Security Bulletin: On Windows, any local user can connect to the Informix Server as another user without requiring a password.
Summary Using DB-Access, any local user can connect as another user without needing a password. However, only the designated login user should be allowed to connect without a password. Vulnerability Details CVEID:CVE-2024-45675 DESCRIPTION: IBM Informix Dynamic Server could allow a local user on...
Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus for z/OS are vulnerable to Uncontrolled Recursion due to Apache Commons Lang ( CVE-2025-48924 )
Summary IBM App Connect Enterprise runtime and IBM Integration Bus for z/OS are vulnerable to Uncontrolled Recursion due to Apache Commons Lang. Vulnerability Details CVEID:CVE-2025-48924 DESCRIPTION: Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons...
Security Bulletin: Vulnerability in IBM Java affects IBM SAN Volume Controller, IBM Storwize, IBM Storage Virtualize and IBM FlashSystem products
Summary A vulnerability in IBM® Runtime Environment Java™ Technology Edition affects the product's management GUI and could cause a confidentiality impact. The Command Line Interface is unaffected. CVE-2025-30754. Vulnerability Details CVEID:CVE-2025-30754 DESCRIPTION: Vulnerability in the Oracle...
Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to IBM Semeru Runtime (CVE-2025-53057 & CVE-2025-53066)
Summary IBM App Connect Enterprise is vulnerable to Improper Access Control and Exposure of Sensitive Information to an Unauthorized Actor due to IBM Semeru Runtime. Vulnerability Details CVEID:CVE-2025-53057 DESCRIPTION: An unspecified vulnerability in Java SE related to the Security component...
Security Bulletin: IBM Application Modernization Accelerator is affected by multiple vulnerabilities found in Java and Node.js
Summary There are multiple vulnerabilities in Java and Node.js used by IBM Application Modernization Accelerator. Vulnerability Details CVEID:CVE-2025-53066 DESCRIPTION: An unspecified vulnerability in Java SE related to the JAXP component could allow a remote attacker to cause high confidentiali...
Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to different node modules (CVE-2025-57350,CVE-2025-56200 & CVE-2025-64118)
Summary IBM App Connect Enterprise Connector Discovery and OpenAPI Editor, IBM App Connect Enterprise Discovery Connectors and IBM App Connect Enterprise runtime are vulnerable to multiple vulnerabilities due to csvtojson, node-tar packages and validator modules CVE-2025-57350,CVE-2025-56200 &...
Security Bulletin: IBM Transformation Advisor is affected by multiple vulnerabilities found in Java and Node.js
Summary There are multiple vulnerabilities in Java and Node.js used by IBM Transformation Advisor. Vulnerability Details CVEID:CVE-2025-57353 DESCRIPTION: The Runtime components of messageformat package for Node.js before 3.0.2 contain a prototype pollution vulnerability. Due to insufficient...
Security Bulletin: IBM App Connect Enterprise Certified Container operator and DesignerAuthoring operands are vulnerable to loss of integrity [CVE-2025-47907]
Summary IBM App Connect Enterprise Certified Container operator and DesignerAuthoring operands are vulnerable to loss of integrity due to a vulnerability in the Golang module database/sql. This bulletin provides patch information to address the reported vulnerability in database/sql. CVE-2025-479...
Security Bulletin: IBM Maximo Application Suite - Manage component uses software IBM WebSphere Liberty Server 25.0.0.2 and IBM DB2 version 11.5.9 which are vulnerable to CVE-2025-25193, CVE-2024-52894
Summary IBM Maximo Application Suite - Manage component uses software IBM WebSphere Liberty Server 25.0.0.2 and IBM DB2 version 11.5.9 which are vulnerable to CVE-2025-25193, CVE-2024-52894. This security bulletin contains details of affected and remediated versions of the same. Vulnerability...
Security Bulletin: Vulnerabilities in multiple components affect IBM SAN Volume Controller, IBM Spectrum Virtualize and IBM FlashSystem products
Summary Vulnerabilities in libssh, iputils, glib2, libtasn1 and gnutls components affect IBM Storage Virtualize products and could cause denial of service and confidentiality impacts. CVE-2025-47268 CVE-2025-4373 CVE-2024-12133 CVE-2025-48964 CVE-2024-12243. Vulnerability Details...
Security Bulletin: There is a vulnerability in starlette-0.40.0-py3-none-any.whl used by IBM Maximo Visual Inspection application in IBM Maximo Application Suite ( CVE-2025-54121)
Summary There is a vulnerability in starlette-0.40.0-py3-none-any.whl used by IBM Maximo Visual Inspection application in IBM Maximo Application Suite CVE-2025-54121. This bulletin contains the information regarding affected and remediation versions of the same. Vulnerability Details...
