35596 matches found
Security Bulletin: Improper Access Control and Exposure of Information Through Directory Listing vulnerabilities affect IBM Cloud Pak System[CVE-2023-38265, CVE-2023-38005]
Summary Improper Access Control and Exposure of Information Through Directory Listing vulnerabilities affect Cloud Pak System respectively. IBM Cloud Pak System could allow an authenticated user to perform unauthorized tasks due to improper access controls , and disclose folder location informati...
Security Bulletin: Multiple vulnerabilities in IBM Tivoli Monitoring affect IBM Cloud Pak System
Summary Multiple vulnerabilities in IBM Tivoli Monitoring affect IBM Cloud Pak System. Vulnerability Details CVEID:CVE-2024-35154 DESCRIPTION: IBM WebSphere Application Server 8.5 and 9.0 could allow a remote authenticated attacker, who has authorized access to the administrative console, to...
Security Bulletin: Due to the use of Google Go, IBM Cloud Pak Sys is affected by an infinite loop when unmarshaling certain forms of invalid JSON
Summary Vulnerability in Go used by Cloud Pak System CVE-2024-24786. Vulnerability Details CVEID:CVE-2024-24786 DESCRIPTION: The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which...
Security Bulletin: Due to IBM Storage Scale, IBM Cloud Pak System is affected by multiple vulnerabilities [CVE-2025-48976, CVE-2025-30204, CVE-2025-1137].
Summary Execute privileged command and denial of service vulnerabilities found in IBM Storage Scale previously known as IBM Spectrum Scale affect IBM Cloud Pak System. These vulnerabilities were addressed in IBM Cloud Pak System v2.3.6.1 and IBM Cloud Pak System v2.3.5.1 Vulnerability Details...
Security Bulletin: Multiple Vulnerabilities in IBM Cloud Pak System[CVE-2020-5256, CVE-2025-2895]
Summary Multiple Vulnerabilities were addressed in IBM Cloud Pak System. IBM Cloud Pak System is affected to Prototype Pollution due to Dojo and HTML Injection in JavaScript. Vulnerability Details CVEID:CVE-2020-5258 DESCRIPTION: In affected versions of dojo NPM package, the deepCopy method is...
Security Bulletin: Due to the use of IBM Db2, IBM Cloud Pak System is affected by multiple vulnerabilities
Summary Vulnerabilities found in IBM Db2 LUW that affect Foundation and IBM Tivoli Monitoring ITM pattern Types pTypes shipped with IBM Cloud Pak System. Vulnerabilities were addressed in IBM Cloud Pak System. IBM Cloud Pak System v2.3.6.1 has updated Foundation and ITM pTypes to Foundation versi...
Security Bulletin: Due to use of Golang Go, multiple vulnerabilities affect IBM Cloud Pak System
Summary Due to use of Golang Go multiple vulnerabilities affect IBM Cloud Pak System. IBM Cloud Pak System has addressed these vulnerabilities CVE-2025-47913, CVE-2025-47914, CVE-2025-58181 Vulnerability Details CVEID:CVE-2025-47913 DESCRIPTION: SSH clients receiving SSHAGENTSUCCESS when expectin...
Security Bulletin: Potential denial of service in X.509 name checks in OpenSSL affect Cloud Pak System [CVE-2024-6119]
Summary Potential denial of service in X.509 name checks in OpenSSL affect Cloud Pak System. Vulnerability was addressed by IBM Cloud Pak System. Vulnerability Details CVEID:CVE-2024-6119 DESCRIPTION: Issue summary: Applications performing certificate name checks e.g., TLS clients checking server...
Security Bulletin: IBM Cloud Pak System is vulnerable to HTML injection[CVE-2023-38007].
Summary IBM Cloud Pak System is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. Vulnerability was addressed in IBM Cloud Pak System. Vulnerability...
Security Bulletin: Due to use of IBM Tivoli Monitoring , IBM Cloud Pak System is affected by multiple vulnerabilities.
Summary Multiple vulnerabilities were addressed in IBM Cloud Pak System. Vulnerability Details CVEID:CVE-2024-38473 DESCRIPTION: Encoding problem in modproxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing...
Security Bulletin: Multiple Vulnerabilities in IBM Cloud Pak System
Summary Multiple vulnerabilities were addressed in IBM Cloud Pak System version 2.3.6.1 and IBM Cloud Pak System version 2.3.5.1. Vulnerability Details CVEID:CVE-2025-0395 DESCRIPTION: When the assert function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for...
