Security Bulletin: Multiple security vulnerabilities are addressed with IBM Process Mining Interim Fix for May 2026

Summary Multiple vulnerabilities were addressed in IBM Process Mining 2.1.1 IF002 Vulnerability Details CVEID:CVE-2026-7246 DESCRIPTION: Pallets Click, versions 8.3.2 and below, contain a command injection vulnerability in the click.edit function, allowing attackers to pass arbitrary OS commands...

Security Bulletin: Qiskit SDK is vulnerable to specific functions may recurse too deeply and overflow the available stack space, when encountering certain classical expressions.

Summary The functions qiskit.qasm2.load and qiskit.qasm2.loads may recurse too deeply and overflow the available stack space, when encountering certain classical expressions. Vulnerability Details CVEID:CVE-2026-4870 DESCRIPTION: IBM Qiskit SDK could allow an attacker to trigger a segmentation...

Security Bulletin: Security Vulnerability in Spring Cloud Affects IBM Sterling B2B Integrator and IBM Sterling File Gateway (CVE-2025-41235)

Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway have addressed the security vulnerability in Spring Cloud Vulnerability Details CVEID:CVE-2025-41235 DESCRIPTION: Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies. CWE:CWE-444:...

Security Bulletin: Arbitrary File Write and Remote Code Execution Vulnerability in Langflow v2 API

Summary IBM Langflow Desktop contains a critical vulnerability in its v2 API file handling mechanism where the POST /api/v2/files/ endpoint improperly processes multipart upload filenames without sanitization, allowing path traversal and arbitrary file write outside intended directories; this fla...

Security Bulletin: upload filename directly from the multipart Content-Disposition header without sanitization

Summary Langflow OSS 1.2.0 - 1.8.4 are affected by a critical arbitrary file write vulnerability in the files endpoint due to improper handling of uploaded filenames. The application extracts the filename directly from the multipart Content-Disposition header without sanitization and uses unsafe...

Security Bulletin: Unauthenticated Insecure Direct Object Reference (IDOR) Vulnerability in Langflow Desktop Image Download Endpoint

Summary IBM Langflow Desktop contains a vulnerability in its image retrieval functionality where the GET /api/v1/files/images/flowid/filename endpoint fails to enforce authentication and ownership validation, allowing any unauthenticated user to access image files by supplying a valid flow...

Security Bulletin: Langflow OSS Unauthenticated IDOR on Image Downloads

Summary Langflow OSS versions 1.0.0 - 1.8.4 are affected by an insecure direct object reference vulnerability in the image download endpoint due to missing authentication and authorization checks. The images endpoint serves image files without verifying user identity or ownership. An user who get...

Security Bulletin: Security Vulnerability in Nimbus Jose JWT Affects IBM Sterling B2B Integrator and IBM Sterling File Gateway (CVE-2025-53864)

Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway have addressed the security vulnerability in Nimbus Jose JWT Vulnerability Details CVEID:CVE-2025-53864 DESCRIPTION: Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a...

Security Bulletin: Security Vulnerability in Spring Security Affects IBM Sterling B2B Integrator and IBM Sterling File Gateway (CVE-2025-41248)

Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway have addressed the security vulnerability in Spring Security Vulnerability Details CVEID:CVE-2025-41248 DESCRIPTION: The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type...

Security Bulletin: Security Vulnerability in Spring Boot Affects IBM Sterling B2B Integrator and IBM Sterling File Gateway (CVE-2025-22235)

Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway have addressed the security vulnerability in Spring Boot Vulnerability Details CVEID:CVE-2025-22235 DESCRIPTION: EndpointRequest.to creates a matcher for null/ if the actuator endpoint, for which the EndpointRequest has been create...

Security Bulletin: Multiple Security Vulnerabilities in Spring Framework Affect IBM Sterling B2B Integrator and IBM Sterling File Gateway

Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway have addressed the security vulnerabilities in Spring Framework Vulnerability Details CVEID:CVE-2025-22233 DESCRIPTION: CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patter...

Security Bulletin: IBM Engineering Lifecycle Management - Engineering Workflow Management is impacted by vulnerabilities HTML / XSS Injection observed

Summary Vulnerabilities have been identified in HTML / XSS Injection, which is used in IBM Engineering Lifecycle Management -Engineering Workflow Management Vulnerability Details CVEID:CVE-2025-33128 DESCRIPTION: IBM Engineering Workflow Management is vulnerable to cross-site scripting. This...

Security Bulletin: Multiple vulnerabilities in IBM watsonx Orchestrate Developer Edition

Summary Multiple vulnerabilities were addressed in IBM watsonx Orchestrate Developer Edition version 2.11.0 Vulnerability Details CVEID:CVE-2026-27139 DESCRIPTION: On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference ...