Security Bulletin: Vulnerability in IBM DevOps Solution Workbench
Summary The following vulnerability was addressed in IBM DevOps Solution Workbench version 5.1. Vulnerability Details CVEID:CVE-2024-38820 DESCRIPTION: The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase has some Locale dependent...
Security Bulletin: IBM Operational Decision Manager for Oct 2025 - Multiple CVEs addressed
Summary IBM Operational Decision Manager is vulnerable to multiple remote code execution and denial of service attacks in third party and open source used in the product for various functions. See full list below. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2025-22233...
Security Bulletin: Multiple vulnerabilities in IBM® SDK Java™ Technology Edition shipped with IBM Tivoli Monitoring.
Summary Multiple vulnerabilities in IBM® SDK Java™ Technology Edition that is shipped as part of multiple IBM Tivoli Monitoring ITM components. CVE-2025-53066 and CVE-2025-53057 Vulnerability Details CVEID:CVE-2025-53066 DESCRIPTION: An unspecified vulnerability in Java SE related to the JAXP...
Security Bulletin: Terraform state versions can be created by users with specific permissions without sufficient write access
Summary Terraform state versions can be created by a user with specific but insufficient permissions in a Terraform Enterprise workspace. This may allow for the alteration of infrastructure if a subsequent plan operation is approved by a user with approval permission or is auto-applied. This...
Security Bulletin: Multiple Vulnerabilities have been identified in IBM® Db2® shipped with IBM WebSphere Remote Server
Summary IBM® Db2® is shipped with IBM WebSphere Remote Server. Information about security vulnerabilities affecting IBM® Db2® has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions...
Security Bulletin: IBM Informix updated to use the latest version of Netty to handle the Netty vulnerability.
Summary Netty version updated to 4.1.118.Final in Informix 12.10.xC16W2 and 4.1.121.Final in Informix 14.10.XC12. Vulnerability Details CVEID:CVE-2024-47535 DESCRIPTION: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance...
Security Bulletin: Multiple Security Vulnerabilities in IBM Sterling B2B Integrator and IBM Sterling File Gateway (CVE-2023-32731 CVE-2023-32732)
Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway have addressed the security vulnerabilities Vulnerability Details CVEID:CVE-2023-32731 DESCRIPTION: When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK...
Security Bulletin: IBM Sterling B2B Integrator and IBM Sterling File Gateway are Vulnerable to Information Disclosure (CVE-2025-36134)
Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway have addressed the information disclosure vulnerability. Please apply the following upgrades to remediate the vulnerability. Vulnerability Details CVEID:CVE-2025-36134 DESCRIPTION: IBM Sterling B2B Integrator and IBM Sterling File...
Security Bulletin: IBM Sterling B2B Integrator and IBM Sterling File Gateway are Vulnerable to Information Disclosure (CVE-2025-48795)
Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway have addressed the information disclosure vulnerability. Please apply the remediated versions described below. Vulnerability Details CVEID:CVE-2025-48795 DESCRIPTION: Apache CXF stores large stream based messages as temporary files...
Security Bulletin: Document Service Container of IBM Sterling B2B Integrator and IBM Sterling File Gateway is Vulnerable to Information Disclosure (CVE-2025-22227)
Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway have addressed the information disclosure vulnerability. Please upgrade or patch your installation of these products accordingly. Vulnerability Details CVEID:CVE-2025-22227 DESCRIPTION: In some specific scenarios with chained...
Security Bulletin: Multiple Vulnerabilities in IBM Decision Optimization for Cloud Pak for Data (CVE-2025-57350, CVE-2025-53057 and CVE-2025-53066)
Summary Multiple Vulnerabilities were addressed in IBM Decision Optimization for Cloud Pak for Data version 5.3.0 Vulnerability Details CVEID:CVE-2025-57350 DESCRIPTION: The csvtojson package, a tool for converting CSV data to JSON with customizable parsing capabilities, contains a prototype...
Security Bulletin: Multiple Vulnerabilities in IBM Decision Optimization for Cloud Pak for Data (CVE-2025-6493, CVE-2025-55163 and CVE-2025-58754)
Summary Multiple Vulnerabilities were addressed in IBM Decision Optimization for Cloud Pak for Data version 5.2.2. Vulnerability Details CVEID:CVE-2025-55163 DESCRIPTION: Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty i...
Security Bulletin: IBM Sterling B2B Integrator and IBM Sterling File Gateway are Vulnerable to Information Disclosure (CVE-2025-36112)
Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway have addressed the information disclosure vulnerability. Please apply the fixes available from IBM. Vulnerability Details CVEID:CVE-2025-36112 DESCRIPTION: IBM Sterling B2B Integrator and IBM Sterling File Gateway could reveal...