Security Bulletin: Multiple Vulnerabilities affect IBM Cloud Pak System
Summary Multiple Vulnerabilities have been addressed in IBM Cloud Pak System v2.3.5.1. Vulnerability Details CVEID:CVE-2026-29063 DESCRIPTION: Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable v...
Security Bulletin: Multiple Vulnerabilities in IBM Library Support for Spring
Summary Multiple vulnerabilities were addressed in IBM Library Support for Spring 2.7 Vulnerability Details CVEID:CVE-2025-41249 DESCRIPTION: The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super typ...
Security Bulletin: IBM SPSS Modeler is affected by multiple vulnerabilities in DataView
Summary IBM SPSS Modeler is affected by multiple vulnerabilities in DataView. This has been addressed in the remediation section. Vulnerability Details CVEID:CVE-2021-33036 DESCRIPTION: In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can...
Security Bulletin: Security vulnerabilities have been identified in WebSphere Application Server and WebSphere Application Server Liberty shipped with IBM Guardium Key Lifecycle Manager (GKLM)
Summary WebSphere Application Server and WebSphere Application Server Liberty is shipped as a component of IBM Guardium Key Lifecycle Manager GKLM. Information about security vulnerabilities affecting WebSphere Application Server and WebSphere Application Server Liberty has been published in a...
Security Bulletin: Security vulnerability has been found in WebSphere Application Server shipped with IBM Guardium Key Lifecycle Manager (SKLM/GKLM)
Summary WebSphere Application Server is shipped as a component of IBM Guardium Key Lifecycle Manager SKLM/GKLM. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed...
Security Bulletin: Security vulnerability has been found in WebSphere Application Server shipped with IBM Guardium Key Lifecycle Manager (SKLM/GKLM)
Summary WebSphere Application Server is shipped as a component of IBM Guardium Key Lifecycle Manager SKLM/GKLM. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed...
Security Bulletin: Vulnerability in BIND (CVE-2026-3592, CVE-2026-5946) affects AIX/ VIOS.
Summary CVE-2026-3592: Resolver queries a specially crafted zone containing self-pointed glue records, causing disproportionate resource consumption. CVE-2026-5946: Specially crafted DNS messages using non-IN classes e.g., CHAOS, HESIOD, ANY, NONE trigger assertion failures, terminating the named...
Security Bulletin: Vulnerability in BIND (CVE-2026-1519) affects AIX/ VIOS.
Summary When a BIND 9 resolver performs DNSSEC validation on a maliciously crafted DNS zone, an attacker can trigger excessive NSEC3 iterations during insecure delegation validation. This causes the named process to consume excessive CPU resources, potentially making the resolver unavailable...
Security Bulletin: Vulnerability in BIND (CVE-2025-13878) affects AIX/ VIOS.
Summary A remote attacker can send or trigger processing of malformed BRID/HHIT DNS resource records, causing the named daemon to terminate unexpectedly. Vulnerability Details CVEID:CVE-2025-13878 DESCRIPTION: Malformed BRID/HHIT records can cause named to terminate unexpectedly. This issue affec...
Security Bulletin: Security vulnerabilities have been found in WebSphere Application Server shipped with IBM Guardium Key Lifecycle Manager (SKLM/GKLM)
Summary WebSphere Application Server is shipped as a component of IBM Guardium Key Lifecycle Manager SKLM/GKLM. Information about security vulnerabilities affecting WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed...
Security Bulletin: Multiple Vulnerabilities in IBM Bob
Summary Multiple vulnerabilities were addressed in IBM Bob V 2.0 Vulnerability Details CVEID:CVE-2026-41676 DESCRIPTION: rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.27 to before 0.10.78, Deriver::derive and PkeyCtxRef::derive sets len = buf.len and passes it...
Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is affected by a remote code execution vulnerability (CVE-2026-11536)
Summary IBM WebSphere Application Server, which is bundled with IBM Enterprise Application Runtimes, is affected by a remote code execution vulnerability in the SOAP/JMX connector. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and...
Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is affected by a remote code execution vulnerability (CVE-2026-11536)
Summary IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is affected by a remote code execution vulnerability in the SOAP/JMX connector. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and...
Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is affected by a remote code execution vulnerability (CVE-2026-11536)
Summary IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is affected by a remote code execution vulnerability in the SOAP/JMX connector. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Version...
Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is affected by a server-side request forgery vulnerability (CVE-2026-9006)
Summary IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is affected by a server-side request forgery vulnerability with the Ajax Proxy configured. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Product...
Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is affected by a server-side request forgery vulnerability (CVE-2026-9006)
Summary IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is affected by a server-side request forgery vulnerability with the Ajax Proxy configured. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products...
Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM Enterprise Application Runtimes, is affected by a server-side request forgery vulnerability (CVE-2026-9006)
Summary IBM WebSphere Application Server, which is bundled with IBM Enterprise Application Runtimes, is affected by a server-side request forgery vulnerability with the Ajax Proxy configured. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected...
Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM Enterprise Application Runtimes, is affected by an authentication bypass vulnerability (CVE-2026-10845)
Summary IBM WebSphere Application Server, which is bundled with IBM Enterprise Application Runtimes, is affected by an authentication bypass vulnerability when a JAX-WS application is deployed. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected...
Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is affected by an authentication bypass vulnerability (CVE-2026-10845)
Summary IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is affected by an authentication bypass vulnerability when a JAX-WS application is deployed. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Product...
Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is affected by an authentication bypass vulnerability (CVE-2026-10845)
Summary IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is affected by an authentication bypass vulnerability when a JAX-WS application is deployed. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected...
Security Bulletin: IBM WebSphere Application Server and WebSphere Application Server Liberty, which are bundled with IBM WebSphere Hybrid Edition, are affected by multiple vulnerabilities (CVE-2026-8646, CVE-2026-9320, CVE-2026-9071)
Summary IBM WebSphere Application Server and WebSphere Application Server Liberty, which are bundled with IBM WebSphere Hybrid Edition, are affected by HTTP request smuggling and a denial of service. This affects IBM WebSphere Application Server Liberty with the servlet-3.0, servlet-3.1,...
Security Bulletin: IBM WebSphere Application Server and WebSphere Application Server Liberty, which are bundled with IBM WebSphere Hybrid Edition, are affected by multiple vulnerabilities (CVE-2026-8646, CVE-2026-9320, CVE-2026-9071)
Summary IBM WebSphere Application Server and WebSphere Application Server Liberty, which are bundled with IBM WebSphere Hybrid Edition, are affected by HTTP request smuggling and a denial of service. This affects IBM WebSphere Application Server Liberty with the servlet-3.0, servlet-3.1,...
Security Bulletin: IBM WebSphere Application Server and WebSphere Application Server Liberty, which are bundled with IBM Enterprise Application Runtimes, are affected by multiple vulnerabilities (CVE-2026-8646, CVE-2026-9320, CVE-2026-9071)
Summary IBM WebSphere Application Server and WebSphere Application Server Liberty, which are bundled with IBM Enterprise Application Runtimes, are affected by HTTP request smuggling and a denial of service. This affects IBM WebSphere Application Server Liberty with the servlet-3.0, servlet-3.1,...
Security Bulletin: IBM WebSphere Application Server and WebSphere Application Server Liberty, which are bundled with IBM Cloud Pak for Applications, are affected by multiple vulnerabilities (CVE-2026-8646, CVE-2026-9320, CVE-2026-9071)
Summary IBM WebSphere Application Server and WebSphere Application Server Liberty, which are bundled with IBM Cloud Pak for Applications, are affected by HTTP request smuggling and a denial of service. This affects IBM WebSphere Application Server Liberty with the servlet-3.0, servlet-3.1,...
Security Bulletin: IBM i is Affected by Algorithm Downgrade in Transport Layer Security [CVE-2026-4942]
Summary IBM i Transport Layer Security TLS is vulnerable to selection of less-secure algorithm during negotation CVE-2026-4942 as described in the vulnerability details section. Vulnerability Details CVEID:CVE-2026-4942 DESCRIPTION: IBM i could allow a remote attacker to send a specifically craft...
Security Bulletin: IBM WebSphere Application Server and WebSphere Application Server Liberty (bundled with IBM WebSphere Hybrid Edition) are affected by multiple vulnerabilities when using Web Server Plug-ins(CVE-2026-9072, CVE-2026-8858, CVE-2026-10852)
Summary IBM WebSphere Application Server and WebSphere Application Server Liberty, which are bundled with IBM WebSphere Hybrid Edition, are affected by remote code execution and a denial of service when using the optional and separately installable Web Server Plug-ins for IBM WebSphere Applicatio...
Security Bulletin: IBM WebSphere Application Server and WebSphere Application Server Liberty bundled with IBM Cloud Pak for Applications, are affected by vulnerabilities using Web Server Plug-ins (CVE-2026-9072, CVE-2026-8858, CVE-2026-10852)
Summary IBM WebSphere Application Server and WebSphere Application Server Liberty, which are bundled with IBM Cloud Pak for Applications, are affected by remote code execution and a denial of service when using the optional and separately installable Web Server Plug-ins for IBM WebSphere...
Security Bulletin: Multiple vulnerabilities that affects IBM Db2 Genius Hub
Summary The following dependency packages are being used by IBM Db2 Genius Hub. flatted-3.3.3.tgz , axios-1.15.1.tgz, immutable-4.0.0-rc.12.tgz , lodash-4.17.23.tgz, jspdf-3.0.2.tgz , swiper-11.2.10.tgz , picomatch-2.3.1.tgz , axios-1.12.2.tgz , router-1.23.0.tgz , minimatch-10.2.1.tgz ,...
Security Bulletin: Path Traversal Vulnerability in File Component Leading to Arbitrary File Read and Authentication Bypass
Summary A path traversal vulnerability existed in the File component's tar archive extraction functionality. An authenticated user could upload a specially crafted tar archive containing symbolic links to read arbitrary files accessible to the application process. The vulnerability allowed an...
Security Bulletin: Parameter Injection Vulnerability in API Graph Execution Engine
Summary A parameter injection vulnerability existed in the API Graph Execution Engine's tweaks processing mechanism. The vulnerability allowed authenticated attackers to bypass security controls and inject malicious parameters into flow components at runtime. An attacker with valid API credential...
Security Bulletin: MCP Server Configuration Validator Bypass via File Upload API
Summary A validation bypass vulnerability existed in the File Manager API that could allow an authenticated attacker to upload malicious MCP server configurations. The file upload endpoint accepted mcpservers.json files without invoking the MCPServerConfig validator, while the structured MCP API...
Security Bulletin: Path Traversal Vulnerability in API Request Component Content-Disposition Header Processing
Summary A path traversal vulnerability existed in the API Request component's response handling logic. An authenticated attacker could craft a malicious server response with a specially crafted Content-Disposition header containing directory traversal sequences. When a victim configured an API...
Security Bulletin: SSRF Protection Configuration Vulnerability
Summary A configuration vulnerability was identified where SSRF Server-Side Request Forgery protection could be disabled through default settings, potentially allowing authenticated users to make the server fetch arbitrary URLs including cloud metadata endpoints 169.254.169.254, internal services...
Security Bulletin: Unauthenticated User Registration Could Lead to Remote Code Execution
Summary An attacker could create accounts on an exposed instance without authentication through the user registration API. If an operator had configured newly created accounts to be active immediately, the attacker could then log in as that new user and reach code-execution functionality, which...
Security Bulletin: Remote Code Execution in CUGA Component CodeAgent
Summary An authenticated user could execute arbitrary commands on the server when the CUGA component is installed and a flow using CUGA's CodeAgent is created and executed. The vulnerability exists in the CodeAgent's Python code execution path, which permits object graph introspection to recover...
Security Bulletin: Unauthenticated Remote Code Execution via Auto-Login Bypass and Code Validation
Summary A vulnerability allowed unauthenticated attackers to achieve remote code execution on default-configured instances. The vulnerability combined two distinct issues: an unauthenticated endpoint that issued superuser bearer tokens to any network caller, and a code validation endpoint that...
Security Bulletin: Unauthenticated Superuser Token Issuance via Auto-Login Endpoint
Summary An unauthenticated endpoint in the login API allowed any network-reachable attacker to obtain a 365-day superuser bearer token without requiring any credentials. The /api/v1/login/autologin endpoint issued tokens when the AUTOLOGIN configuration defaulted to True, enabling complete...
Security Bulletin: Arbitrary Code Execution in Python Interpreter Component
Summary A vulnerability in the Python Interpreter component allowed authenticated users to execute arbitrary Python code and escalate privileges to superuser level. An attacker with valid credentials could bypass security controls through the PythonREPLComponent, directly access the database, and...
Security Bulletin: Path Traversal in APIRequest Component via Content-Disposition Header
Summary A path traversal vulnerability existed in the APIRequest component when the "Save to File" feature was enabled. The component extracted filenames from server-controlled Content-Disposition headers without proper sanitization, allowing an attacker-controlled HTTP response to write files to...