includes Db2 Connect Server could allow an authenticated user to cause a denial of service using a specially crafted SQL statement that performs uncontrolled recursion. Vulnerability Details CVEID:CVE-2025-33143 DESCRIPTION: IBM Db2 for Linux, UNIX and...

6.5 AI score
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/09 10:34 p.m., 9 views

Security Bulletin: IBM® Db2® is vulnerable to denial of service when running federated queries with the certain condition (CVE-2025-36071)

Summary IBM® Db2® is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted federated query due to improper release of memory resources. Vulnerability Details CVEID:CVE-2025-36071 DESCRIPTION: IBM Db2 for Linux, UNIX and Windows includes DB2...

7.5 CVSS, 6.2 AI score, 0.00209 EPSS
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/09 9:29 p.m., 11 views

Security Bulletin: IBM® Db2® is vulnerable to a stack-based buffer overflow (CVE-2025-33092)

Summary IBM Db2 for Linux, UNIX and Windows includes Db2 Connect Server is vulnerable to a stack-based buffer overflow in db2fm, caused by improper bounds checking. A local user could overflow the buffer and execute arbitrary code on the system. Vulnerability Details CVEID:CVE-2025-33092...

7.8 CVSS, 6.9 AI score, 0.00049 EPSS
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/09 9:25 p.m., 6 views

Security Bulletin: IBM® Db2® federated server is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query (CVE-2024-51473)

Summary IBM Db2 for Linux, UNIX and Windows includes Db2 Connect Server federated server is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query. Vulnerability Details CVEID:CVE-2024-51473 DESCRIPTION: IBM Db2 for Linux, UNIX and Window...

7.5 CVSS, 6.2 AI score, 0.00209 EPSS
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/09 9:21 p.m., 7 views

Security Bulletin: IBM® Db2® is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query (CVE-2024-49828)

Summary IBM® Db2® is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query. Vulnerability Details CVEID:CVE-2024-49828 DESCRIPTION: IBM Db2 for Linux, UNIX and Windows includes Db2 Connect Server is vulnerable to a denial of service as t...

7.5 CVSS, 6.2 AI score, 0.00209 EPSS
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/09 9:18 p.m., 8 views

Security Bulletin: IBM® Db2® is vulnerable to a denial of service as the server may crash under certain conditions (CVE-2025-2533)

Summary IBM Db2 for Linux, UNIX and Windows includes Db2 Connect Server is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query. Vulnerability Details CVEID:CVE-2025-2533 DESCRIPTION: IBM Db2 for Linux, UNIX and Windows includes Db2...

7.5 CVSS, 6.2 AI score, 0.00157 EPSS
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/09 9:14 p.m., 6 views

Security Bulletin: IBM® Db2® is vulnerable to a denial of service under specific conditions (CVE-2025-36010)

Summary IBM Db2 for Linux, UNIX and Windows includes DB2 Connect Server could allow an unauthenticated user to cause a denial of service due to executable segments that are waiting for each other to release a necessary lock. Vulnerability Details CVEID:CVE-2025-36010 DESCRIPTION: IBM Db2 for Linu...

7.5 CVSS, 6.2 AI score, 0.00092 EPSS
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/09 9:8 p.m., 5 views

Security Bulletin: IBM® Db2® is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query when lock event monitor is activated (CVE-2024-52894)

Summary IBM® Db2® is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query when lock event monitor is activated. Vulnerability Details CVEID:CVE-2024-52894 DESCRIPTION: IBM Db2 for Linux, UNIX and Windows includes Db2 Connect Server is...

4.9 CVSS, 6.1 AI score, 0.00247 EPSS
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/09 9:3 p.m., 6 views

Security Bulletin: IBM® Db2® is affected by a vulnerability in the corosync library. (CVE-2025-30472)

Summary If encryption is disabled or the attacker knows the encryption key, has a stack-based buffer overflow in orf_token_endian_convert in exec/totemsrp.c via a large UDP packet. Note, this vulnerability has been fixed in Corosync 3.1.7-3 for Db2 11.5.9 and Corosync 3.1.8-6 for Db2 12.1.2 and late...

9.8 CVSS, 7 AI score, 0.00157 EPSS
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2025/12/09 9:0 p.m., 6 views

Security Bulletin: IBM® Db2® is vulnerable to a denial of service with a specially crafted query. (CVE-2025-33114)

Summary IBM® Db2® is vulnerable to denial of service with a specially crafted query under certain non-default conditions. Vulnerability Details CVEID:CVE-2025-33114 DESCRIPTION: IBM Db2 for Linux, UNIX and Windows includes DB2 Connect Server is vulnerable to denial of service with a specially...

7.5 CVSS, 6.2 AI score, 0.00142 EPSS
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/09 8:32 p.m., 3 views

Security Bulletin: IBM® Db2® is vulnerable to users regaining access without admin help after account lockout (CVE-2025-33012)

Summary IBM® Db2® is vulnerable to allowing an authenticated user to regain access after account lockout due to password use after expiration date. Vulnerability Details CVEID:CVE-2025-33012 DESCRIPTION: IBM Db2 for Linux could allow an authenticated user to regain access after account lockout du...

8.8 CVSS, 6 AI score, 0.00025 EPSS
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/09 8:29 p.m., 3 views

Security Bulletin: IBM® Db2® is vulnerable to running out of memory under certain conditions (CVE-2025-33134)

Summary IBM® Db2® for Linux, UNIX and Windows includes Db2 Connect Server has a certain table function that leaks 4KB of memory each time it is called. Repetitively calling this functionality may eventually lead to a denial of service of the Db2 Server. Note that only users who have authenticated...

6.4 AI score
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/09 8:15 p.m., 9 views

Security Bulletin: IBM® Db2® is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query (CVE-2025-2534)

Summary IBM Db2 for Linux, UNIX and Windows includes Db2 Connect Server is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query. Vulnerability Details CVEID:CVE-2025-2534 DESCRIPTION: IBM Db2 for Linux, UNIX and Windows includes Db2...

7.5 CVSS, 6.2 AI score, 0.00042 EPSS
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/09 8:10 p.m., 5 views

Security Bulletin: IBM® Db2® is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query (CVE-2024-47118)

Summary IBM Db2 for Linux, UNIX and Windows includes Db2 Connect Server is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query. Vulnerability Details CVEID:CVE-2024-47118 DESCRIPTION: IBM Db2 for Linux, UNIX and Windows includes Db2...

7.5 CVSS, 6.2 AI score, 0.00075 EPSS
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/09 8:7 p.m., 12 views

Security Bulletin: IBM® Db2® federated server is affected by a vulnerability in json-smart 2.5.0 (CVE-2024-57699)

Summary IBM® Db2® federated server is vulnerable to a security issue that was found in Netplex Json-smart 2.5.0 through 2.5.1. When loading a specially crafted JSON input, containing a large number of '', a stack exhaustion can be triggered, which could allow an attacker to cause a Denial of...

7.5 CVSS, 6.1 AI score, 0.00058 EPSS
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/09 8:4 p.m., 6 views

Security Bulletin: IBM® Db2® federated server is vulnerable to a denial of service under specific conditions (PRISMA-2023-0067)

Summary IBM® Db2® federated server is affected by a denial of service vulnerability in FasterXML Jackson Core, caused by improper input validation by the StreamReadConstraints value field. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the...

6.5 AI score
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/09 8:1 p.m., 4 views

Security Bulletin: IBM® Db2® is vulnerable to a denial of service due to the improper release of resources after use (CVE-2025-36006)

Summary IBM® Db2® could allow an authenticated user to cause a denial of service due to the improper release of resources after use. Vulnerability Details CVEID:CVE-2025-36006 DESCRIPTION: IBM Db2 for Linux, UNIX and Windows includes Db2 Connect Server could allow an authenticated user to cause a...

6.5 CVSS, 6 AI score, 0.00043 EPSS
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/09 7:47 p.m., 7 views

Security Bulletin: IBM® Db2® Pacemaker is vulnerable to a denial of service due to improper allocation of resources (CVE-2025-36008)

Summary IBM® Db2® could allow an authenticated user to cause a denial of service due to improper allocation of resources. Note that this only affects users running Highly Available automation using Pacemaker. This includes Mutual Failover, High Availability Disaster Recovery HADR, pureScale or...

6.5 CVSS, 6 AI score, 0.00075 EPSS
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/09 7:44 p.m., 4 views

Security Bulletin: IBM® Db2® federated Server is vulnerable to sensitive information disclosure under specific conditions (PRISMA-2021-0055)

Summary IBM® Db2® federated Server is affected by a vulnerability in Apache Commons Codec that could allow a remote attacker to obtain sensitive information, caused by the improper validation of input. An attacker could exploit this vulnerability using a method call to obtain sensitive informatio...

6.1 AI score
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/09 7:38 p.m., 5 views

Security Bulletin: IBM® Db2® is vulnerable to privilege escalation under specific configurations (CVE-2025-36186)

Summary IBM® Db2® under specific configurations could allow a local user to execute malicious code that escalate their privileges to root due to execution of unnecessary privileges operated at a higher than minimum level. Vulnerability Details CVEID:CVE-2025-36186 DESCRIPTION: IBM Db2 for Linux,...

7.8 CVSS, 6.6 AI score, 0.0001 EPSS
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/09 7:33 p.m., 5 views

Security Bulletin: IBM® Db2® is vulnerable to information disclosure and credential exposure to privileged users under specific conditions (CVE-2025-36131)

Summary IBM® Db2® clpplus command exposes user credentials to the terminal which could be obtained by a third party with physical access to the system. Vulnerability Details CVEID:CVE-2025-36131 DESCRIPTION: IBM Db2 for Linux, UNIX and Windows includes Db2 Connect Server clpplus command exposes...

4.6 CVSS, 5.9 AI score, 0.00018 EPSS
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/09 7:22 p.m., 4 views

Security Bulletin: IBM® Db2® is vulnerable to a denial of service due to the database monitor script incorrectly detecting that the instance is still starting under specific conditions (CVE-2025-36136)

Summary IBM® Db2® could allow a local user to cause a denial of service due to the database monitor script incorrectly detecting that the instance is still starting under specific conditions. Vulnerability Details CVEID:CVE-2025-36136 DESCRIPTION: IBM Db2 for Linux, UNIX and Windows includes DB2...

5.5 CVSS, 5.9 AI score, 0.00012 EPSS
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/09 3:51 p.m., 5 views

Security Bulletin: An authenticated user to cause a denial of service through ingestion pods due to improper allocation of resources without limits, affects watsonx.data

Summary An authenticated user to cause a denial of service through ingestion pods due to improper allocation of resources without limits. This could affect watsonx.data. Vulnerability Details CVEID:CVE-2025-36140 DESCRIPTION: IBM Lakehouse could allow an authenticated user to cause a denial of...

6.5 CVSS, 6.3 AI score, 0.0007 EPSS
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/09 3:1 p.m., 12 views

Security Bulletin: Multiple vulnerabilities in IBM Observability with Instana (OnPrem)

Summary Multiple vulnerabilities were remediated in IBM Observability with Instana OnPrem build 1.0.309 Vulnerability Details CVEID:CVE-2025-9900 DESCRIPTION: A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafte...