Security Bulletin: IBM Sterling B2B Integrator and IBM Sterling File Gateway are Vulnerable to Improper Neutralization (CVE-2025-5878)
Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway have addressed the improper neutralization vulnerability Vulnerability Details CVEID:CVE-2025-5878 DESCRIPTION: A vulnerability was found in ESAPI esapi-java-legacy and classified as problematic. This issue affects the interface...
Security Bulletin: IBM Sterling B2B Integrator and IBM Sterling File Gateway are Vulnerable to Denial of Service (CVE-2025-48976)
Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway have addressed the denial of service vulnerability Vulnerability Details CVEID:CVE-2025-48976 DESCRIPTION: Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons...
Security Bulletin: IBM Sterling B2B Integrator and IBM Sterling File Gateway are Vulnerable to Improper Access Control (CVE-2025-48734)
Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway have addressed the improper access control vulnerability Vulnerability Details CVEID:CVE-2025-48734 DESCRIPTION: Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2...
Security Bulletin: IBM Tivoli Application Dependency Discovery Manager is vulnerable to denial-of-service due to use of Apache Commons File Upload within IBM WebSphere Application Server Liberty
Summary This security bulletin addresses the vulnerability in IBM Tivoli Application Dependency Discovery Manager due to Apache Commons File Upload used in IBM WebSphere Application Server Liberty that is vulnerable to a denial of service CVE-2025-48976 Vulnerability Details CVEID:CVE-2025-48976...
Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM DevOps Code ClearCase (CVE-2025-36099, CVE-2025-7962)
Summary IBM WebSphere Application Server WAS is shipped as a component of IBM DevOps Code ClearCase. Information about security vulnerabilities affecting WAS have been published in security bulletins. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section...
Security Bulletin: The following vulnerabilities that can affect IBM Storage Scale if the HDFS layer is enabled are now addressed in 5.2.3.4 (CVE-2025-55163, CVE-2021-4264, CVE-2025-53864, CVE-2025-48924, CVE-2024-6484, CVE-2024-13009)
Summary The following vulnerabilities, which may affect IBM Storage Scale when the HDFS layer is enabled and could lead to weaker-than-expected security, have been addressed in Storage Scale version 5.2.3.4 or later: CVE-2025-55163, CVE-2021-4264, CVE-2025-53864, CVE-2025-48924, CVE-2024-6484, an...
Security Bulletin: Multiple Vulnerabilities in Netcool Operations Insights.
Summary Multiple vulnerabilities were addressed in Netcool Operations Insight version 1.6.15. Vulnerability Details CVEID:CVE-2025-27533 DESCRIPTION: Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ. During unmarshalling of OpenWire commands the size value of buffers w...
Security Bulletin: Astronomer with IBM is vulnerable to event thread locking due to the starlette package (CVE-2025-54121)
Summary Starlette is used by Astronomer with IBM as part of the request processing functionality. Vulnerability Details CVEID:CVE-2025-54121 DESCRIPTION: Starlette is a lightweight ASGI Asynchronous Server Gateway Interface framework/toolkit, designed for building async web services in Python. In...
Security Bulletin: Astronomer with IBM is vulnerable to local code execution due to the Helm package manager (CVE-2025-53547)
Summary Helm is used by Astronomer with IBM as part of service installation and management. Vulnerability Details CVEID:CVE-2025-53547 DESCRIPTION: Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a specially linked Chart.lock fi...
Security Bulletin: Astronomer with IBM is vulnerable to uncontrolled recursion due to the Apache Commons Lang package ( CVE-2025-48924)
Summary Apache Commons Lang is used by Astronomer with IBM as part of overall processing. Vulnerability Details CVEID:CVE-2025-48924 DESCRIPTION: Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6...
Security Bulletin: Astronomer with IBM is vulnerable to denial of service due to the resolv package (CVE-2025-24294)
Summary Resolv is used by Astronomer with IBM as part of the DNS functionality. Vulnerability Details CVEID:CVE-2025-24294 DESCRIPTION: The attack vector is a potential Denial of Service DoS. The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a...
Security Bulletin: Astronomer with IBM is vulnerable to authorization bypass due to the Kubernetes NodeRestriction functionality (CVE-2025-4563)
Summary Kubernetes is used by Astronomer with IBM as part of overall processing and deployment. Vulnerability Details CVEID:CVE-2025-4563 DESCRIPTION: A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When t...
Security Bulletin: Astronomer with IBM is vulnerable to uncontrolled redirects due to the urllib3 package (CVE-2025-50181, CVE-2025-50182)
Summary urllib3 is used by Astronomer with IBM as part of the HTTP processing functionality. Vulnerability Details CVEID:CVE-2025-50181 DESCRIPTION: urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a...
Security Bulletin: Astronomer with IBM is vulnerable to leaked credentials due to the requests package (CVE-2024-47081).
