Skip to main content

IBM Engineering Lifecycle Management CVE-2026-3603

| EUVDEUVD-2026-31952 HIGH
Improper Restriction of XML External Entity Reference (CWE-611)
2026-05-26 ibm GHSA-2589-88hx-72gf
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 10:12 vuln.today

DescriptionCVE.org

IBM Engineering Lifecycle Management 7.0.3 Interim Fix 001 through Interim Fix 021, 7.1.0 Interim Fix 001 through Interim Fix 009, and 7.2.0 and 7.2.0 Interim Fix 001 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. An authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

AnalysisAI

XML External Entity (XXE) injection in IBM Engineering Lifecycle Management (ELM) 7.0.3, 7.1.0, and 7.2.0 allows authenticated attackers to disclose sensitive information or exhaust memory resources by submitting crafted XML data to the application. The flaw carries a CVSS 7.1 (High) rating with low attack complexity over the network, but EPSS is only 0.02% (5th percentile) and there is no public exploit identified at time of analysis. SSVC classifies exploitation as 'none' with partial technical impact, indicating low immediate urgency despite the vendor-released patch.

Technical ContextAI

The vulnerability is rooted in CWE-611 (Improper Restriction of XML External Entity Reference), a class of bug in which an XML parser resolves external entities defined inside a DOCTYPE declaration without restriction. When the IBM ELM application processes attacker-supplied XML, the parser can be coerced into fetching local files, internal network resources, or expanding entities recursively to exhaust memory (billion-laughs style). The affected product, per CPE cpe:2.3:a:ibm:engineering_lifecycle_management, is IBM's integrated suite for requirements, change, and quality management across Engineering Workflow Management, DOORS Next, and related Jazz-platform components, which commonly exchange XML payloads via REST and OSLC interfaces.

RemediationAI

Apply the vendor-released patch referenced in the IBM advisory at https://www.ibm.com/support/pages/node/7274078, which addresses the affected 7.0.3, 7.1.0, and 7.2.0 Interim Fix levels - the input data confirms a patch is available from IBM but does not specify a single fixed Interim Fix number, so consult the advisory for the exact remediated build for your branch. As a compensating control until patching, restrict ELM application accounts to the minimum trusted user population (since exploitation requires authentication), audit and tighten network egress from the ELM server to prevent out-of-band data exfiltration via XXE callbacks, and monitor for unusual outbound DNS/HTTP traffic from the ELM JVM; note that disabling XML ingestion entirely is generally not feasible because OSLC and REST integrations depend on it. If your deployment uses external XML-consuming integrations, validate that those endpoints sit behind authenticated, internal-only network paths.

CVE-2023-40958 HIGH POC
8.8 Sep 15

A SQL injection vulnerability in Didotech srl Engineering & Lifecycle Management (aka pdm) v.14.0, v.15.0 and v.16.0 fix

CVE-2023-40957 HIGH POC
8.8 Sep 15

A SQL injection vulnerability in Didotech srl Engineering & Lifecycle Management (aka pdm) v.14.0, v.15.0 and v.16.0 fix

CVE-2023-40955 HIGH POC
8.8 Sep 15

A SQL injection vulnerability in Didotech srl Engineering & Lifecycle Management (aka pdm) v.14.0, v.15.0 and v.16.0 fix

CVE-2026-3660 CRITICAL
9.8 May 26

Authorization bypass in IBM Engineering Lifecycle Management (ELM) 7.0.3, 7.1.0, and 7.2.0 allows unauthenticated remote

CVE-2026-4051 HIGH
7.2 May 26

Remote code execution in IBM Engineering Lifecycle Management (ELM) versions 7.0.3 through Interim Fix 021, 7.1.0 throug

CVE-2021-20502 HIGH
7.1 Mar 30

IBM Jazz Foundation Products are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. R

CVE-2021-20371 MEDIUM
6.5 Jun 02

IBM Jazz Foundation and IBM Engineering products could allow a remote attacker to obtain sensitive information when an e

CVE-2025-36033 MEDIUM
5.4 Feb 03

Engineering Lifecycle Management versions up to 7.0.3 is affected by cross-site scripting (xss) (CVSS 5.4).

CVE-2021-29670 MEDIUM
5.4 Jun 02

IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4

CVE-2021-29668 MEDIUM
5.4 Jun 02

IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4

CVE-2021-20348 MEDIUM
5.4 Jun 02

IBM Jazz Foundation and IBM Engineering products are vulnerable to server-side request forgery (SSRF). Rated medium seve

CVE-2021-20347 MEDIUM
5.4 Jun 02

IBM Jazz Foundation and IBM Engineering products are vulnerable to server-side request forgery (SSRF). Rated medium seve

Share

CVE-2026-3603 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy