Security Bulletin: PrismMatching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component which affects IBM watsonx.data

Summary PrismMatching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NOPROXY environment variable is set to ".example.com", a request to "::1%25.example.com:80 will incorrectly match and not be proxied. These can affect...

Security Bulletin: Using untrusted strings with .replace on Babel-compiled regex named capturing groups can lead to performance degradation, which affects IBM watsonx.data

Summary Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the .replace method that has quadratic complexity on some specific...

Security Bulletin: IBM WebSphere Application Server, which is bundled with WebSphere Remote Server, is affected by an arbitrary code execution vulnerability (CVE-2025-36038)

Summary IBM WebSphere Application Server is shipped with IBM WebSphere Remote Server. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed in the...

Security Bulletin: Apache Tomcat Path Equivalence Vulnerability Enables RCE and Information Disclosure in Versions, which affects IBM watsonx.data

Summary Path Equivalence: 'file.Name' Internal Dot leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1...

Security Bulletin: IBM Sterling Connect:Direct for Unix is vulnerable to various attacks due to IBM Runtime Environment Java Technology Edition Version 17

Summary IBM Java 17 is used by IBM Sterling Connect:Direct for UNIX in product configuration and data transmission. IBM Sterling Connect:Direct for UNIX is impacted by vulnerabilities in IBM Java 17. IBM Sterling Connect:Direct for UNIX has upgraded IBM Java 17 to address the issues. Vulnerabilit...

Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server, which is a required product for IBM Tivoli Netcool Configuration Manager (CVE-2025-36038)

Summary IBM WebSphere Application Server is a required product for IBM Tivoli Netcool Configuration Manager version 6.4.2. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security...

Security Bulletin: IBM Jazz for Service Management is vulnerable to cross-site scripting via searchWord parameter.

Summary IBM Jazz for Service Management is vulnerable to cross-site scripting, allowing malicious scripts to be executed via the searchWord parameter on the static help page CVE-2024-52892. Vulnerability Details CVEID:CVE-2024-52892 DESCRIPTION: IBM Jazz for Service Management is vulnerable to...

Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to multiple issues due to IBM Runtime Environment Java Technology Edition Version 8

Summary There are vulnerabilities in IBM Runtime Environment Java Technology Edition Version 8 used by IBM Sterling Connect:Direct for Microsoft Windows. IBM Sterling Connect:Direct for Microsoft Windows has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2025-21587 DESCRIPTION: An...

Security Bulletin: Vulnerabilities in libsoup library (CVE-2025-32050, CVE-2025-32052, CVE-2025-32053, CVE-2025-32906, CVE-2025-32911, CVE-2025-32913, CVE-2025-46420, CVE-2025-46421) affect Power HMC.

Summary The libsoup library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2025-32050 DESCRIPTION: A flaw was found in libsoup. The libsoup appendparamquoted function may contain an overflow bug resulting in a buffer...

Security Bulletin: Db2 Query Management Facility is vulnerable to IBM SDK, Java Technology Edition Quarterly CPU - Apr 2025 - Includes Oracle April 2024 CPU plus CVE-2025-4447

Summary Db2 Query Management Facility is vulnerable to IBM SDK, Java Technology Edition Quarterly CPU - Apr 2025 - Includes Oracle April 2024 CPU plus CVE-2025-4447 Vulnerability Details CVEID:CVE-2025-21587 DESCRIPTION: An unspecified vulnerability in Java SE related to the Server: DDL component...

Security Bulletin: Multiple Vulnerabilities in IBM® Runtime Environment Java™ Technology Edition affects WebSphere eXtreme Scale

Summary There are multiple vulnerabilities in IBM Runtime Environment Java Version 8 used by WebSphere eXtreme Scale. Vulnerability Details CVEID:CVE-2025-21587 DESCRIPTION: An unspecified vulnerability in Java SE related to the Server: DDL component could allow a remote attacker to cause high...

Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in httpclient5-5.4.2.jar

Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of httpclient5-5.4.2.jar Vulnerability Details CVEID:CVE-2025-27820 DESCRIPTION: A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification...

Security Bulletin: Vulnerabilities exists in IBM Netezza Analytics - NPS

Summary Vulnerabilities exist in IBM Netezza Analytics - NPS are addressed in 11.2.29 Vulnerability Details CVEID:CVE-2023-52425 DESCRIPTION: libexpat is vulnerable to a denial of service, caused by improper system resource allocation. By sending a specially crafted request using an overly large...

Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to runtime-7.24.8.tgz, runtime-7.26.0.tgz, runtime-7.26.9.tgz CVE-2025-27789

Summary IBM Maximo Application Suite - Monitor Component is vulnerable to runtime-7.24.8.tgz, runtime-7.26.0.tgz, runtime-7.26.9.tgz CVE-2025-27789. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2025-27789 DESCRIPTION: Babel is a compil...

Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in path-to-regexp-0.1.10.tgz

Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of path-to-regexp-0.1.10.tgz Vulnerability Details CVEID:CVE-2024-52798 DESCRIPTION: path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be...

Security Bulletin: IBM Sterling Connect:Direct Web Service is affected by multiple vulnerabilities due to IBM Java

Summary IBM Sterling Connect:Direct Web Service uses IBM Java SE. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2025-21587 DESCRIPTION: An unspecified vulnerability in Java SE related to the Server: DDL component could allow a remote...

Security Bulletin: IBM Sterling Connect:Direct Web Service is affected by multiple vulnerabilities due to IBM Java

Summary IBM Sterling Connect:Direct Web Service uses IBM Java SE. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2025-21587 DESCRIPTION: An unspecified vulnerability in Java SE related to the Server: DDL component could allow a remote...

Security Bulletin: Potential denial of service in X.509 name checks in OpenSSL affect Cloud Pak System [CVE-2024-6119]

Summary Potential denial of service in X.509 name checks in OpenSSL affect Cloud Pak System. Vulnerability was addressed by IBM Cloud Pak System. Vulnerability Details CVEID:CVE-2024-6119 DESCRIPTION: Issue summary: Applications performing certificate name checks e.g., TLS clients checking server...

Security Bulletin: Security vulnerabilities were found in IBM Verify Identity Access Digital Credentials (CVE-2025-48387, CVE-2025-5889)

Summary Security vulnerabilities were addressed in IBM Verify Identity Access Digital Credentials Vulnerability Details CVEID:CVE-2025-48387 DESCRIPTION: tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside...

Security Bulletin: IBM OpenPages fixes vulnerability that exposes information about workflow configuration and internal details due to insufficient access control checks

Summary Vulnerability that exposes information about workflow configuration and internal details due to insufficient access control checks in IBM OpenPages has been addressed in the latest IBM OpenPages fix pack for 9.0 version. Vulnerability Details CVEID:CVE-2025-2670 DESCRIPTION: IBM OpenPages...

Security Bulletin: IBM OpenPages express-4.21.1.tgz vulnerability fixes (CVE-2024-52798)

Summary Security vulnerabilities related to express-4.21.1.tgz have been resolved in the latest IBM OpenPages fix packs for both versions 9.0 and 8.3. Vulnerability Details CVEID:CVE-2024-52798 DESCRIPTION: path-to-regexp turns path strings into a regular expressions. In certain cases,...

Security Bulletin: IBM OpenPages API permission security fixes

Summary Security fixes for a set of APIs that allowed unprivileged users to access sensitive information have been included in the latest IBM OpenPages fix packs for both versions 9.0 and 8.3. Vulnerability Details CVEID:CVE-2025-1112 DESCRIPTION: IBM OpenPages with Watson could allow an...

