35155 matches found

IBM Security Bulletins
added yesterday, 2 views

Security Bulletin: Vulnerable Version of Software in Use

Summary Vulnerable version of glibc included in prior versions of product. Vulnerability Details CVEID:CVE-2026-4046 DESCRIPTION: The iconv function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character...

CVSS 7.5, AI score 5.3, EPSS 0.00357
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added yesterday, 2 views

Security Bulletin: Vulnerable Version of Software in Use

Summary Vulnerable version of glibc in prior versions of product. Vulnerability Details CVEID:CVE-2026-4046 DESCRIPTION: The iconv function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which...

CVSS 7.5, AI score 5.3, EPSS 0.00357
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added yesterday, 2 views

Security Bulletin: Vulnerabilities have been identified in WebSphere Application Server shipped with WebSphere Service Registry and Repository (CVE-2026-10845, CVE-2026-8646, CVE-2026-9320, CVE-2026-9071 and CVE-2026-9006)

Summary WebSphere Application Server is shipped as a component of WebSphere Service Registry and Repository. Information about multiple vulnerabilities affecting WebSphere Application Server has been published in security bulletins. Vulnerability Details Refer to the security bulletins listed in...

AI score 5.5
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added yesterday, 2 views

Security Bulletin: Vulnerabilities have been identified in WebSphere Application Server Web Server Plug-ins shipped with WebSphere Service Registry and Repository (CVE-2026-10852, CVE-2026-8858 and CVE-2026-9072)

Summary WebSphere Application Server is shipped as a component of WebSphere Service Registry and Repository, and this contains the optional and separately installable Web Server Plug-ins component. Information about multiple remote code execution and denial of service vulnerabilities affecting...

AI score 6.3
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added yesterday, 6 views

Security Bulletin: Vulnerability in edk2 affects IBM Netezza Appliance

Summary The edk2 package is used by IBM Netezza Appliance. IBM Netezza Appliance has addressed the applicable CVE, CVE-2025-9230. Vulnerability Details CVEID:CVE-2025-9230 DESCRIPTION: Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigge...

CVSS 7.5, AI score 6.7, EPSS 0.0177
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added yesterday, 2 views

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerabilities in pypdf-6.11.0-py3-none-any.whl

Summary IBM Watson Discovery Cartridge affected by vulnerabilities in pypdf-6.11.0-py3-none-any.whl Vulnerability Details CVEID:CVE-2026-48155 DESCRIPTION: pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads...

CVSS 6.9, AI score 5.5, EPSS 0.00129
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added yesterday, 2 views

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerabilities in tomcat-embed-core-11.0.20.jar

Summary IBM Watson Discovery Cartridge affected by vulnerabilities in tomcat-embed-core-11.0.20.jar Vulnerability Details CVEID:CVE-2026-41293 DESCRIPTION: Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1...

CVSS 9.8, AI score 5.4, EPSS 0.00641
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added yesterday, 2 views

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerabilities in pyjwt-2.12.1-py3-none-any.whl

Summary IBM Watson Discovery Cartridge affected by vulnerabilities in pyjwt-2.12.1-py3-none-any.whl Vulnerability Details CVEID:CVE-2026-48522 DESCRIPTION: PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen...

CVSS 5.4, AI score 5.7, EPSS 0.0025
Exploits: 3, Affected Software: 1

IBM Security Bulletins
added yesterday, 2 views

Security Bulletin: IBM Security QRadar Log Management AQL Plugin is vulnerable to using components with known vulnerabilities

Summary The product includes vulnerable components e.g., framework libraries that could be identified and exploited with automated tools. IBM Security QRadar Log Management AQL Plugin has addressed the applicable CVEs in an update. Vulnerability Details CVEID:CVE-2026-41907 DESCRIPTION: uuid is f...

CVSS 9.8, AI score 6.8, EPSS 0.00575
Exploits: 4, Affected Software: 1

IBM Security Bulletins
added yesterday, 2 views

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in tomcat-embed-core-11.0.18.jar

Summary IBM Watson Discovery Cartridge affected by vulnerability in tomcat-embed-core-11.0.18.jar Vulnerability Details CVEID:CVE-2026-29146 DESCRIPTION: Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1...

CVSS 7.5, AI score 5.4, EPSS 0.03645
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added yesterday, 2 views

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerabilities in pygments-2.19.2-py3-none-any.whl

Summary IBM Watson Discovery Cartridge affected by vulnerabilities in pygments-2.19.2-py3-none-any.whl Vulnerability Details CVEID:CVE-2026-34483 DESCRIPTION: Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache...

CVSS 7.5, AI score 5.4, EPSS 0.01895
Exploits: 5, Affected Software: 1

IBM Security Bulletins
added yesterday, 2 views

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerabilities in tomcat-embed-core-11.0.20.jar

Summary IBM Watson Discovery Cartridge affected by vulnerabilities in tomcat-embed-core-11.0.20.jar Vulnerability Details CVEID:CVE-2026-41284 DESCRIPTION: Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through...

CVSS 7.5, AI score 5.4, EPSS 0.0078
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added yesterday, 2 views

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in postgresql-42.6.1.jar

Summary IBM Watson Discovery Cartridge affected by vulnerability in postgresql-42.6.1.jar Vulnerability Details CVEID:CVE-2026-42198 DESCRIPTION: pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service...

CVSS 7.5, AI score 5.3, EPSS 0.00445
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added yesterday, 9 views

Security Bulletin: IBM WebSphere Application Server is affected by an identity spoofing vulnerability (CVE-2026-8644)

Summary IBM WebSphere Application Server is affected by an identity spoofing vulnerability. Vulnerability Details CVEID:CVE-2026-8644 DESCRIPTION: IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to identity spoofing. CWE:CWE-290: Authentication Bypass by Spoofing CVSS Source: IBM CVSS...

CVSS 9.1, AI score 5.2, EPSS 0.00279
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added yesterday, 2 views

Security Bulletin: MongoDB Enterprise Advanced affected by: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CVE-2026-27727)

Summary There are vulnerabilities in mchange-commons-java-0.2.15.jar used in MongoDB Enterprise Advanced for IBM, involving CVE-2026-27727. The vulnerability has been addressed. Vulnerability Details CVEID:CVE-2026-27727 DESCRIPTION: mchange-commons-java, a library that provides Java utilities,...

CVSS 9.8, AI score 5.9, EPSS 0.00577
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added yesterday, 2 views

Security Bulletin: Vulnerability in Eclipse OMR affecting Host On-Demand

Summary There are vulnerabilities in Eclipse OMR used by Host On-Demand. Host On-Demand has provided fixes for the applicable CVEs. Vulnerability Details CVEID:CVE-2026-1188 DESCRIPTION: In the Eclipse OMR port library component since release 0.2.0, an API function to return the textual names of...

CVSS 9.8, AI score 5.9, EPSS 0.00491
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added yesterday, 2 views

Security Bulletin: Multiple Vulnerabilities in NLTK bundled with IBM Fusion, IBM Fusion HCI, and IBM Fusion Content-Aware Storage

Summary IBM Fusion, IBM Fusion HCI, and IBM Fusion Content-Aware Storage include the Natural Language Toolkit NLTK library, which is susceptible to several critical security vulnerabilities. These flaws could allow a remote attacker to execute arbitrary code, perform arbitrary file reads via path...

CVSS 10, AI score 6.8, EPSS 0.00777
Exploits: 9, Affected Software: 2

IBM Security Bulletins
added yesterday, 6 views

Security Bulletin: Vulnerability in Python-Multipart bundled with IBM Fusion, IBM Fusion HCI and IBM Fusion Content-Aware Storage

Summary IBM Fusion Content-Aware Storage includes the python-multipart library, which is susceptible to a Path Traversal vulnerability. This flaw exists when specific non-default configuration options, such as UPLOAD_KEEP_FILENAME=True, are utilized. A remote attacker could exploit this vulnerabili...