Security Bulletin: Multiple vulnerabilities in IBM watsonx Orchestrate Developer Edition

Summary Multiple vulnerabilities were addressed in IBM watsonx Orchestrate Developer Edition version 2.11.0 Vulnerability Details CVEID:CVE-2026-40895 DESCRIPTION: follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. Prior...

Security Bulletin: Multiple vulnerabilities in IBM watsonx Orchestrate Developer Edition

Summary Multiple vulnerabilities were addressed in IBM watsonx Orchestrate Developer Edition version 2.11.0 Vulnerability Details CVEID:CVE-2026-42577 DESCRIPTION: Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final , Netty's epoll transport fail...

Security Bulletin: Multiple vulnerabbilities exist in the IBM® SDK, Java™ Technology Edition affect IBM Tivoli Network Manager IP Edition core components

Summary Multiple vulnerabilities exist in IBM® SDK Java™ Technology Edition, Version 17.0.18.0, which is used by IBM Tivoli Network Manager IP Edition v4.2 Vulnerability Details CVEID:CVE-2026-22016 DESCRIPTION: Easily exploitable vulnerability allows unauthenticated attacker with network access...

Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.x) Platform - Multiple Vulnerabilities in IBM Java

Summary IBM Cloud Pak for Data System CPDS 1.x Platform uses IBM Java versions that are affected by multiple critical vulnerabilities disclosed in the Oracle January 2026 CPU advisory. The vulnerabilities impact IBM Java 7.1 prior to 7.1.5.29 and 8.0 prior to 8.0.8.60. These vulnerabilities affec...

Security Bulletin: The IBM Common Licensing product using WebSphere Application Server Liberty is affected by a remote code execution vulnerability (CVE-2025-14914)

Summary IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by a cross-site scripting vulnerability with the servlet-3.0, servlet-3.1, servlet-4.0, servlet-5.0, or servlet-6.0 feature enabled, due to improper validation of user-supplied input. An attacker could...

Security Bulletin: IBM Event Streams is affected by multiple vulnerabilities in Java SE (CVE-2026-21945, CVE-2026-21932, CVE-2026-21933).

Summary IBM Event Streams is affected by multiple vulnerabilities in Java SE. These vulnerabilities could allow a remote attacker to cause a denial of service condition, bypass security restrictions, or perform unauthorized operations on data processed by affected Java components. Vulnerability...

Security Bulletin: IBM Event Processing is affected by Multiple vulnerabilities

Summary IBM Event Processing is affected by Multiple vulnerabilities and were addressed in IBM Event Processing version 1.5.3 Vulnerability Details CVEID:CVE-2026-27148 DESCRIPTION: Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions...

Security Bulletin: IBM TRIRIGA Cross-Site Scripting Vulnerability

Summary IBM TRIRIGA is affected by a Cross-Site Scripting XSS vulnerability that could allow a remote authenticated user to inject malicious script into a web page viewed by other users. Successful exploitation could result in execution of arbitrary script within the victim's browser session. IBM...

Security Bulletin: Multiple vulnerabilities in IBM Observability with Instana (OnPrem)

Summary Multiple vulnerabilities were addressed in IBM Observability with Instana OnPrem build 1.0.319 Vulnerability Details CVEID:CVE-2018-20225 DESCRIPTION: An issue was discovered in pip all versions because it installs the version with the highest version number, even if the user had intended...

Security Bulletin: Multiple vulnerabilities have been addressed in IBM Aspera Shares

Summary Multiple vulnerabilities have been addressed in IBM Aspera Shares Version 1.11.3 Vulnerability Details CVEID:CVE-2026-42245 DESCRIPTION: Net::IMAP implements Internet Message Access Protocol IMAP client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4,...

Security Bulletin: Security vulnerabilities have been found in IBM Verify Identity Access Digital Credentials

Summary Security vulnerabilities have been addressed in IBM Verify Identity Access Digital Credentials Vulnerability Details CVEID:CVE-2026-45740 DESCRIPTION: protobufjs compiles protobuf definitions into JavaScript JS functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth...

Security Bulletin: Multiple security vulnerabilities may affect IBM Java that is shipped with TXSeries for Multiplatforms

Summary Multiple security vulnerabilities may affect IBM Java that is shipped with TXSeries for Multiplatforms CVE-2026-22016, CVE-2026-22021, CVE-2026-22013, CVE-2026-22018, CVE-2026-34268, CVE-2026-22007. An update to TXSeries for Multiplatforms has been released to address these vulnerabilitie...

Security Bulletin: Multiple security vulnerabilities may affect IBM Java that is shipped with IBM CICS TX Advanced

Summary Multiple security vulnerabilities may affect IBM Java that is shipped with IBM CICS TX Advanced CVE-2026-22016, CVE-2026-22021, CVE-2026-22013, CVE-2026-22018, CVE-2026-34268, CVE-2026-22007. An update to IBM CICS TX Advanced has been released to address these vulnerabilities. Vulnerabili...