Security Bulletin: IBM OpenPages encryption fixes and enhancements

Summary Multiple encryption fixes and enhancements with IBM OpenPages have been addressed in the latest IBM OpenPages fixpacks for both 9.0 and 8.3 versions. Vulnerability Details CVEID:CVE-2024-49784 DESCRIPTION: IBM OpenPages could provide weaker than expected security in storage of encrypted...

Security Bulletin: IBM OpenPages fixes cross-spawn package vulnerability

Summary Vulnerability in the cross-spawn package with IBM OpenPages has been addressed in the latest IBM OpenPages fix packs for both 9.0 and 8.3 versions. Vulnerability Details CVEID:CVE-2024-21538 DESCRIPTION: Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are...

Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server, which is a required product for IBM Tivoli Network Manager IP Edition (CVE-2025-36038)

Summary IBM WebSphere Application Server is a required product for IBM Tivoli Network Manager version 4.2. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed ...

Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2025-36038)

Summary IBM WebSphere Application Server is shipped as a component of Business Monitor. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixe...

Security Bulletin: Security Vulnerabilities in Java affect IBM Voice Gateway

Summary Security Vulnerabilities in Java affect IBM Voice Gateway Vulnerability Details CVEID:CVE-2025-21587 DESCRIPTION: An unspecified vulnerability in Java SE related to the Server: DDL component could allow a remote attacker to cause high confidentiality and high integrity impact. CWE:CWE-284...

Security Bulletin: Due to use of IBM Tivoli Monitoring , IBM Cloud Pak System is affected by multiple vulnerabilities.

Summary Multiple vulnerabilities were addressed in IBM Cloud Pak System. Vulnerability Details CVEID:CVE-2024-39573 DESCRIPTION: Apache HTTP Server is vulnerable to server-side request forgery, caused by a flaw in the modrewrite. By sending a specially crafted request, an attacker could exploit...

Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in spring-web-5.3.26.jar

Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of spring-web-5.3.26.jar Vulnerability Details CVEID:CVE-2024-22243 DESCRIPTION: Applications that use UriComponentsBuilder to parse an externally provided URL e.g. through a query parameter AND perform validation checks on t...

Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in dompurify-2.5.8.tgz

Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of dompurify-2.5.8.tgz Vulnerability Details CVEID:CVE-2025-26791 DESCRIPTION: DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting mXSS. CWE:CWE-79:...

Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in netty-common-4.1.115.Final.jar

Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of netty-common-4.1.115.Final.jar Vulnerability Details CVEID:CVE-2025-25193 DESCRIPTION: Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. ...

Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in spring-webmvc-5.3.27.jar

Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of spring-webmvc-5.3.27.jar Vulnerability Details CVEID:CVE-2024-38828 DESCRIPTION: Spring MVC controller methods with an @RequestBody byte method parameter are vulnerable to a DoS attack. CWE:CWE-400: Uncontrolled Resource...

Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in nanoid-2.1.11.tgz

Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of nanoid-2.1.11.tgz Vulnerability Details CVEID:CVE-2024-55565 DESCRIPTION: nanoid aka Nano ID before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version. CWE:CWE-835: Loop with Unreachable Exit Condition...

Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in spring-security-core-5.8.5.jar

Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of spring-security-core-5.8.5.jar Vulnerability Details CVEID:CVE-2024-38827 DESCRIPTION: The usage of String.toLowerCase and String.toUpperCase has some Locale dependent exceptions that could potentially result in...

Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in kafka-clients-3.4.0.jar

Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of kafka-clients-3.4.0.jar Vulnerability Details CVEID:CVE-2024-31141 DESCRIPTION: Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients. Apache Kafka Clients...

Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in netty-common-4.1.100.Final.jar

Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of netty-common-4.1.100.Final.jar Vulnerability Details CVEID:CVE-2024-47535 DESCRIPTION: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol...

Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in cookie-0.4.1.tgz

Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of cookie-0.4.1.tgz Vulnerability Details CVEID:CVE-2024-47764 DESCRIPTION: cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in a...

Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM Enterprise Application Runtimes, is affected by arbitrary code execution (CVE-2025-36038)

Summary IBM WebSphere Application Server, which is bundled with IBM Enterprise Application Runtimes, is affected by arbitrary code execution. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Products and Versions...

Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is affected by arbitrary code execution (CVE-2025-36038)

Summary IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is affected by arbitrary code execution. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Products and Versions|...

Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is affected by arbitrary code execution (CVE-2025-36038)

Summary IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is affected by arbitrary code execution. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Products and Versions|...

Security Bulletin: IBM Analytics Content Hub is affected by security vulnerabilities

Summary There are vulnerabilities in multiple Open Source Software OSS components consumed by IBM Analytics Content Hub. Additionally, IBM Analytics Content Hub is vulnerable to Unrestricted File Upload, Information Disclosure, Java Source Map and Verbose Messaging vulnerabilities. This Security...

Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance are vulnerable to denial of service and improper input validation [CVE-2025-3262] [CVE-2025-3263] [CVE-2025-3264] [CVE-2025-3777]

Summary Python module transformers is used by IBM App Connect Enterprise Certified Container by the mapping assistance capability. IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance are vulnerable to denial of service and improper input validatio...

Security Bulletin: IBM Financial Transaction Manager is impacted by multiple vulnerabilities in RedHat Proxy for Kubernetes RBAC authorization

Summary IBM Financial Transaction Manager for RedHat OpenShift has addressed the following vulnerabilities. Vulnerability Details CVEID:CVE-2025-22868 DESCRIPTION: An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. CWE:CWE-1286: Improper...

Security Bulletin: Multiple vulnerabilities within WebSphere Application and IBM HTTP Server, affect IBM Tivoli Monitoring.

Summary Multiple vulnerabilities within WebSphere Application and IBM HTTP Server which is included as part of IBM Tivoli Monitoring ITM portal server have been remediated. Vulnerability Details CVEID:CVE-2025-33104 DESCRIPTION: IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to...

Security Bulletin: Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering which affects IBM watsonx.data

Summary Prism aka PrismJS through 1.29.0 allows DOM Clobbering with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript, because document.currentScript lookup can be shadowed by attacker-injected HTML elements. These can affect watsonx.data. Vulnerability...

Security Bulletin: Oracle Outside In Technology (OIT) security vulnerabilities in FileNet Content Manager (FNCM) Content Based Retrieval (CBR) content indexing

Summary Oracle Outside In Technology OIT CVE-2024-45492, CVE-2024-25269, CVE-2024-36052, CVE-2023-39743 security vulnerabilities in FileNet Content Manager FNCM Content Based Retrieval CBR content indexing. Vulnerability Details CVEID:CVE-2024-45492 DESCRIPTION: libexpat could allow a local...

Security Bulletin: Apache Axis1 CVE-2023-51441 security vulnerability in FileNet Content Manager, Process Engine Process Orchestration

Summary Apache Axis1 CVE-2023-51441 security vulnerability in FileNet Content Manager, Process Engine Process Orchestration. Affected, not vulnerable Vulnerability Details CVEID:CVE-2023-51441 DESCRIPTION: Apache Axis is vulnerable to server-side request forgery, caused by a improper input...

Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in commons-io-2.8.0.jar

Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of commons-io-2.8.0.jar Vulnerability Details CVEID:CVE-2024-47554 DESCRIPTION: Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consu...

Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Security Guardium Key Lifecycle Manager (SKLM/GKLM)

Summary WebSphere Application Server is shipped as a component of IBM Security Guardium Key Lifecycle Manager SKLM/GKLM. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security bulleti...

Security Bulletin: IBM Maximo Application Suite Ai-Service Component uses an application is vulnerable to a reflected file download (RFD) attack.

Summary Security Bulletin: IBM Maximo Application Suite Ai-Service Component uses an application is vulnerable to a reflected file download RFD attack.The filename is derived from user-supplied input but sanitized by the application. Vulnerability Details CVEID:CVE-2025-41234 DESCRIPTION:...