34926 matches found

IBM Security Bulletins
added 2025/12/09 10:59 a.m. | 5 views

Security Bulletin: IBM Documentation Offline is vulnerable to `Node.js ReadFileUtf8 and HTTP Parser flaws` due to Node.js (CVE-2025-23165, CVE-2025-23167)

Summary IBM Documentation Offline utilizes Node.js as a third-party component, which contains two vulnerabilities that could potentially affect your product's stability and security. CVE-2025-23165 CVSS: 3.7 is a Denial of Service DoS vulnerability in the ReadFileUtf8 internal binding. Repeated u...

CVSS 7.5 | AI score 6.8 | EPSS 0.0056
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/12/09 8:59 a.m. | 10 views

Security Bulletin: Multiple Vulnerabilities affects IBM License Metric Tool v9.

Summary Multiple vulnerabilities have been remediated in components used by IBM License Metric Tool. Vulnerability Details CVEID:CVE-2025-8916 DESCRIPTION: Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcpkix on All API modules,...

CVSS 8.1 | AI score 7.4 | EPSS 0.0014
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/09 4:55 a.m. | 8 views

Security Bulletin: Netty HTTP/2 MadeYouReset Vulnerability Allows Bypass of Max Concurrent Streams, Enabling DDoS Attacks, affects watsonx.data

Summary Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max...

CVSS 8.2 | AI score 6.7 | EPSS 0.00053
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/12/09 4:54 a.m. | 6 views

Security Bulletin: Netty Affected by Decompression Flaw Where BrotliDecoder Allocates Unlimited Buffers, Enabling DoS, affects watsonx.data

Summary Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with specially...

CVSS 7.5 | AI score 6.5 | EPSS 0.00063
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/12/08 11:2 p.m. | 5 views

Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to request smuggling due to the Netty package (CVE-2025-58056)

Summary Netty is used by DataStage on Cloud Pak for Data as part of the event processing functionality. Vulnerability Details CVEID:CVE-2025-58056 DESCRIPTION: Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and...

CVSS 7.5 | AI score 6.6 | EPSS 0.00097
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/12/08 8:14 p.m. | 7 views

Security Bulletin: IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by cross-site scripting (CVE-2025-12635)

Summary IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by cross-site scripting. Vulnerability Details CVEID:CVE-2025-12635 DESCRIPTION: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are affected by cross-site scripting due to...

CVSS 5.4 | AI score 5.7 | EPSS 0.00019
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/08 5:13 p.m. | 6 views

Security Bulletin: IBM webMethods Integration (on prem) is affected by arbitrary code execution

Summary IBM webMethods Integration on prem uses Java objects for displaying graph data CVE-2025-36072 Vulnerability Details CVEID:CVE-2025-36072 DESCRIPTION: IBM webMethods Integration allows an authenticated user to execute arbitrary code on the system, caused by the deserialization of untrusted...

CVSS 8.8 | AI score 7.7 | EPSS 0.0071
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/08 4:59 p.m. | 9 views

Security Bulletin: Denial-of-service attack, SQL injection, and other vulnerabilities might affect IBM Storage Defender - Resiliency Service

Summary IBM Storage Defender - Resiliency Service is vulnerable to denial-of-service attack, SQL injection, and others. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2025-64458 DESCRIPTION: An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before...

CVSS 9.1 | AI score 7.6 | EPSS 0.00296
Exploits: 11 | Affected Software: 1

IBM Security Bulletins
added 2025/12/08 4:3 p.m. | 5 views

Security Bulletin: The following vulnerabilities that can affect IBM Storage Scale Management GUI are now addressed in 5.2.3.5 and 6.0.0.0 (CVE-2025-6493)

Summary The following vulnerabilities, which may affect IBM Storage Scale when the Management GUI is configured and could lead to weaker-than-expected security, have been remediated in Storage Scale version 5.2.3.5 and later and 6.0.0.0 and later CVE-2025-6493 Vulnerability Details...

CVSS 6.9 | AI score 6.8 | EPSS 0.00308
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/08 3:42 p.m. | 8 views

Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in the JDBC driver for Apache Hive

Summary Multiple vulnerabilities in the JDBC driver for Apache Hive that is used by InfoSphere Information Server were addressed. Vulnerability Details CVEID:CVE-2025-58163 DESCRIPTION: FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Versions 1.8.185 and earlier...

CVSS 8.8 | AI score 7.9 | EPSS 0.01466
Exploits: 3 | Affected Software: 1

IBM Security Bulletins
added 2025/12/08 3:14 p.m. | 5 views

Security Bulletin: IBM Datapower Operations Dashboard could allow a potential data leak CVE-2025-49574

Summary vert.x is used in KeyCloak which is used by the IBM Datapower Operations Dashboard for authentication and authorization Vulnerability Details CVEID:CVE-2025-49574 DESCRIPTION: Quarkus is a Cloud Native, Linux Container First framework for writing Java applications. In versions prior to...

CVSS 6.4 | AI score 6.4 | EPSS 0.00126
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/08 3:13 p.m. | 4 views

Security Bulletin: IBM Datapower Operations Dashboard could allow a remote attacker to cause a denial of service CVE-2025-53864

Summary Connect2id Nimbus JOSE + JWT is used by the IBM Datapower Operations Dashboard for Javascript Object Signing and Encryption Vulnerability Details CVEID:CVE-2025-53864 DESCRIPTION: Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause ...

CVSS 5.8 | AI score 6.6 | EPSS 0.00143
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/08 1:59 p.m. | 5 views

Security Bulletin: Multiple Vulnerabilities in IBM StreamSets Data Collector

Summary Multiple vulnerabilities were addressed in IBM StreamSets Data Collector version 6.4.0 Vulnerability Details CVEID:CVE-2025-8916 DESCRIPTION: Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcpkix on All API modules, Legion of...

CVSS 6.3 | AI score 6.8 | EPSS 0.00121
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/05 3:40 p.m. | 5 views

Security Bulletin: CodeMirror Regex Vulnerability Enables ReDoS Before 5.58.2, affects watsonx.data

Summary This affects the package codemirror before 5.58.2; the package org.apache.marmotta.webjars:codemirror before 5.58.2. The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.jsL129. Th...

CVSS 7.5 | AI score 6.6 | EPSS 0.0034
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/12/05 2:45 p.m. | 27 views

Security Bulletin: Multiple vulnerabilities in IBM Aspera Shares

Summary Multiple vulnerabilities were addressed in IBM Aspera Shares version 1.11.0. Vulnerability Details CVEID:CVE-2017-17718 DESCRIPTION: The Net::LDAP aka net-ldap gem before 0.16.0 for Ruby has Missing SSL Certificate Validation. CWE:CWE-295: Improper Certificate Validation CVSS Source: IBM...

CVSS 10 | AI score 8.9 | EPSS 0.44644
Exploits: 6 | Affected Software: 5

IBM Security Bulletins
added 2025/12/05 1:44 p.m. | 4 views

Security Bulletin: Denial of Service vulnerability in WebSphere Application Server Liberty affects IBM Spectrum Protect Operations Center (CVE-2025-36047)

Summary IBM WebSphere Application Server Liberty is vulnerable to DoS by sending a specially-crafted request attack which can affect IBM Spectrum Protect formerly Tivoli Storage Manager Operations Center Vulnerability Details CVEID:CVE-2025-36047 DESCRIPTION: IBM WebSphere Application Server...

CVSS 7.5 | AI score 5.5 | EPSS 0.00115
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/05 1:44 p.m. | 7 views

Security Bulletin: DoS vulnerability in Apache Commons FileUpload vulnerability in WebSphere Application Server Liberty affects IBM Spectrum Protect Operations Center (CVE-2025-48976)

Summary IBM WebSphere Application Server Liberty is vulnerable to DoS in Apache Commons FileUpload attack which can affect IBM Spectrum Protect formerly Tivoli Storage Manager Operations Center. Vulnerability Details CVEID:CVE-2025-48976 DESCRIPTION: Allocation of resources for multipart headers...

CVSS 7.5 | AI score 6.4 | EPSS 0.01278
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/12/05 1:43 p.m. | 10 views

Security Bulletin: JMS messaging configuration vulnerability in WebSphere Application Server Liberty affects IBM Spectrum Protect Operations Center (CVE-2025-36124)

Summary IBM WebSphere Application Server Liberty is vulnerable to JMS messaging configuration attack which can affect IBM Spectrum Protect formerly Tivoli Storage Manager Operations Center. Vulnerability Details CVEID:CVE-2025-36124 DESCRIPTION: IBM WebSphere Application Server Liberty 17.0.0.3...

