Skip to main content

IBM

5580 CVEs vendor

Monthly

CVE-2026-4101 HIGH PATCH This Week

Authentication bypass in IBM Verify Identity Access and IBM Security Verify Access (versions 10.0-10.0.9.1 and 11.0-11.0.2, both container and non-container deployments) allows remote attackers to gain unauthorized access under specific high-load conditions without authentication. The vulnerability carries an EPSS score indicating moderate exploitation probability, with vendor patch available but no confirmed active exploitation or public proof-of-concept at time of analysis. Attack complexity is rated high (AC:H), suggesting exploitation requires specific timing or environmental conditions related to load stress.

IBM Authentication Bypass
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-4364 MEDIUM PATCH This Month

IBM Verify Identity Access Container and IBM Security Verify Access versions 10.0-10.0.9.1 and 11.0-11.0.2 return JSON payloads with incorrect Content-Type headers (text/html instead of application/json) when listing certificates via browser sessions, enabling stored or reflected cross-site scripting attacks when browsers interpret the JSON data as executable script. Authenticated users with UI interaction can trigger JavaScript injection affecting confidentiality and integrity of user sessions.

IBM XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-13855 HIGH PATCH This Week

SQL injection in IBM Storage Protect Server 8.2.0 and Storage Protect Plus Server allows authenticated remote attackers to execute arbitrary SQL commands against the back-end database, enabling unauthorized data access, modification, or deletion. The vulnerability requires low attack complexity and low-level privileges (CVSS 7.6, PR:L), making it exploitable by any authenticated user. No public exploit identified at time of analysis, though SQL injection techniques are well-documented. EPSS data not provided, but SQL injection vulnerabilities historically see moderate exploitation rates when authentication barriers are low.

IBM SQLi
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2026-2100 HIGH PATCH This Week

Denial of service in p11-kit's PKCS#11 RPC client allows a malicious remote token to trigger a NULL pointer dereference or undefined behavior in applications consuming derive-key operations. The flaw is reachable when an application calls C_DeriveKey against a remote token using IBM Kyber or IBM BTC derive mechanisms whose parameters are NULL, with the RPC client returning an uninitialized value. EPSS is low (0.10%) and no public exploit identified at time of analysis; SSVC marks exploitation as none but automatable.

IBM Denial Of Service Memory Corruption Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +4
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-36187 MEDIUM PATCH This Month

IBM Knowledge Catalog Standard Cartridge versions 5.0.0 through 5.2.1 improperly store sensitive information in log files that can be read by local privileged users. An attacker with high privileges on the affected system can access these logs to disclose confidential data without requiring user interaction. While no active exploitation in the wild or public proof-of-concept has been reported, a vendor patch is available and should be applied promptly.

IBM Information Disclosure
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-14684 MEDIUM PATCH This Month

IBM Maximo Application Suite Monitor Component versions 8.10, 8.11, 9.0, and 9.1 contain an improper neutralization vulnerability in log file handling that allows unauthorized users to inject arbitrary data into log messages. An attacker with local access can manipulate log entries to inject malicious content, potentially leading to log tampering and integrity compromise. While the CVSS score of 4.0 reflects low severity with no confidentiality or availability impact, the vulnerability requires no authentication or special privileges, making it a concern for environments with local access controls.

IBM Authentication Bypass
NVD VulDB
CVSS 3.1
4.0
EPSS
0.0%
CVE-2025-14807 MEDIUM PATCH This Month

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain an HTTP header injection vulnerability caused by improper validation of the HOST header, allowing unauthenticated remote attackers to conduct cross-site scripting (XSS), cache poisoning, and session hijacking attacks. A vendor patch is available, and while this vulnerability is not currently listed as actively exploited in CISA's Known Exploited Vulnerabilities catalog, the CVSS score of 6.5 with network accessibility and low attack complexity indicates moderate real-world risk.

XSS IBM
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1015 MEDIUM PATCH This Month

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain a server-side request forgery (SSRF) vulnerability that allows authenticated attackers to send unauthorized requests from the affected system. This could enable network enumeration, lateral movement, or facilitate secondary attacks against internal systems. The vulnerability requires valid authentication credentials but presents moderate risk with a CVSS score of 5.4 and has an available patch from IBM.

IBM SSRF
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1014 MEDIUM PATCH This Month

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain an information disclosure vulnerability caused by improper handling of JSON server responses, allowing authenticated attackers to expose sensitive data. The vulnerability requires low-complexity network access with valid credentials but does not require user interaction, making it accessible to any authenticated user with network connectivity. No evidence of active exploitation in the wild has been identified, though a patch is available from the vendor.

IBM Information Disclosure
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2483 MEDIUM PATCH This Month

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain a stored or reflected cross-site scripting (XSS) vulnerability in the Web UI that allows authenticated users to inject arbitrary JavaScript code. An attacker with valid credentials can exploit this vulnerability to alter application functionality and potentially steal session credentials or perform actions on behalf of other users within a trusted browser session. A patch is available from IBM, and the vulnerability has a CVSS score of 5.4 with moderate real-world risk due to the requirement for prior authentication and user interaction.

IBM XSS
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-64648 MEDIUM PATCH This Month

IBM Concert versions 1.0.0 through 2.2.0 transmit sensitive data in cleartext, allowing attackers to intercept and read this information via man-in-the-middle (MITM) attacks. The vulnerability affects all versions within the specified range of the IBM Concert application. An attacker positioned on the network path between a client and Concert server can eavesdrop on communications to obtain confidential information, though exploitation requires moderate attack complexity and active network positioning.

IBM Information Disclosure
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-64647 MEDIUM PATCH This Month

IBM Concert versions 1.0.0 through 2.2.0 implement cryptographic algorithms that are weaker than expected, allowing attackers to decrypt highly sensitive information without authentication. The vulnerability has a CVSS score of 5.9 with high confidentiality impact but no integrity or availability impact. A patch is available from IBM, and this represents a pure information disclosure risk affecting the confidentiality of encrypted data.

IBM Information Disclosure
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-2484 MEDIUM PATCH This Month

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain a stored or reflected cross-site scripting (XSS) vulnerability in the Web UI that allows authenticated users to inject arbitrary JavaScript code. An attacker with valid credentials can exploit this vulnerability to steal session tokens, capture credentials entered by other users, or perform actions on behalf of compromised administrators within a trusted session, potentially leading to unauthorized access to sensitive data integration and metadata management systems.

IBM XSS
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-64646 MEDIUM PATCH This Month

IBM Concert versions 1.0.0 through 2.2.0 suffer from improper buffer resource clearing that allows local attackers to read sensitive information directly from process memory without requiring privileges or user interaction. This information disclosure vulnerability (CVSS 6.2) affects IBM Concert across multiple versions and has a vendor patch available, though no evidence of active exploitation or public proof-of-concept has been reported in the provided intelligence.

IBM Information Disclosure
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-36440 MEDIUM PATCH This Month

IBM Concert versions 1.0.0 through 2.2.0 contain a missing function-level access control vulnerability that allows local users to obtain sensitive information without authentication. An attacker with local system access can bypass authorization checks to read confidential data stored within the application. While the CVSS score of 5.1 indicates moderate severity, the lack of authentication requirements and local attack vector present a meaningful risk in multi-tenant or shared system environments.

IBM Information Disclosure
NVD VulDB
CVSS 3.1
5.1
EPSS
0.0%
CVE-2025-36438 MEDIUM PATCH This Month

IBM Concert versions 1.0.0 through 2.2.0 contain an improper channel communication restriction vulnerability that allows privileged users to perform unauthorized actions by bypassing intended endpoint controls. The vulnerability, classified as CWE-923 (Improper Restriction of Communication Channel to Intended Endpoints), has a CVSS score of 5.1 with medium integrity impact and is not currently listed in CISA's Known Exploited Vulnerabilities catalog, though a vendor patch is available.

