Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
IBM Engineering Lifecycle Management 7.0.3 ( through ) Interim Fix 021, 7.1.0 ( through ) Interim Fix 009, and 7.2.0 ( through ) Interim Fix 001 could allow an attacker with administrative privileges to execute remote code due to exposed method that is not properly restricted.
AnalysisAI
Remote code execution in IBM Engineering Lifecycle Management (ELM) versions 7.0.3 through Interim Fix 021, 7.1.0 through Interim Fix 009, and 7.2.0 through Interim Fix 001 allows an attacker with administrative privileges to execute arbitrary code via an exposed method that is not properly restricted (CWE-749). At time of analysis there is no public exploit identified and EPSS is very low (0.01%), but the SSVC technical impact is rated total, making this a high-impact post-authentication issue against ELM administrators. IBM has published a patch advisory and CVSS is 7.2 (AV:N/AC:L/PR:H/UI:N/C:H/I:H/A:H).
Technical ContextAI
IBM Engineering Lifecycle Management is an enterprise application lifecycle and requirements management suite (formerly Rational/Jazz-based products such as DOORS Next, Engineering Workflow Management, Engineering Test Management) typically deployed on WebSphere Liberty/Jazz Team Server stacks. CWE-749 (Exposed Dangerous Method or Function) indicates that an internal administrative or management method was reachable through the application's interface without sufficient restrictions, allowing an authenticated administrator to invoke functionality that crosses the boundary into arbitrary code execution on the server. The CPE cpe:2.3:a:ibm:engineering_lifecycle_management:*:*:*:*:*:*:*:* confirms the affected product family without narrowing further at the version level, so the EUVD/IBM-supplied version ranges are the authoritative scoping source.
RemediationAI
Apply the patch available per vendor advisory at https://www.ibm.com/support/pages/node/7274077, upgrading beyond Interim Fix 021 on 7.0.3, beyond Interim Fix 009 on 7.1.0, and beyond Interim Fix 001 on 7.2.0 (exact fixed Interim Fix designations should be taken from the IBM support page, which is the authoritative source). Until the patch is rolled out, treat ELM administrator accounts as Tier-0: enforce MFA on all admin logins, restrict administrative console access to a dedicated jump-host or VPN segment rather than exposing it to the corporate network, audit and reduce the membership of ELM administrative groups, and monitor application and OS-level logs on the Jazz Team Server for unexpected process creation by the WebSphere/Liberty service account - the trade-off is operational friction for administrators and additional logging volume, with no functional loss to end users.
A SQL injection vulnerability in Didotech srl Engineering & Lifecycle Management (aka pdm) v.14.0, v.15.0 and v.16.0 fix
A SQL injection vulnerability in Didotech srl Engineering & Lifecycle Management (aka pdm) v.14.0, v.15.0 and v.16.0 fix
A SQL injection vulnerability in Didotech srl Engineering & Lifecycle Management (aka pdm) v.14.0, v.15.0 and v.16.0 fix
Authorization bypass in IBM Engineering Lifecycle Management (ELM) 7.0.3, 7.1.0, and 7.2.0 allows unauthenticated remote
XML External Entity (XXE) injection in IBM Engineering Lifecycle Management (ELM) 7.0.3, 7.1.0, and 7.2.0 allows authent
IBM Jazz Foundation Products are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. R
IBM Jazz Foundation and IBM Engineering products could allow a remote attacker to obtain sensitive information when an e
Engineering Lifecycle Management versions up to 7.0.3 is affected by cross-site scripting (xss) (CVSS 5.4).
IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4
IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4
IBM Jazz Foundation and IBM Engineering products are vulnerable to server-side request forgery (SSRF). Rated medium seve
IBM Jazz Foundation and IBM Engineering products are vulnerable to server-side request forgery (SSRF). Rated medium seve
Same weakness CWE-749 – Exposed Dangerous Method or Function
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31951
GHSA-p33w-c5h4-h687