CVSS 7.5 | AI score 5.5 | EPSS 0.00051
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/05 1:43 p.m. | 4 views

Security Bulletin: IBM Storage Protect Server is susceptible to a vulnerability due to Golang net library

Summary Golang net library is used by the IBM Storage Protect Server Object Agent and OSSM component. Golang net is vulnerable to IPv6 zone ID mishandling leading to proxy bypass. This bulletin identifies the steps to address the vulnerabilities. CVE-2025-22870. Vulnerability Details...

CVSS 4.4 | AI score 6.6 | EPSS 0.00032
Exploits: 2 | Affected Software: 1

IBM Security Bulletins
added 2025/12/05 1:43 p.m. | 5 views

Security Bulletin: IBM Storage Protect Server is susceptible to a vulnerability due to Golang crypto library

Summary Golang crypto library is used by the IBM Storage Protect Server Object Agent and OSSM component. Golang crypto is vulnerable to Denial of Service. This bulletin identifies the steps to address the vulnerabilities. CVE-2025-22869. Vulnerability Details CVEID:CVE-2025-22869 DESCRIPTION: SSH...

CVSS 7.5 | AI score 6.5 | EPSS 0.00591
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/05 1:42 p.m. | 5 views

Security Bulletin: IBM Storage Protect Server is susceptible to a vulnerability due to Golang glog library

Summary Golang glog library is used by the IBM Storage Protect Server OSSM component. Golang glog is vulnerable to improper handling of log file existence. This bulletin identifies the steps to address the vulnerabilities. CVE-2024-45339. Vulnerability Details CVEID:CVE-2024-45339 DESCRIPTION: Wh...

CVSS 7.1 | AI score 7.5 | EPSS 0.00072
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/05 1:42 p.m. | 8 views

Security Bulletin: Multiple vulnerabilities in IBM Db2 may affect IBM Storage Protect Server.

Summary IBM Storage Protect Server, which uses IBM Db2, may be affected by multiple vulnerabilities that could result in denial of service or the loss of confidentiality, integrity. These vulnerabilities include CVE-2024-7254, CVE-2022-3510, CVE-2022-3509, CVE-2022-3171, CVE-2024-49350,...

CVSS 10 | AI score 7.5 | EPSS 0.00419
Exploits: 9 | Affected Software: 1

IBM Security Bulletins
added 2025/12/05 1:41 p.m. | 11 views

Security Bulletin: Denial of Service vulnerability in WebSphere Application Server Liberty affects IBM Spectrum Protect Operations Center (CVE-2025-36097)

Summary IBM WebSphere Application Server Liberty is vulnerable to a denial of service attack which can affect IBM Spectrum Protect formerly Tivoli Storage Manager Operations Center. Vulnerability Details CVEID:CVE-2025-36097 DESCRIPTION: IBM WebSphere Application Server 9.0 and WebSphere...

CVSS 7.5 | AI score 6.3 | EPSS 0.0027
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/05 1:40 p.m. | 6 views

Security Bulletin: Cross Site Scripting vulnerability in WebSphere Application Server Liberty affects IBM Spectrum Protect Operations Center (CVE-2025-36000)

Summary IBM WebSphere Application Server Liberty is vulnerable to stored cross-site scripting which can affect IBM Spectrum Protect formerly Tivoli Storage Manager Operations Center Vulnerability Details CVEID:CVE-2025-36000 DESCRIPTION: IBM WebSphere Application Server Liberty 17.0.0.3 through...

CVSS 4.8 | AI score 5.8 | EPSS 0.00036
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/05 1:39 p.m. | 5 views

Security Bulletin: Denial of Service vulnerability in WebSphere Application Server Liberty affects IBM Spectrum Protect Operations Center (CVE-2025-36732)

Summary IBM WebSphere Application Server Liberty is vulnerable to DoS by sending a specially-crafted request attack which can affect IBM Spectrum Protect formerly Tivoli Storage Manager Operations Center Vulnerability Details CVEID:CVE-2020-36732 DESCRIPTION: The crypto-js package before 3.2.1 fo...

CVSS 5.3 | AI score 6.7 | EPSS 0.00876
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/05 1:39 p.m. | 5 views

Security Bulletin: IBM Storage Protect Server is susceptible to a vulnerability due to Golang CoreDNS library

Summary Golang CoreDNS library is used by the IBM Storage Protect Server OSSM component. Golang CoreDNS is vulnerable to Denial of Service. This bulletin identifies the steps to address the vulnerabilities. CVE-2025-58063. Vulnerability Details CVEID:CVE-2025-58063 DESCRIPTION: CoreDNS is a DNS...

CVSS 7.1 | AI score 8.5 | EPSS 0.00106
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/05 1:38 p.m. | 3 views

Security Bulletin: IBM Storage Protect Server is vulnerable to remote compromise by unauthenticated attacker with network access via multiple protocols due to IBM SDK, Java (CVE-2025-50106, CVE-2025-30749, CVE-2025-30761,CVE-2025-30754)

Summary IBM SDK, Java is vulnerable to remote compromise by unauthenticated attacker with network access via multiple protocols IBM Storage Protect Server uses IBM SDK, Java and may be affected by this vulnerability. Vulnerability Details CVEID:CVE-2025-50106 DESCRIPTION: Vulnerability in the...

CVSS 8.1 | AI score 6.2 | EPSS 0.02123
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/12/05 1:37 p.m. | 5 views

Security Bulletin: Security Configuration vulnerability in WebSphere Application Server Liberty affects IBM Spectrum Protect Operations Center (CVE-2024-56339)

Summary IBM WebSphere Application Server Liberty is vulnerable to a security configuration attack which can affect IBM Spectrum Protect formerly Tivoli Storage Manager Operations Center. Vulnerability Details CVEID:CVE-2024-56339 DESCRIPTION: IBM WebSphere Application Server 9.0 and WebSphere...

CVSS 7.5 | AI score 6 | EPSS 0.00132
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/05 1:14 p.m. | 8 views

Security Bulletin: Multiple vulnerabilities in IBM QRadar SIEM

Summary Multiple vulnerabilities were addressed in IBM QRadar SIEM version 7.5.0 UP14 IF02 Vulnerability Details CVEID:CVE-2023-48795 DESCRIPTION: The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrit...

CVSS 8.6 | AI score 6.3 | EPSS 0.54214
Exploits: 5 | Affected Software: 1

IBM Security Bulletins
added 2025/12/05 12:47 p.m. | 7 views

Security Bulletin: IBM Storage Protect Server is susceptible to a vulnerability due to Golang coredns library

Summary Golang coredns library is used by the IBM Storage Protect Server Object Agent and OSSM component. Golang coredns is vulnerable to Denial of Service. This bulletin identifies the steps to address the vulnerabilities. CVE-2025-47950. Vulnerability Details CVEID:CVE-2025-47950 DESCRIPTION:...

CVSS 7.5 | AI score 8.1 | EPSS 0.00151
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/05 12:22 p.m. | 4 views

Security Bulletin: Vulnerability in IBM Java may affect IBM Storage Protect Backup-Archive Client, IBM Storage Protect for Virtual Environments and IBM Storage Protect for Space Management

Summary IBM Storage Protect Backup-Archive Client, IBM Storage Protect for Space Management and IBM Storage Protect for Virtual Environments Data Protection for VMware and Data Protection for Hyper-V can be affected by a vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM...

CVSS 8.1 | AI score 6 | EPSS 0.02123
Exploits: 1 | Affected Software: 3

IBM Security Bulletins
added 2025/12/05 9:12 a.m. | 8 views

Security Bulletin: Multiple security vulnerabilities are addressed with IBM Process Mining 2.1.0

Summary In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Process Mining 2.1.0 Vulnerability Details CVEID:CVE-2025-41248 DESCRIPTION: The Spring Security annotation detection mechanism may not correctly resolve annotatio...

CVSS 9.1 | AI score 8.6 | EPSS 0.05222
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/05 8:46 a.m. | 7 views

Security Bulletin: Multiple Vulnerabilities affect IBM Watson Studio in Cloud Pak for Data.

Summary Multiple vulnerabilities have been addressed in IBM Watson Studio in Cloud Pak for Data version 5.2.2 Vulnerability Details CVEID:CVE-2024-3568 DESCRIPTION: The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the...

CVSS 9.8 | AI score 9.1 | EPSS 0.24427
Exploits: 5 | Affected Software: 1

IBM Security Bulletins
added 2025/12/05 8:22 a.m. | 6 views

Security Bulletin: Security vulnerabilities may affect IBM WebSphere Liberty that is shipped with TXSeries for Multiplatforms.

Summary Security vulnerabilities may affect IBM WebSphere Liberty that is shipped with TXSeries for Multiplatforms. IBM WebSphere Liberty has been updated within TXSeries for Multiplatforms to address these vulnerabilities Vulnerability Details CVEID:CVE-2020-36732 DESCRIPTION: The crypto-js...

