Skip to main content

Activematrix Businessworks CVE-2026-3912

| EUVDEUVD-2026-15021 HIGH
Improper Input Validation (CWE-20)
2026-03-24 tibco GHSA-cprf-3qg3-3hp4
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Mar 24, 2026 - 21:01 euvd
EUVD-2026-15021
Analysis Generated
Mar 24, 2026 - 21:01 vuln.today
CVE Published
Mar 24, 2026 - 20:44 nvd
HIGH 8.7

DescriptionCVE.org

Injection vulnerabilities due to validation/sanitisation of user-supplied input in ActiveMatrix BusinessWorks and Enterprise Administrator allows information disclosure, including exposure of accessible local files and host system details, and may allow manipulation of application behaviour.

AnalysisAI

This is an injection vulnerability affecting TIBCO ActiveMatrix BusinessWorks and Enterprise Administrator due to insufficient validation and sanitization of user-supplied input. The vulnerability allows attackers to disclose sensitive information including local files and host system details, and may enable manipulation of application behavior. No CVSS score, EPSS data, or active exploitation reports are currently available, but the vendor has issued a security advisory indicating patches are available.

Technical ContextAI

The vulnerability stems from improper input validation and sanitization mechanisms in TIBCO ActiveMatrix BusinessWorks and Enterprise Administrator platforms. The root cause falls under injection vulnerability classifications (likely CWE-94, CWE-78, or similar code injection/command injection families) where user-supplied input is not properly filtered before being processed by the application. ActiveMatrix BusinessWorks is TIBCO's business process management and integration platform, while Enterprise Administrator is the management interface for TIBCO products. The injection flaw occurs at the input handling layer, allowing attackers to inject malicious payloads that bypass validation routines and are subsequently interpreted as code or commands by the backend system. Affected products are identified via CPE strings cpe:2.3:a:tibco:activematrix_businessworks and cpe:2.3:a:tibco:enterprise_administrator, with all versions potentially in scope until patched.

RemediationAI

Apply the security patches released by TIBCO as detailed in the March 24, 2026 security advisory at https://community.tibco.com/advisories/tibco-security-advisory-march-24-2026-tibco-activematrix-businessworks-cve-2026-3912-r227/. The advisory specifies patched versions for both ActiveMatrix BusinessWorks and Enterprise Administrator; upgrade to these versions immediately. As interim controls pending patching, implement strict input validation at the application boundary by deploying a Web Application Firewall (WAF) with rules to detect and block injection payloads targeting these products. Additionally, restrict network access to ActiveMatrix BusinessWorks and Enterprise Administrator interfaces to trusted administrative ranges only, enforce strong authentication (multi-factor authentication where possible), and monitor application logs for suspicious input patterns or file access attempts that may indicate exploitation attempts.

Share

CVE-2026-3912 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy