Security Bulletin: Vulnerability in pip package affects IBM Db2 Data Management Console(CVE-2019-20916)
Summary pip dependency package is used by IBM Db2 Data Management Console. This bulletin describes the upgrades necessary to address the vulnerability. Vulnerability Details CVEID:CVE-2019-20916 DESCRIPTION: The pip package before 19.2 for Python allows Directory Traversal when a URL is given in...
Security Bulletin: Werkzeug Multipart Parser Denial of Service via Malformed File Upload
Summary Werkzeug is a comprehensive WSGI web application library. If an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on...
Security Bulletin: IBM Sterling Connect:Direct Web Services vulnerable to spring-security-core-6.4.3.jar (CVE-2025-41232)
Summary IBM Sterling Connect:Direct Web Services is vulnerable to a Protection Mechanism Failure in Spring Security v6.4.3. This has been addressed in new fixpacks available from Fix Central. Vulnerability Details CVEID:CVE-2025-41232 DESCRIPTION: Spring Security Aspects may not correctly locate...
Security Bulletin: Werkzeug < 3.0.6 - Multipart Form Data Parsing Resource Exhaustion Vulnerability
Summary Werkzeug is a Web Server Gateway Interface web application library. Applications using werkzeug.formparser.MultiPartParser corresponding to a version of Werkzeug prior to 3.0.6 to parse multipart/form-data requests e.g. all flask applications are vulnerable to a relatively simple but...
Security Bulletin: RabbitMQ HTTP API Vulnerability Allows Authenticated DoS via Large Message Payloads
Summary RabbitMQ is a multi-protocol messaging and streaming broker. The HTTP API did not enforce an HTTP request body limit, making it vulnerable to denial of service (DoS) attacks with very large messages. An authenticated user with sufficient credentials can publish very large messages over the...
Security Bulletin: IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is affected by arbitrary code execution
Summary IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is affected by arbitrary code execution (CVE-2025-36038). Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Products| Versions...
Security Bulletin: Jinja Template Sandbox Escape via Indirect str.format Execution Prior to 3.1.5
Summary Jinja is an extensible templating engine. Prior to 3.1.5, an oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control...
Security Bulletin: Mongoose Improper Handling of Nested $where in populate() Match Allows Search Injection
Summary Mongoose improper handling of nested $where in populate match allows search injection due to incomplete fix for CVE-2024-53900. Vulnerability Details CVEID:CVE-2025-23061 DESCRIPTION: Mongoose before 8.9.5 can improperly use a nested $where filter with a populate match, leading to search...
Security Bulletin: IBM App Connect Enterprise Certified Container Dashboard operands are vulnerable to loss of confidentiality [CVE-2025-6545] [CVE-2025-6547]
Summary Node.js module pbkdf2 is used by IBM App Connect Enterprise Certified Container when accessing BAR files stored in COS S3 storage. IBM App Connect Enterprise Certified Container Dashboard operands that access BAR files stored in COS S3 storage are vulnerable to loss of confidentiality. Th...
Security Bulletin: IBM App Connect Enterprise is vulnerable to Remote Code Execution and improper preservation of permissions due to jsonpath-plus & snowflake-sdk (CVE-2025-1302 & CVE-2025-24791)
Summary IBM App Connect Enterprise runtime, IBM App Connect Enterprise Discovery Connectors and IBM App Connect Enterprise Connector Discovery and OpenAPI Editor are vulnerable to Remote Code Execution RCE and improper preservation of permissions due to jsonpath-plus & snowflake-sdk. Vulnerabilit...
Security Bulletin: IBM InfoSphere Information Server is vulnerable to SQL injection (CVE-2025-0966)
Summary A SQL injection vulnerability in IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2025-0966 DESCRIPTION: IBM InfoSphere Information Server vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the...
Security Bulletin: IBM InfoSphere DataStage Flow Designer is vulnerable due to cleartext transmission of sensitive information (CVE-2025-36034)
Summary A disclosure of sensitive information vulnerability in InfoSphere DataStage Flow Designer was addressed. Vulnerability Details CVEID:CVE-2025-36034 DESCRIPTION: IBM InfoSphere DataStage Flow Designer discloses sensitive user information in API requests in clear text that could be...
Security Bulletin: Vulnerability has been identified in WebSphere Application Server shipped with WebSphere Service Registry and Repository (CVE-2025-36038)
Summary WebSphere Application Server is shipped as a component of WebSphere Service Registry and Repository. Information about an arbitrary code execution vulnerability affecting WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security...
Security Bulletin: IBM Cloud Transformation Advisor is affected by multiple vulnerabilities found in Java and Node.js
Summary There are multiple vulnerabilities in Java and Node.js used by IBM Cloud Transformation Advisor. Vulnerability Details CVEID:CVE-2025-48997 DESCRIPTION: Multer is a node.js middleware for handling multipart/form-data. A vulnerability that is present starting in version 1.4.4-lts.1 and pri...
Security Bulletin: AIX is vulnerable to denial of service and possible code execution due to Perl (CVE-2024-8176, CVE-2024-56406)
Summary Vulnerability in AIX's Perl could allow an attacker to cause a denial of service and possibly execute code CVE-2024-8176, CVE-2024-56406. AIX uses Perl in various operating system components. Vulnerability Details CVEID:CVE-2024-8176 DESCRIPTION: A stack overflow vulnerability exists in t...
Security Bulletin: IBM QRadar Hub for IBM QRadar SIEM is vulnerable to using a component with known vulnerabilities (CVE-2025-27152)
Summary The product includes vulnerable components e.g., framework libraries that may be identified and exploited with automated tools. IBM QRadar Hub for IBM QRadar SIEM has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2025-27152 DESCRIPTION: axios is a promise based HTTP clien...
Security Bulletin: IBM QRadar Deployment Intelligence app for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities (CVE-2025-27152, CVE-2025-27789)
Summary The product includes vulnerable components e.g., framework libraries that may be identified and exploited with automated tools. IBM QRadar Deployment Intelligence app for IBM QRadar SIEM has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2025-27152 DESCRIPTION: axios is a...
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms
Summary Multiple vulnerabilities in IBM SDK Java Technology Edition, Version 8 used by IBM Tivoli System Automation for Multiplatforms. These issues were disclosed as part of the IBM Java SDK updates in April 2025. Vulnerability Details CVEID:CVE-2025-21587 DESCRIPTION: An unspecified vulnerabili...
Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus for z/OS are vulnerable to multiple vulnerabilities in IBM Java SDK (CVE-2025-21587, CVE-2025-30698 & CVE-2025-4447)
Summary There are multiple vulnerabilities in IBM Java SDK, Java Technology Edition used by IBM App Connect Enterprise and IBM Integration Bus for z/OS. Vulnerability Details CVEID:CVE-2025-21587 DESCRIPTION: An unspecified vulnerability in Java SE related to the Server: DDL component could allo...
Security Bulletin: There is a vulnerability in prism-1.28.0.js used by IBM Maximo Asset Management application (CVE-2024-53382)
Summary There is a vulnerability in prism-1.28.0.js used by IBM Maximo Asset Management application (CVE-2024-53382). Vulnerability Details CVEID:CVE-2024-53382 DESCRIPTION: Prism aka PrismJS through 1.29.0 allows DOM Clobbering with resultant XSS for untrusted input that contains HTML but does not...
Security Bulletin: There is a vulnerability in flask-3.1.0-py3-none-any.whl used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2025-47278)
Summary There is a vulnerability in flask-3.1.0-py3-none-any.whl used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2025-47278 DESCRIPTION: Flask is a web server gateway interface WSGI web application framework. In Flask 3.1.0, the way fallback...
Security Bulletin: There is a vulnerability in poi-ooxml-5.3.0.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2025-31672)
Summary There is a vulnerability in poi-ooxml-5.3.0.jar used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2025-31672 DESCRIPTION: Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files like...
Security Bulletin: Multiple vulnerabilities in IBM Cloud Pak for Multicloud Management
Summary Multiple vulnerabilities in IBM Cloud Pak for Multicloud Management have been delivered in 2.3 FP11 Vulnerability Details CVEID:CVE-2024-54467 DESCRIPTION: A cookie management issue was addressed with improved state management. This issue is fixed in watchOS 11, macOS Sequoia 15, Safari 1...
Security Bulletin: IBM Maximo Application Suite - Manage Component uses vite-5.4.12.tgz which is vulnerable to CVE-2025-31486
Summary IBM Maximo Application Suite - Manage Component uses vite-5.4.12.tgz, which is vulnerable to CVE-2025-31486. This bulletin contains information regarding the vulnerability and its fix. Vulnerability Details CVEID:CVE-2025-31486 DESCRIPTION: Vite is a frontend tooling...
Security Bulletin: Multiple vulnerabilities in IBM Db2 may affect IBM Storage Protect Server.
Summary IBM Storage Protect Server uses IBM Db2 and may be affected by multiple vulnerabilities which could lead to denial of service, remote code execution or loss of confidentiality, integrity or availability. CVE-2023-39976, CVE-2023-40373, CVE-2023-40372, CVE-2023-30987, CVE-2023-38719,...
Security Bulletin: Fusion Data Foundation is vulnerable to CVE-2022-25883 in emver-5.7.1.tgz, semver-6.3.0.tgz, semver-7.3.8.tgz
Summary emver-5.7.1.tgz, semver-6.3.0.tgz and semver-7.3.8.tgz are used by Fusion Data Foundation in management-console. This bulletin identifies the steps to take to address the vulnerability CVE-2022-25883 in IBM Storage Fusion Data Foundation. Vulnerability Details CVEID:CVE-2022-25883 DESCRIPTION...
Security Bulletin: IBM Storage Fusion Data Foundation is vulnerable to nodejs in the management console (CVE-2021-3807)
Summary Node.js is used by IBM Storage Fusion Data Foundation in the management console and is vulnerable to a denial of service. This bulletin identifies the steps to take to address the vulnerability in IBM Storage Fusion Data Foundation. CVE-2021-3807. Vulnerability Details CVEID:CVE-2021-3807...
Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affect IBM Storage Protect Server
Summary Multiple vulnerabilities exist in IBM® SDK Java™ Technology Edition, Version 8, which is used by IBM Storage Protect Server. CVE-2024-21235, CVE-2024-21217, CVE-2024-21210, CVE-2024-21208, CVE-2024-10917. Vulnerability Details CVEID:CVE-2024-21235 DESCRIPTION: Vulnerability in Java SE...
Security Bulletin: IBM Storage Fusion Data Foundation is affected by DoS caused by specially crafted regex or prototype pollution flaw (CVE-2022-37599, CVE-2022-37603, CVE-2022-37601)
Summary IBM Storage Fusion Data Foundation is used by IBM Storage Fusion Data Foundation. The application server accepts input, and a crafted regex can cause a denial of service. CVE-2022-37599, CVE-2022-37603, CVE-2022-37601. Vulnerability Details CVEID:CVE-2022-37599 DESCRIPTION:...
Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affect IBM Storage Server (CVE-2025-1470, CVE-2025-1471).
Summary IBM Storage Protect Server is affected by multiple vulnerabilities in the IBM® SDK Java™ Technology Edition, Version 8. These vulnerabilities could potentially affect OpenJ9 internal ASCII to EBCDIC string wrapper on z/OS. Vulnerability Details CVEID:CVE-2025-1470 DESCRIPTION: In Eclipse...
Security Bulletin: IBM Storage Fusion Data Foundation is vulnerable to CVE-2025-27144 in different components
Summary Go is used by IBM Storage Fusion Data Foundation in csi-dirver, odf-cli-container, ocs-operator-container, msc-operator-container, odf-multicluster-operator-container, rook-ceph-operator and ocs-metrics-exporter-container as part of CVE-2025-27144. This bulletin identifies the steps to ta...
Security Bulletin: IBM Storage Protect Server is susceptible to vulnerabilities due to golang-JWT (CVE-2024-51744)
Summary Golang JWT is used by the IBM Storage Protect Server OSSM and Object Agent component. The vulnerabilities in the product component have been addressed. Vulnerability Details CVEID:CVE-2024-51744 DESCRIPTION: golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of th...
Security Bulletin: Denial of service vulnerability in IBM WebSphere Application Server Liberty affects IBM Storage Protect Operations Center (CVE-2025-23184).
Summary IBM Storage Protect Operations Center is affected by denial of service due to Apache CXF used by IBM WebSphere Application Server Liberty. Vulnerability Details CVEID:CVE-2025-23184 DESCRIPTION: A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10...
Security Bulletin: Denial of service vulnerability in IBM WebSphere Application Server Liberty affects IBM Storage Protect Operations Center (CVE-2024-47535).
Summary IBM Storage Protect Operations Center is affected by denial of service due to Netty used by IBM WebSphere Application Server Liberty. Vulnerability Details CVEID:CVE-2024-47535 DESCRIPTION: Netty is an asynchronous event-driven network application framework for rapid development of...
Security Bulletin: IBM Storage Fusion Data Foundation is vulnerable to CVE-2025-22150 in undici-6.20.1
Summary undici-6.20.1 is used by IBM Storage Fusion Data Foundation in management-console. This bulletin identifies the steps to take to address the vulnerability CVE-2025-22150 in IBM Storage Fusion Data Foundation. Vulnerability Details CVEID:CVE-2025-22150 DESCRIPTION: Undici is an HTTP/1.1...
Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affect IBM Storage Protect Operations Center (CVE-2025-1470, CVE-2025-1471).
Summary IBM Storage Protect Operations Center is affected by multiple vulnerabilities in the IBM® SDK Java™ Technology Edition, Version 8. These vulnerabilities could potentially affect OpenJ9 internal ASCII to EBCDIC string wrapper on z/OS. Vulnerability Details CVEID:CVE-2025-1470 DESCRIPTION: ...
Security Bulletin: Denial of service vulnerability in IBM WebSphere Application Server Liberty affects IBM Storage Protect Operations Center (CVE-2025-25193).
Summary IBM Storage Protect Operations Center is affected by denial of service due to Netty used by IBM WebSphere Application Server Liberty. Vulnerability Details CVEID:CVE-2025-25193 DESCRIPTION: Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions...
Security Bulletin: IBM Storage Fusion Data Foundation is vulnerable to a denial of service via Node.js braces module (CVE-2024-4068)
Summary Node.js braces module is used by IBM Storage Fusion Data Foundation and is affected by CVE-2024-4068, which may lead to denial of service. This bulletin identifies the steps to take to address the vulnerability in IBM Storage Fusion Data Foundation. Vulnerability Details CVEID:CVE-2024-4068...
Security Bulletin: IBM Storage Fusion Data Foundation is vulnerable to CVE-2024-4067 in micromatch-4.0.4
Summary micromatch-4.0.4 is used by IBM Storage Fusion Data Foundation in management-console. This bulletin identifies the steps to take to address the vulnerability CVE-2024-4067 in IBM Storage Fusion Data Foundation. Vulnerability Details CVEID:CVE-2024-4067 DESCRIPTION: The NPM package...
Security Bulletin: IBM Storage Fusion Data Foundation is vulnerable to CVE-2022-46175
Summary JSON5 is used by IBM Storage Fusion Data Foundation in the management-console and could allow a remote authenticated attacker to execute arbitrary code on the system as part of CVE-2022-46175. This bulletin identifies the steps to take to address the vulnerability in IBM Storage Fusion Dat...
Security Bulletin: IBM Storage Fusion Data Foundation may be affected by a vulnerability in SSH servers for FTP (CVE-2025-22869)
Summary A vulnerability in SSH servers that implement file transfer protocols can be exploited to cause denial of service (DoS). The vulnerability may affect the product IBM Storage Fusion Data Foundation. CVE-2025-22869. Vulnerability Details CVEID:CVE-2025-22869 DESCRIPTION: SSH servers which implement...
Security Bulletin: IBM Storage Fusion is affected by exposure of information through cross-site scripting or data queries (CVE-2023-45288, CVE-2023-3978)
Summary IBM Storage Fusion Data Foundation uses HTTP to communicate. This bulletin identifies the steps to take to address the vulnerability in IBM Storage Fusion Data Foundation. CVE-2023-45288, CVE-2023-3978. Vulnerability Details CVEID:CVE-2023-45288 DESCRIPTION: An attacker may cause an HTTP/...
Security Bulletin: IBM Storage Fusion Data Foundation is vulnerable to CWE in management-console (CVE-2021-44906)
Summary IBM Storage Fusion Data Foundation is affected in management-console. This bulletin identifies the steps to take to address the vulnerability in IBM Storage Fusion Data Foundation. CVE-2021-44906. Vulnerability Details CVEID:CVE-2021-44906 DESCRIPTION: Node.js Minimist module could allow ...
Security Bulletin: IBM Storage Fusion Data Foundation is vulnerable to minimatch in management-console (CVE-2022-3517)
Summary minimatch package is used by IBM Storage Fusion Data Foundation in management-console. The product may be vulnerable to DOS by calling the braceExpand function with specific arguments. This bulletin identifies the steps to take to address the vulnerability in IBM Storage Fusion Data...
Security Bulletin: IBM WebSphere Application Server is affected by arbitrary code execution (CVE-2025-36038)
Summary IBM WebSphere Application Server is affected by arbitrary code execution. Vulnerability Details CVEID:CVE-2025-36038 DESCRIPTION: IBM WebSphere Application Server could allow a remote attacker to execute arbitrary code on the system with a specially crafted sequence of serialized objects...
Security Bulletin: Multiple Vulnerabilities in IBM CloudPak for AIOps
Summary Multiple vulnerabilities were addressed in IBM Cloud Pak for AIOps version 4.10.0 Vulnerability Details CVEID:CVE-2025-46727 DESCRIPTION: Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, Rack::QueryParser parses query strings and...
Security Bulletin: IBM Maximo Application Suite - Manage Component uses vite-5.4.18.tgz CVE-2025-46565 vulnerability
Summary IBM Maximo Application Suite - Manage Component uses vite-5.4.18.tgz, which is vulnerable to CVE-2025-46565. This bulletin contains information regarding the vulnerability and its fix. Vulnerability Details CVEID:CVE-2025-46565 DESCRIPTION: Vite is a frontend tooling framework for javascrip...
Security Bulletin: IBM Jazz for Service Management is vulnerable due to Apache ActiveMQ Jolokia Remote Code Execution
Summary IBM Jazz for Service Management is vulnerable due to Apache ActiveMQ Jolokia Remote Code Execution (CVE-2022-41678). Vulnerability Details CVEID:CVE-2022-41678 DESCRIPTION: Once a user is authenticated on Jolokia, he can potentially trigger arbitrary code execution. In detail, in ActiveMQ...
Security Bulletin: IBM Jazz for Service Management is vulnerable due to Apache ActiveMQ Memory Allocation with Excessive Size Value vulnerability
Summary IBM Jazz for Service Management is vulnerable due to Apache ActiveMQ Memory Allocation with Excessive Size Value vulnerability (CVE-2025-27533). Vulnerability Details CVEID:CVE-2025-27533 DESCRIPTION: Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ. During...
Security Bulletin: IBM Maximo Application Suite - Manage Component uses commons-io: 2.7 which is vulnerable to CVE-2024-47554
Summary IBM Maximo Application Suite - Manage Component uses commons-io 2.7, which is vulnerable to CVE-2024-47554. This bulletin contains information regarding the vulnerability and its fix. Vulnerability Details CVEID:CVE-2024-47554 DESCRIPTION: Uncontrolled Resource...