IBM Authentication Bypass
NVD VulDB
CVSS 3.1
5.1
EPSS
0.0%
CVE-2025-36422 MEDIUM PATCH This Month

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain a cross-site request forgery (CSRF) vulnerability in the DataStage Flow Designer component that allows unauthenticated attackers to trigger unauthorized state-changing actions on behalf of authenticated users. The vulnerability has a CVSS score of 4.3 with low attack complexity and no privileges required, though it requires user interaction (UI:R). A vendor patch is available, and this represents an integrity-focused attack vector rather than confidentiality or availability impact.

IBM CSRF
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-36258 HIGH PATCH This Week

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 store user credentials and other sensitive information in plain text, allowing local users to read this data. This is a high-severity information disclosure vulnerability with a CVSS score of 7.1, primarily due to the potential for complete confidentiality breach across security boundaries. A patch is available from IBM, and there is no evidence of active exploitation or public proof-of-concept at this time.

IBM Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-2485 MEDIUM PATCH This Month

IBM Infosphere Information Server versions 11.7.0.0 through 11.7.1.6 contain a stored cross-site scripting (XSS) vulnerability in the Web UI that allows privileged users to inject arbitrary JavaScript code, potentially leading to credential disclosure and session compromise. While a vendor patch is available, the attack requires high privileges and user interaction, resulting in a moderate CVSS score of 4.8. This vulnerability does not appear to have active exploitation in the wild or public proof-of-concept code, but should be prioritized for organizations running vulnerable versions in security-sensitive environments.

IBM XSS
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-14974 MEDIUM PATCH This Month

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain an Insecure Direct Object Reference (IDOR) vulnerability that allows authenticated attackers with low privileges to access sensitive information they should not be authorized to view. An attacker on the same network segment with valid user credentials can bypass authorization controls to read confidential data, though they cannot modify or delete information. A vendor patch is available, and this vulnerability should be prioritized for organizations running affected versions as it enables privilege escalation and data exfiltration within trusted network environments.

IBM Authentication Bypass
NVD VulDB
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-1262 MEDIUM PATCH This Month

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain an information disclosure vulnerability (CWE-209) that allows authenticated attackers to access sensitive information over the network without user interaction. The vulnerability has a CVSS score of 4.3 with low attack complexity and low privileges required, meaning any logged-in user can exploit it. A vendor patch is available, reducing immediate risk for organizations that can deploy updates promptly.

IBM Information Disclosure
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14917 MEDIUM PATCH This Month

IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.3 contain a vulnerability in security settings administration that could allow authenticated attackers with high privileges to bypass expected security controls and gain unauthorized access to sensitive information. The vulnerability affects a critical administrative interface and, while it requires local access and high privileges to exploit, could enable lateral privilege escalation or information disclosure within enterprise environments. No evidence of active exploitation or public proof-of-concept has been reported, but a vendor patch is available.

IBM Information Disclosure
NVD VulDB
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-14912 MEDIUM PATCH This Month

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain a server-side request forgery (SSRF) vulnerability that allows authenticated attackers to send unauthorized requests from the vulnerable system. This enables network enumeration, lateral movement, or facilitation of secondary attacks against internal or external resources. The vulnerability requires valid credentials to exploit but carries moderate real-world risk given the CVSS 5.4 score and the authenticated attack vector.

IBM SSRF
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-14915 MEDIUM PATCH This Month

IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.3 are vulnerable to privilege escalation due to improper access control (CWE-200: Information Exposure). A privileged user with existing authenticated access to the application server can exploit this vulnerability to gain additional unauthorized access to sensitive resources, potentially leading to information disclosure and integrity violations. While a CVSS score of 6.5 indicates moderate severity, the vulnerability requires high privileges to trigger (PR:H) and has no user interaction requirement, making it exploitable by insiders or compromised administrative accounts.