Security Bulletin: An Improper Privilege Management vulnerability may affect IBM WebSphere Liberty that is shipped with TXSeries for Multiplatforms (CVE-2026-3621).

Summary An Improper Privilege Management vulnerability may affect IBM WebSphere Liberty that is shipped with TXSeries for Multiplatforms CVE-2026-3621. IBM WebSphere Liberty has been updated within TXSeries for Multiplatforms to address this vulnerability. Vulnerability Details CVEID:CVE-2026-362...

Security Bulletin: An Improper Privilege Management vulnerability may affect IBM WebSphere Liberty that is shipped with IBM CICS TX Advanced (CVE-2026-3621).

Summary An Improper Privilege Management vulnerability may affect IBM WebSphere Liberty that is shipped with IBM CICS TX Advanced CVE-2026-3621. IBM WebSphere Liberty has been updated within IBM CICS TX Advanced to address this vulnerability. Vulnerability Details CVEID:CVE-2026-3621 DESCRIPTION:...

Security Bulletin: The Apache Log4J 2 package that is shipped with IBM ApplinX is vulnerable to multiple vulnerabilities (CVE-2026-34480, CVE-2026-34477, CVE-2026-34478, CVE-2026-34479).

Summary The Apache Log4J 2 package that is shipped with IBM ApplinX is vulnerable to an Improper Encoding or Escaping of Output vulnerability, an Improper Validation of Certificate with Host Mismatch vulnerability and an Improper Output Neutralization for Logs vulnerability CVE-2026-34480,...

Security Bulletin: The Apache Commons Lang library that is shipped with IBM ApplinX is vulnerable to an Uncontrolled Recursion vulnerability (CVE-2025-48924).

Summary The Apache Commons Lang library that is shipped with IBM ApplinX is vulnerable to an Uncontrolled Recursion vulnerability CVE-2025-48924. The version of the Apache Commons Lang library that is shipped with IBM ApplinX has been updated in order to address the vulnerability. Vulnerability...

Security Bulletin: IBM App Connect for Manufacturing is vulnerable to CRLF Injection due to Netty ( CVE-2026-41417 )

Summary IBM App Connect for Manufacturing is vulnerable to CRLF Injection due to Netty. Vulnerability Details CVEID:CVE-2026-41417 DESCRIPTION: Netty allows request-line validation to be bypassed when a DefaultHttpRequest or DefaultFullHttpRequest is created first and its URI is later changed via...

Security Bulletin: SPSS Collaboration and Deployment Services is affected by multiple vulnerabilities in Eclipse Jetty

Summary SPSS Collaboration and Deployment Services is affected by multiple vulnerabilities in Eclipse Jetty. This has been addressed in the remediation section. Vulnerability Details CVEID:CVE-2025-11143 DESCRIPTION: The Jetty URI parser has some key differences to other common parsers when...

Security Bulletin: IBM App Connect Enterprise is vulnerable to Incorrect Authorization and Middleware Bypass due to Node.js module @hono/node-server ( CVE-2026-29087 & CVE-2026-39406 )

Summary IBM App Connect Enterprise runtime is vulnerable to Incorrect Authorization and Middleware Bypass due to Node.js module @hono/node-server. Vulnerability Details CVEID:CVE-2026-29087 DESCRIPTION: @hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, wh...

Security Bulletin: IBM Maximo Scheduler Optimizer uses axios-1.15.0.tgz which is vulnerable to CVE-2026-42033

Summary IBM Maximo Scheduler Optimizer uses axios-1.15.0.tgz which is vulnerable to CVE-2026-42033. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2026-42033 DESCRIPTION: Axios is a promise based HTTP client for the browser and...

Security Bulletin: Security Vulnerabilities were found in IBM Semeru Runtime Certified Edition provided with IBM Security Verify Directory (CVE-2026-21945, CVE-2026-21932, CVE-2026-21933, CVE-2026-21925)

Summary Security Vulnerabilities were addressed in IBM Semeru Runtime Certified Edition provided with IBM Verify Directory Vulnerability Details CVEID:CVE-2026-21945 DESCRIPTION: Java SE is vulnerable to a denial of service, caused by an easily exploitable vulnerability issue that allows an remot...

Security Bulletin: Vulnarability in commons-beanutils library (CVE-2019-10086) affects Power HMC.

Summary The commons-beanutils library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2019-10086 DESCRIPTION: In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability...

Security Bulletin: Vulnarability in openssl library (CVE-2025-69419) affects Power HMC.

Summary The openssl library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2025-69419 DESCRIPTION: Issue summary: Calling PKCS12getfriendlyname function on a maliciously crafted PKCS12 file with a BMPString UTF-16BE friendly...