CVSS 7.5 | AI score 7 | EPSS 0.00876
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/05 8:20 a.m. | 8 views

Security Bulletin: Security vulnerabilities may affect IBM WebSphere Liberty that is shipped with IBM CICS TX Standard.

Summary Security vulnerabilities may affect IBM WebSphere Liberty that is shipped with IBM CICS TX Standard. IBM WebSphere Liberty has been updated within IBM CICS TX Standard to address these vulnerabilities. Vulnerability Details CVEID:CVE-2020-36732 DESCRIPTION: The crypto-js package before...

CVSS 7.5 | AI score 6.9 | EPSS 0.00876
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/05 8:17 a.m. | 4 views

Security Bulletin: Security vulnerabilities may affect IBM WebSphere Liberty that is shipped with IBM CICS TX Advanced.

Summary Security vulnerabilities may affect IBM WebSphere Liberty that is shipped with IBM CICS TX Advanced. IBM WebSphere Liberty has been updated within IBM CICS TX Advanced to address these vulnerabilities. Vulnerability Details CVEID:CVE-2020-36732 DESCRIPTION: The crypto-js package before...

CVSS 7.5 | AI score 6.9 | EPSS 0.00876
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/05 8:3 a.m. | 6 views

Security Bulletin: IBM Storage Protect Operations Center is vulnerable to improper access control and stack overflow due to IBM SDK, Java (CVE-2025-21587, CVE-2025-30698, CVE-2025-4447)

Summary IBM SDK, Java is vulnerable to improper access control and stack overflow, IBM Storage Protect Operations Center uses IBM SDK, Java and may be affected by this vulnerability. Vulnerability Details CVEID:CVE-2025-21587 DESCRIPTION: An unspecified vulnerability in Java SE related to the...

CVSS 7.8 | AI score 6.3 | EPSS 0.00234
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/05 8:2 a.m. | 6 views

Security Bulletin: IBM Storage Protect Server is vulnerable to improper access control and stack overflow due to IBM SDK, Java (CVE-2025-21587, CVE-2025-30698, CVE-2025-4447)

Summary IBM SDK, Java is vulnerable to improper access control and stack overflow, IBM Storage Protect Server uses IBM SDK, Java and may be affected by this vulnerability. Vulnerability Details CVEID:CVE-2025-21587 DESCRIPTION: An unspecified vulnerability in Java SE related to the Server: DDL...

CVSS 7.8 | AI score 6.3 | EPSS 0.00234
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/05 5:51 a.m. | 8 views

Security Bulletin: IBM Maximo Application Suite - Monitor Component uses torch - 2.2.0+cpu which is vulnerable to CVE-2025-32434.

Summary IBM Maximo Application Suite - Monitor Component uses torch - 2.2.0+cpu which is vulnerable to CVE-2025-32434. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2025-32434 DESCRIPTION: PyTorch is a Python package that provides tensor...

CVSS 9.8 | AI score 6.9 | EPSS 0.0043
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/12/05 5:22 a.m. | 6 views

Security Bulletin: Apache Tomcat Improper Resource Shutdown Enables Made You Reset Attack, affects watsonx.data

Summary Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be...

CVSS 7.5 | AI score 6.8 | EPSS 0.01022
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/05 5:21 a.m. | 5 views

Security Bulletin: Moby Multiple Concurrency and NULL Pointer Dereference Vulnerabilities Leading to DoS and Data Corruption, affects watsonx.data

Summary Multiple vulnerabilities affect Moby across versions 25.x–26.0.2, including a NULL pointer dereference in daemon/images/imagehistory.go v25.0.0–v26.0.2 that can crash the daemon, a race condition in builder/builder-next/adapters/snapshot/layer.go v25.0.5 that allows concurrent builds to...

CVSS 8.1 | AI score 8.6 | EPSS 0.00104
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/05 5:20 a.m. | 5 views

Security Bulletin: Oracle Java SE and GraalVM 2D Component Remote Code Execution Vulnerability, affects watsonx.data

Summary Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: 2D. Supported versions that are affected are Oracle Java SE: 8u451, 8u451-perf, 11.0.27, 17.0.15, 21.0.7, 24.0.1; Oracle GraalVM for JDK: 17.0.15, 21.0.7 and...