9.8 CVSS, 8.5 AI score, 0.26297 EPSS
Exploits: 4, Affected Software: 1

IBM Security Bulletins
added 2025/12/09 2:24 p.m., 6 views

Security Bulletin: IBM Planning Analytics Local is vulnerable to disclosing sensitive information (CVE-2025-36437)

Summary A sensitive information disclosure vulnerability was addressed in the File manager component of IBM Planning Analytics Local - IBM Planning Analytics Workspace 2.1.16. Vulnerability Details CVEID:CVE-2025-36437 DESCRIPTION: IBM Planning Analytics Local could disclose sensitive information...

4.3 CVSS, 5.7 AI score, 0.0003 EPSS
Exploits: 0, Affected Software: 5

IBM Security Bulletins
added 2025/12/09 2:7 p.m., 5 views

Security Bulletin: IBM Maximo Application Suite - Monitor Component uses form-data-4.0.0.tgz, form-data-4.0.1.tgz, form-data-4.0.3.tgz which are vulnerable to CVE-2025-7783.

Summary IBM Maximo Application Suite - Monitor Component uses form-data-4.0.0.tgz, form-data-4.0.1.tgz, form-data-4.0.3.tgz which are vulnerable to CVE-2025-7783. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2025-7783 DESCRIPTION: Use of...

9.4 CVSS, 6.7 AI score, 0.01319 EPSS
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2025/12/09 2:7 p.m., 9 views

Security Bulletin: IBM Guardium Data Protection is affected by a Apache/Tomcat Vulnerabilities related to cxf-core-3.5.10.jar vulnerability (CVE-2025-48913)

Summary IBM Guardium Data Protection has addressed this vulnerability in an update. Vulnerability Details CVEID:CVE-2025-48913 DESCRIPTION: If untrusted users are allowed to configure JMS for Apache CXF, previously they could use RMI or LDAP URLs, potentially leading to code execution capabilitie...

9.8 CVSS, 7.5 AI score, 0.0044 EPSS
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/09 2:5 p.m., 8 views

Security Bulletin: IBM Edge Data Collector uses django-4.2.24-py3-none-any.whl which is vulnerable to CVE-2025-59681, CVE-2025-59682.

Summary IBM Edge Data Collector uses django-4.2.24-py3-none-any.whl which is vulnerable to CVE-2025-59681, CVE-2025-59682. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2025-59681 DESCRIPTION: An issue was discovered in Django 4.2 before 4.2.25,...

9.8 CVSS, 7.7 AI score, 0.00019 EPSS
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/09 1:38 p.m., 4 views

Security Bulletin: IBM Datapower Operations Dashboard could allow allow a man-in-the-middle attacker to intercept connections CVE-2025-49146

Summary postgresql is used in KeyCloak which is used by the IBM Datapower Operations Dashboard for authentication and authorization Vulnerability Details CVEID:CVE-2025-49146 DESCRIPTION: pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC drive...

8.2 CVSS, 6.5 AI score, 0.0004 EPSS
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/09 1:33 p.m., 7 views

Security Bulletin: IBM Datapower Operations Dashboard could be vulnerable to an out-of-memory (OOM) issue CVE-2025-2240

Summary Smallrye is used by the IBM Datapower Operations Dashboard for repository hosting including build, CI, and release publishing setup Vulnerability Details CVEID:CVE-2025-2240 DESCRIPTION: A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory OOM...

7.5 CVSS, 6.3 AI score, 0.00344 EPSS
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/12/09 12:8 p.m., 5 views

Security Bulletin: Multiple vulnerabilities affect IBM® SDK, Java™ Technology Edition for Content Collector for Email, Content Collector for File Systems and Content Collector for Microsoft SharePoint

Summary IBM SDK, Java Technology Edition Quarterly CPU - Oct 2025 - Includes vulnerability fix for Java SE related to the JAXP component and Security component CVE-2025-53066 and CVE-2025-53057 Vulnerability Details CVEID:CVE-2025-53066 DESCRIPTION: An unspecified vulnerability in Java SE related ...

7.5 CVSS, 6.3 AI score, 0.00068 EPSS
Exploits: 0, Affected Software: 1

Total number of security vulnerabilities: 34926