CVSS 8.6, AI score 5.7, EPSS 0.01761
Exploits: 5, Affected Software: 2

IBM Security Bulletins
added yesterday, 5 views

Security Bulletin: Multiple vulnerabilities have been identified in IBM WebSphere Application Server, which is a required product for IBM Tivoli Network Manager IP Edition

Summary IBM WebSphere Application Server is a required product for IBM Tivoli Network Manager version 4.2. Information about security vulnerabilities affecting IBM WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed ...

AI score 5.3
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added yesterday, 5 views

Security Bulletin: Vulnerability in gRPC-Go bundled with IBM Fusion, IBM Fusion HCI, and IBM Fusion Content-Aware Storage

Summary IBM Fusion, IBM Fusion HCI, and IBM Fusion Content-Aware Storage include the gRPC-Go library, which is vulnerable to an authorization bypass. This issue is caused by improper input validation of the HTTP/2 :path pseudo-header. The gRPC-Go server incorrectly accepted requests where the...

CVSS 9.1, AI score 5.6, EPSS 0.00522
Exploits: 1, Affected Software: 2

IBM Security Bulletins
added yesterday, 5 views

Security Bulletin: IBM webMethods BPM is vulnerable to Deserialization of Untrusted Data

Summary IBM My webMethods Server includes mina-core as part of its OSGi platform, which is affected by known vulnerabilities CVE-2026-42778 and CVE-2026-42779. This security bulletin provides guidance on addressing the vulnerability. Vulnerability Details CVEID:CVE-2026-42778 DESCRIPTION: The fix...

CVSS 9.8, AI score 5.6, EPSS 0.0093
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added yesterday, 3 views

Security Bulletin: IBM Engineering Lifecycle Management on Hybrid Cloud multiple vulnerabilities addressed

Summary This release addresses security vulnerabilities in the application and operator images of the ELM on Hybrid Cloud offering. The vulnerabilities identified below relate to the underlying OS packages and language dependencies, which impact the product within the deployed environment. Two of...

CVSS 10, AI score 8, EPSS 0.01073
Exploits: 2, Affected Software: 1

IBM Security Bulletins
added yesterday, 3 views

Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by multiple vulnerabilities in the cryptography package

Summary IBM Cloud Pak for Data System CPDS 1.0 uses the Python cryptography package, which is affected by multiple security vulnerabilities. CVE-2026-34073 involves improper certificate validation where DNS name constraints are only validated against SANs within child certificates and not the "pe...

CVSS 9.8, AI score 5.5, EPSS 0.00525
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added yesterday, 3 views

Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by multiple vulnerabilities in Vim

Summary IBM Cloud Pak for Data System 1.0 includes Vim, which is affected by multiple security vulnerabilities. These vulnerabilities include command injection CVE-2026-28417, multiple heap-based buffer overflows CVE-2026-28418, CVE-2026-28420, CVE-2026-28421, heap-based buffer underflow...

CVSS 7.8, AI score 6.3, EPSS 0.01162
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added yesterday, 3 views

Security Bulletin: IBM Sterling Connect:Direct Web Services is Affected by broken or risky algorithm.

Summary bcprov-jdk18on-1.81.jar is used by IBM Sterling Connect:Direct Web Services CVE-2025-14813, CVE-2026-5598. Vulnerability Details CVEID:CVE-2025-14813 DESCRIPTION: Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all cor...

CVSS 9.9, AI score 5.3, EPSS 0.00512
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added yesterday, 3 views

Security Bulletin: IBM B2B Advanced Communications is vulnerable to man-in-the-middle attack due to log4j-core (CVE-2025-68161)

Summary IBM B2B Advanced Communications has addressed vulnerabilities in log4j-core shipped with product Vulnerability Details CVEID:CVE-2025-68161 DESCRIPTION: The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer...

CVSS 6.3, AI score 5.3, EPSS 0.00743
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added yesterday, 3 views

Security Bulletin: IBM Operational Decision Manager - Multiple CVEs addressed related to SOLR and its dependencies (such as Jetty) affecting ODM-9.0.0 and older versions

Summary This Security bulletin addresses vulnerabilities in Apache Solr and its dependencies including Eclipse Jetty that might affect IBM Operational Decision Manager version 9.0.0 and older versions. Vulnerability Details CVEID:CVE-2026-44825 DESCRIPTION: Hardcoded credentials in the Basic...