Security Bulletin: Vulnarability in kernel library (CVE-2025-71085) affects Power HMC.

Summary The kernel library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2025-71085 DESCRIPTION: In the Linux kernel, the following vulnerability has been resolved: ipv6: BUG in pskbexpandhead as part of calipsoskbuffsetatt...

Security Bulletin: Vulnarability in grub2 library (CVE-2025-61662) affects Power HMC.

Summary The grub2 library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2025-61662 DESCRIPTION: A Use-After-Free vulnerability has been discovered in GRUB's gettext module. This flaw stems from a programming error where the...

Security Bulletin: Vulnarability in jackson-core library (WS-2026-0003) affects Power HMC.

Summary The jackson-core library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVE. Vulnerability Details ID:WS-2026-0003 DESCRIPTION: The non-blocking async JSON parser in jackson-core bypasses the maxNumberLength constraint default: 1000 characters defined i...

Security Bulletin: IBM Operations Analytics - Log Analysis is affected by improper resource management due to Eclipse Jetty

Summary Eclipse Jetty in Apache Solr is used by IBM Operations Analytics - Log Analysis as part of HTTP/HTTPS client requests for Apache Solr Admin UI. CVE-2025-5115. Vulnerability Details CVEID:CVE-2025-5115 DESCRIPTION: In Eclipse Jetty, versions =9.4.57, =10.0.25, =11.0.25, =12.0.21,...

Security Bulletin: Multiple Vulnerabilities in IBM Guardium Key Lifecycle Manager (CVE-2025-68161, CVE-2026-1726)

Summary Security Vulnerabilities have been addressed in IBM Guardium Key Lifecycle Manager Vulnerability Details CVEID:CVE-2026-1726 DESCRIPTION: IBM Security Guardium enables privilege escalation, allowing unauthorized users to perform administrative operations after being demoted. Attackers cou...

Security Bulletin: IBM Maximo Scheduler Optimizer uses axios-1.13.5.tgz which is vulnerable to CVE-2025-62718

Summary IBM Maximo Scheduler Optimizer uses axios-1.13.5.tgz which is vulnerable to CVE-2025-62718. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2025-62718 DESCRIPTION: Axios is a promise based HTTP client for the browser and...

Security Bulletin: Multiple vulnerabilities in IBM Tivoli Network Manager IP Edition

Summary Multiple vulnerabilities were addressed in IBM Tivoli Network Manager IP Edition 4.2.0.24 IFix 1 Vulnerability Details CVEID:CVE-2025-11143 DESCRIPTION: The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of...

Security Bulletin: Security Vulnerabilities were found in IBM Security Verify Directory (CVE-2018-2799, CVE-2022-23437)

Summary Security Vulnerabilities were addressed in IBM Security Verify Directory Vulnerability Details CVEID:CVE-2018-2799 DESCRIPTION: Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE subcomponent: JAXP. Supported versions that are affected are Java SE: 7u171,...

Security Bulletin: IBM Engineering Lifecycle Management - Engineering Workflow Management is impacted by vulnerabilities in Eclipse Paho Java client library

Summary A vulnerability has been identified in Eclipse Paho Java client library, which is used in IBM Engineering Lifecycle Management - Engineering Workflow Management . Vulnerability Details CVEID:CVE-2019-11777 DESCRIPTION: In the Eclipse Paho Java client library version 1.2.0, when connecting...

Security Bulletin: Due to the use of Netty, IBM Enterprise Build of Quarkus is affected by multiple vulnerabilities

Summary IBM Enterprise Build of Quarkus is affected by vulnerabilities in Netty Vulnerability Details CVEID:CVE-2026-42580 DESCRIPTION: Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int,...

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to multiple Operator package issues

Summary IBM Watson Speech Services Cartridge is vulnerable to multiple Operator package issues. We have performed updates to the Operators used by our Speech Services. The following vulnerabilities have been addressed in this update. Please read the details for remediation below. Vulnerability...

Security Bulletin: IBM SPSS Modeler is affected by vulnerabilities in Apache POI and Apache Commons Lang

Summary IBM SPSS Modeler is affected by vulnerabilities in Apache POI and Apache Commons Lang. This has been addressed in the remediation section. Vulnerability Details CVEID:CVE-2025-31672 DESCRIPTION: Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML...

Security Bulletin: IBM Engineering Lifecycle Optimization - Engineering Publishing affected by a race condition in Eclipse Jersey (CVE-2025-12383)

Summary A critical race condition CVE-2025-12383 has been identified in the Eclipse Jersey client library jersey-client-2.26.jar used by IBM Engineering Lifecycle Optimization - Engineering Publishing. Under high-concurrency conditions, a flaw in the HTTPS client's lazy initialization flow can...