CVSS 8.6 | AI score 6.8 | EPSS 0.02123
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/12/04 10:26 p.m. | 5 views

Security Bulletin: The following vulnerabilities that can affect IBM Storage Scale if the HDFS layer is enabled are now addressed in 5.2.3.5 (CVE-2025-58056, CVE-2025-58057)

Summary The following vulnerabilities, which may affect IBM Storage Scale when the HDFS layer is enabled and could lead to weaker-than-expected security, have been remediated in Storage Scale version 5.2.3.5 or later: CVE-2025-58056, CVE-2025-58057 Vulnerability Details CVEID:CVE-2025-58056...

CVSS 7.5 | AI score 6.3 | EPSS 0.00097
Exploits: 2 | Affected Software: 1

IBM Security Bulletins
added 2025/12/04 8:57 p.m. | 7 views

Security Bulletin: Vulnerabilities in gnutls affect IBM SAN Volume Controller, IBM Spectrum Virtualize and IBM FlashSystem products

Summary Vulnerabilities in gnutls affect IBM Storage Virtualize products and could cause denial of service, confidentiality and integrity impacts. CVE-2025-32988 CVE-2025-32989. Vulnerability Details CVEID:CVE-2025-32988 DESCRIPTION: A flaw was found in GnuTLS. A double-free vulnerability exists ...

CVSS 8.2 | AI score 6.5 | EPSS 0.00228
Exploits: 0 | Affected Software: 8

IBM Security Bulletins
added 2025/12/04 2:46 p.m. | 10 views

Security Bulletin: Multiple vulnerabilities in IBM Controller

Summary Multiple vulnerabilities were addressed in IBM Controller 11.1.2. Vulnerability Details CVEID:CVE-2024-52798 DESCRIPTION: path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor...

CVSS 8.7 | AI score 6.9 | EPSS 0.01278
Exploits: 2 | Affected Software: 2

IBM Security Bulletins
added 2025/12/04 2:43 p.m. | 12 views

Security Bulletin: Multiple vulnerabilities in IBM Controller

Summary Multiple vulnerabilities were addressed in IBM Controller 11.1.2. Vulnerability Details CVEID:CVE-2024-38820 DESCRIPTION: The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase has some Locale dependent exceptions that could...

CVSS 9.3 | AI score 8.1 | EPSS 0.39189
Exploits: 1 | Affected Software: 2

IBM Security Bulletins
added 2025/12/04 2:9 p.m. | 6 views

Security Bulletin: IBM Edge Data Collector uses http-proxy-middleware - 2.0.7 which is vulnerable to CVE-2025-32996, CVE-2025-32997.

Summary IBM Edge Data Collector uses http-proxy-middleware - 2.0.7 which is vulnerable to CVE-2025-32996, CVE-2025-32997. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2025-32996 DESCRIPTION: In http-proxy-middleware before 2.0.8 and 3.x before...

CVSS 5.3 | AI score 6.7 | EPSS 0.00062
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/04 2:8 p.m. | 6 views

Security Bulletin: IBM Maximo Application Suite - Monitor Component uses transformers-4.51.3-py3-none-any.whl which is vulnerable to CVE-2025-6051.

Summary IBM Maximo Application Suite - Monitor Component uses transformers-4.51.3-py3-none-any.whl which is vulnerable to CVE-2025-6051. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2025-6051 DESCRIPTION: A Regular Expression Denial of Service...

CVSS 5.3 | AI score 6.7 | EPSS 0.0004
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/12/04 1:28 p.m. | 6 views

Security Bulletin: IBM DataPower Gateway vulnerable to a denial of service due to C-Ares

Summary C-Ares is used in IBM DataPower Gateway's DNS resolver Vulnerability Details CVEID:CVE-2025-31498 DESCRIPTION: c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in readanswers when processanswer may re-enqueue a query either due to a DNS...

CVSS 8.3 | AI score 6.5 | EPSS 0.00651
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/12/04 1:9 p.m. | 4 views

Security Bulletin: IBM QRadar SIEM is affected by an information disclosure vulnerability

Summary IBM QRadar SIEM is affected by an information disclosure vulnerability involving exposure of directory information. IBM has addressed this vulnerability in the latest update. Vulnerability Details CVEID:CVE-2024-56464 DESCRIPTION: IBM QRadar SIEM could allow a privileged user to enumerate...

CVSS 2.7 | AI score 6 | EPSS 0.00028
Exploits: 0 | Affected Software: 1

Total number of security vulnerabilities: 34926