CVSS 9.8, AI score 5.8, EPSS 0.00812
Exploits: 2, Affected Software: 1

IBM Security Bulletins
added 2 days ago, 9 views

Security Bulletin: Multiple security vulnerabilities in RedHat UBI affect IBM Robotic Process Automation for Cloud Pak

Summary Multiple vulnerabilities in RedHat UBI affect IBM Robotic Process Automation for Cloud Pak. RedHat UBI is used as the base image for IBM Robotic Process Automation for Cloud Pak images. This bulletin identifies the fixes required to address the vulnerabilities. Vulnerability Details...

CVSS 8.2, AI score 6.4, EPSS 0.01185
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2 days ago, 3 views

Security Bulletin: Multiple vulnerabilities in IBM Aspera HTTP Gateway

Summary Multiple vulnerabilities were addressed in IBM Aspera HTTP Gateway version 2.3.3. Vulnerability Details CVEID:CVE-2026-33814 DESCRIPTION: When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with ...

CVSS 7.5, AI score 5.4, EPSS 0.00565
Exploits: 0, Affected Software: 5

IBM Security Bulletins
added 2 days ago, 7 views

Security Bulletin: IBM WebSphere Application Server is affected by remote code execution (CVE-2026-9311, CVE-2026-9330)

Summary IBM WebSphere Application Server is affected by remote code execution. Vulnerability Details CVEID:CVE-2026-9330 DESCRIPTION: IBM WebSphere Application Server 9.0, and 8.5 is affected by an improper validation of user-supplied data during deserialization using the SAML Web Single Sign-On...

CVSS 9, AI score 6.5, EPSS 0.00399
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2 days ago, 8 views

Security Bulletin: IBM WebSphere Application Server is affected by a remote code execution vulnerability (CVE-2026-9319)

Summary IBM WebSphere Application Server is affected by a remote code execution vulnerability when using JAX-WS endpoints with WS-Security. Vulnerability Details CVEID:CVE-2026-9319 DESCRIPTION: IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to potential remote code execution due to...

CVSS 9, AI score 6.3, EPSS 0.00366
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2 days ago, 3 views

Security Bulletin: DataStage on Cloud Pak for Data has several vulnerabilities due to open source software

Summary Open source packages are used as part of the overall processing in DataStage on Cloud Pak for Data. Vulnerability Details CVEID:CVE-2025-67735 DESCRIPTION: Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the...

CVSS 7.5, AI score 6.3, EPSS 0.00574
Exploits: 2, Affected Software: 1

IBM Security Bulletins
added 2 days ago, 4 views

Security Bulletin: The Apache Tomcat application server that is shipped with IBM ApplinX is vulnerable to multiple vulnerabilities.

Summary The Apache Tomcat application server that is shipped with IBM ApplinX is vulnerable to multiple vulnerabilities CVE-2026-29146, CVE-2026-34487, CVE-2026-24880, CVE-2026-25854, CVE-2026-29129, CVE-2026-29145, CVE-2026-32990, CVE-2026-34483, CVE-2026-34500, CVE-2026-41284, CVE-2026-41293,...

CVSS 9.8, AI score 5.8, EPSS 0.03645
Exploits: 3, Affected Software: 1

IBM Security Bulletins
added 2 days ago, 4 views

Security Bulletin: MongoDB Enterprise Advanced affected by: Uncontrolled Resource Consumption (CVE-2025-66453)

Summary There are vulnerabilities in rhino-1.7.7.2.jar used in MongoDB Enterprise Advanced for IBM, involving CVE-2025-66453. The vulnerability has been addressed. Vulnerability Details CVEID:CVE-2025-66453 DESCRIPTION: Rhino is an open-source implementation of JavaScript written entirely in Jav...

CVSS 7.5, AI score 5.2, EPSS 0.00231
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2 days ago, 3 views

Security Bulletin: MongoDB Enterprise Advanced affected by: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-2025-66648)

Summary There are vulnerabilities in vega-functions-5.18.1.tgz used in MongoDB Enterprise Advanced for IBM, involving CVE-2025-66648. The vulnerability has been addressed. Vulnerability Details CVEID:CVE-2025-66648 DESCRIPTION: vega-functions provides function implementations for the Vega...

CVSS 7.2, AI score 5.2, EPSS 0.00184
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2 days ago, 3 views

Security Bulletin: MongoDB Enterprise Advanced affected by: Uncontrolled Resource Consumption (CVE-2026-1605)

Summary There are vulnerabilities in jetty-server-12.0.22.jar used in MongoDB Enterprise Advanced for IBM, involving CVE-2026-1605. The vulnerability has been addressed. Vulnerability Details CVEID:CVE-2026-1605 DESCRIPTION: In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class...

CVSS 7.5, AI score 5.2, EPSS 0.00367
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2 days ago, 3 views

Security Bulletin: MongoDB Enterprise Advanced affected by: Improper Input Validation (CVE-2025-66400)

Summary There are vulnerabilities in mdast-util-to-hast-13.2.0.tgz used in MongoDB Enterprise Advanced for IBM, involving CVE-2025-66400. The vulnerability has been addressed. Vulnerability Details CVEID:CVE-2025-66400 DESCRIPTION: mdast-util-to-hast is an mdast utility to transform to hast. Fro...

CVSS 6.9, AI score 5.3, EPSS 0.00251
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2 days ago, 3 views

Security Bulletin: MongoDB Enterprise Advanced affected by: Improper Input Validation (CVE-2025-11143)

Summary There are vulnerabilities in jetty-http-12.0.22.jar used in MongoDB Enterprise Advanced for IBM, involving CVE-2025-11143. The vulnerability has been addressed. Vulnerability Details CVEID:CVE-2025-11143 DESCRIPTION: The Jetty URI parser has some key differences to other common parsers...

CVSS 6.5, AI score 5.3, EPSS 0.00159
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2 days ago, 3 views

Security Bulletin: MongoDB Enterprise Advanced affected by: Allocation of Resources Without Limits or Throttling (CVE-2026-27601)

Summary There are vulnerabilities in underscore-1.13.6.tgz used in MongoDB Enterprise Advanced for IBM, involving CVE-2026-27601. The vulnerability has been addressed. Vulnerability Details CVEID:CVE-2026-27601 DESCRIPTION: Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8,...

CVSS 8.2, AI score 5.5, EPSS 0.00612
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2 days ago, 3 views

Security Bulletin: MongoDB Enterprise Advanced affected by: Improperly Controlled Modification of Object Prototype Attributes (CVE-2025-13465)

Summary There are vulnerabilities in lodash-4.17.21.tgz, lodash-es-4.17.21.tgz used in MongoDB Enterprise Advanced for IBM, involving CVE-2025-13465. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2025-13465 DESCRIPTION: Lodash versions 4.0.0 through 4.17.22 are...

CVSS 7.9, AI score 5.3, EPSS 0.00317
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2 days ago, 3 views

Security Bulletin: MongoDB Enterprise Advanced affected by: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-2025-59840)

Summary There are vulnerabilities in vega-expression-5.1.2.tgz, vega-interpreter-1.1.0.tgz used in MongoDB Enterprise Advanced for IBM, involving CVE-2025-59840. The vulnerability has been addressed. Vulnerability Details CVEID:CVE-2025-59840 DESCRIPTION: Vega is a visualization grammar, a...

CVSS 8.1, AI score 5.5, EPSS 0.00334
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2 days ago, 3 views

Security Bulletin: MongoDB Enterprise Advanced affected by: Improper Input Validation (CVE-2026-24734)

Summary There are vulnerabilities in tomcat-embed-core-10.1.50.jar used in MongoDB Enterprise Advanced for IBM, involving CVE-2026-24734. The vulnerability has been addressed. Vulnerability Details CVEID:CVE-2026-24734 DESCRIPTION: Improper Input Validation vulnerability in Apache Tomcat Native,...

CVSS 7.5, AI score 5.2, EPSS 0.00218
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2 days ago, 4 views

Security Bulletin: MongoDB Enterprise Advanced affected by: Improper Control of Generation of Code ('Code Injection') (CVE-2026-27830)

Summary There are vulnerabilities in c3p0-0.9.5.4.jar used in MongoDB Enterprise Advanced for IBM, involving CVE-2026-27830. The vulnerability has been addressed. Vulnerability Details CVEID:CVE-2026-27830 DESCRIPTION: c3p0, a JDBC Connection pooling library, is vulnerable to attack via...

CVSS 8.9, AI score 6.1, EPSS 0.00304
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2 days ago, 3 views

Security Bulletin: MongoDB Enterprise Advanced affected by: URL Redirection to Untrusted Site ('Open Redirect') (CVE-2025-68470)

Summary There are vulnerabilities in react-router-6.3.0.tgz used in MongoDB Enterprise Advanced for IBM, involving CVE-2025-68470. The vulnerability has been addressed. Vulnerability Details CVEID:CVE-2025-68470 DESCRIPTION: React Router is a router for React. In versions 6.0.0 through 6.30.1 an...

CVSS 6.5, AI score 5.2, EPSS 0.00198
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2 days ago, 3 views

Security Bulletin: Multiple vulnerabilities in IBM Aspera Faspex

Summary Multiple vulnerabilities were addressed in IBM Aspera Faspex 5.0.15.4 Vulnerability Details CVEID:CVE-2026-6322 DESCRIPTION: fast-uri normalize decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host th...

CVSS 7.5, AI score 5.3, EPSS 0.00565
Exploits: 0, Affected Software: 6

IBM Security Bulletins
added 2 days ago, 3 views

Security Bulletin: Db2 Query Management Facility is vulnerable to IBM Semeru Runtime Quarterly CPU - Apr 2026 - Includes OpenJDK April 2026 CPU plus CVE-2026-6918

Summary Db2 Query Management Facility is vulnerable to IBM Semeru Runtime Quarterly CPU - Apr 2026 - Includes OpenJDK April 2026 CPU plus CVE-2026-6918 Vulnerability Details CVEID:CVE-2026-34282 DESCRIPTION: Easily exploitable vulnerability allows unauthenticated attacker with network access via...

CVSS 8.7, AI score 5.4, EPSS 0.00378
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2 days ago, 3 views

Security Bulletin: IBM SPSS Modeler is affected by vulnerabilities in Netty

Summary IBM SPSS Modeler is affected by vulnerabilities in Netty. This has been addressed in the remediation section. Vulnerability Details CVEID:CVE-2024-47535 DESCRIPTION: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance...

CVSS 5.5, AI score 5.1, EPSS 0.00408
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2 days ago, 3 views

Security Bulletin: Security Vulnerabilities affect IBM Voice Gateway

Summary Security Vulnerabilities affect IBM Voice Gateway. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2026-42579 DESCRIPTION: Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not...

CVSS 9.1, AI score 5.3, EPSS 0.00418
Exploits: 2, Affected Software: 1

IBM Security Bulletins
added 2 days ago, 3 views

Security Bulletin: Db2 Query Management Facility is vulnerable to IBM SDK, Java Technology Edition Quarterly CPU - Apr 2026 - Includes Oracle April 2026 CPU

Summary Db2 Query Management Facility is vulnerable to IBM SDK, Java Technology Edition Quarterly CPU - Apr 2026 - Includes Oracle April 2026 CPU plus CVE-2026-22016, CVE-2026-22021, CVE-2026-22013, CVE-2026-22018, CVE-2026-34268, and CVE-2026-22007 Vulnerability Details CVEID:CVE-2026-22016...

CVSS 7.5, AI score 5, EPSS 0.00358
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2 days ago, 3 views

Security Bulletin: Multiple Vulnerabilities in IBM Datacap

Summary Multiple vulnerabilities were addressed in IBM Datacap version 9.1.9 Interim Fix 008. Vulnerability Details CVEID:CVE-2026-45205 DESCRIPTION: Uncontrolled Recursion vulnerability in Apache Commons. When processing an untrusted configuration file, Commons Configuration will throw a...

CVSS 6.3, AI score 5, EPSS 0.00743
Exploits: 1, Affected Software: 1

Total number of security vulnerabilities: 35155