Summary Requests is used by Astronomer with IBM as part of the HTTP processing functionality. Vulnerability Details CVEID:CVE-2024-47081 DESCRIPTION: Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific...
Security Bulletin: Astronomer with IBM is vulnerable to unrestricted filesystem writes due to the tar-fs package (CVE-2025-48387)
Summary Tar-fs is used by Astronomer with IBM as part of tar file processing. Vulnerability Details CVEID:CVE-2025-48387 DESCRIPTION: tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir...
Security Bulletin: Astronomer with IBM is vulnerable to invalid signature verification due to the OpenPGP.js package (CVE-2025-47934)
Summary OpenPGP.js is used by Astronomer with IBM as part of OpenPGP processing functionality. Vulnerability Details CVEID:CVE-2025-47934 DESCRIPTION: OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. Starting in version 5.0.1 and prior to versions 5.11.3 and 6.1.1, a maliciously...
Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to loss of confidentiality [CVE-2025-1993]
Summary IBM App Connect Enterprise Certified Container DesignerAuthoring instances store their flows in a database that is protected by weaker than expected cryptographic algorithms that could be decrypted by a local user. This bulletin provides patch information to address the vulnerability in I...
Security Bulletin: IBM Security SOAR is using a component with a known vulnerability (CVE-2025-9670)
Summary IBM Security SOAR uses an older version of the turndown javascript module that may be identified and exploited. Updates for supported versions have been released which address the issue. It is recommended to upgrade to version 51.0.8.0 Vulnerability Details CVEID:CVE-2025-9670 DESCRIPTION...
Security Bulletin: Due to the use of Swagger UI, IBM Security SOAR is vulnerable to spoofing attacks.
Summary IBM Security SOAR uses Swagger-UI internally. CVE-2025-25031 Vulnerability Details CVEID:CVE-2018-25031 DESCRIPTION: Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this...
Security Bulletin: Vulnerabilities in Apache Tomcat Server (CVE-2025-52434, CVE-2025-48989, CVE-2025-52520, CVE-2025-53506, CVE-2025-55668, CVE-2025-49125, CVE-2025-48988, CVE-2025-46701, CVE-2025-31651, CVE-2025-31650) affect Power HMC.
Summary The Apache Tomcat Server is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2025-52434 DESCRIPTION: Concurrent Execution using Shared Resource with Improper Synchronization 'Race Condition' vulnerability in Apache Tomca...
Security Bulletin: Vulnerabilities in httpd library (CVE-2024-47252, CVE-2025-23048, CVE-2025-49630) affect Power HMC.
Summary The httpd library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2024-47252 DESCRIPTION: Insufficient escaping of user-supplied data in modssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS...
Security Bulletin: Multiple Vulnerabilities in IBM Concert Software.
Summary Multiple vulnerabilities were addressed in IBM Concert Software version 2.1.0 Vulnerability Details CVEID:CVE-2025-6493 DESCRIPTION: A weakness has been identified in CodeMirror up to 5.65.20. Affected is an unknown function of the file mode/markdown/markdown.js of the component Markdown...
Security Bulletin: Security vulnerability in form-data may affect IBM Business Automation Workflow - CVE-2025-7783
Summary IBM Business Automation Workflow references a vulnerable copy of the form-data open source library. Vulnerability Details CVEID:CVE-2025-7783 DESCRIPTION: Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution HPP. This vulnerability is associated...
Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Tivoli Netcool/OMNIbus WebGUI due to the October 2025 CPU
Summary Websphere Application Server WAS is shipped as a component of IBM Tivoli Netcool/OMNIbus WebGUI. Information about security vulnerabilities affecting WAS has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes sectio...
Security Bulletin: Due to the use of IBM WebSphere Application Server Liberty, CICS Transaction Gateway Desktop Edition and CICS Transaction Gateway for Multiplatforms are vulnerable to multiple vulnerabilities.
Summary Due to the use of IBM WebSphere Application Server Liberty, CICS Transaction Gateway Desktop Edition and CICS Transaction Gateway for Multiplatforms are vulnerable to multiple vulnerabilities CVE-2025-48976, CVE-2025-36047 and CVE-2024-56339. IBM WebSphere Application Server Liberty has...
Security Bulletin: Due to use of the sha.js library, IBM watsonx Code Assistant IDE Extensions is affected by Improper Input Validation vulnerability
Summary Sha.js is used internally by IBM watsonx Code Assistant IDE Extensions CVE-2025-9288 Vulnerability Details CVEID:CVE-2025-9288 DESCRIPTION: Improper Input Validation vulnerability in sha.js allows Input Data Manipulation. This issue affects sha.js: through 2.4.11. CWE:CWE-20: Improper Inpu...