IBM Privilege Escalation Information Disclosure
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-14810 MEDIUM PATCH This Month

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 fail to invalidate user sessions when administrative privileges are revoked, allowing authenticated users to retain access to sensitive information they should no longer be able to access. The vulnerability affects the session management layer and requires an authenticated attacker with initial system access. A patch is available from IBM, and this represents a privilege escalation and information disclosure risk in enterprise data integration environments.

IBM Information Disclosure
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-1561 MEDIUM PATCH This Month

IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.3 contain a server-side request forgery (SSRF) vulnerability that allows authenticated remote attackers to send unauthorized requests from the vulnerable system. This exposure could enable network enumeration, internal service discovery, or facilitate secondary attacks against internal infrastructure. A patch is available from IBM, and the vulnerability requires authenticated access (PR:L) but has low attack complexity, making it a medium-priority issue for organizations running affected Liberty instances.

IBM SSRF
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-14808 LOW PATCH Monitor

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain an information disclosure vulnerability where sensitive data is exposed through HTTP GET query strings, allowing attackers with low privileges and network access to obtain confidential information via man-in-the-middle techniques. The CVSS score of 3.1 reflects low severity due to high attack complexity and limited privileges required, though the vulnerability has a patch available from IBM and represents a classic cleartext credential exposure risk in enterprise data integration platforms.

IBM Information Disclosure
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2025-14790 MEDIUM PATCH This Month

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain a credential protection vulnerability that allows authenticated attackers to extract sensitive information without requiring user interaction. An attacker with valid login credentials can exploit insufficiently protected credential storage mechanisms to obtain additional sensitive data, compromising confidentiality. A patch is available from IBM, and this vulnerability affects enterprise data integration infrastructure used by organizations managing information governance and metadata.

IBM Information Disclosure
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-12708 MEDIUM PATCH This Month

IBM Concert versions 1.0.0 through 2.2.0 contain hard-coded credentials accessible to local users, enabling unauthorized authentication bypass and potential privilege escalation. An attacker with local access can extract these credentials to gain unauthorized system access without requiring network connectivity or user interaction. This vulnerability is classified as moderate severity (CVSS 6.2) with high confidentiality impact but no direct integrity or availability impact.

IBM Authentication Bypass
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-36051 MEDIUM PATCH This Month

IBM QRadar SIEM versions 7.5.0 through 7.5.0 Update Package 14 contain an information disclosure vulnerability where sensitive configuration data is stored in plaintext or insufficiently protected files readable by unprivileged local users. An attacker with local filesystem access can read these configuration files to extract sensitive information such as credentials, API keys, or system parameters, potentially enabling lateral movement or further compromise of the SIEM infrastructure. A patch is available from IBM, and this vulnerability should be prioritized for organizations running affected QRadar versions as SIEM systems are high-value targets.

IBM Information Disclosure
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-13995 MEDIUM PATCH This Month

IBM QRadar SIEM versions 7.5.0 through 7.5.0 Update Package 14 contain a cross-tenant information disclosure vulnerability that allows an authenticated attacker with access to one tenant account to retrieve hostname data belonging to other tenants. The vulnerability has a CVSS score of 5.0 with low attack complexity and requires only user-level privileges, making it a practical risk in multi-tenant deployments. A patch is available from IBM, and there is no indication of active exploitation in the wild or public proof-of-concept code.

IBM Information Disclosure
NVD VulDB
CVSS 3.1
5.0
EPSS
0.0%
CVE-2025-15051 MEDIUM PATCH This Month

IBM QRadar SIEM contains a reflected or stored cross-site scripting (XSS) vulnerability in the Web UI that allows authenticated users to inject arbitrary JavaScript code, potentially altering system functionality and compromising the integrity of security monitoring. The vulnerability affects QRadar SIEM versions 7.5.0 through 7.5.0 Update Package 14. An attacker with valid credentials can craft malicious payloads to execute client-side code in the context of other users' sessions, leading to session hijacking, credential theft, or unauthorized configuration changes. A patch is available from IBM, and this vulnerability is not currently listed in CISA's KEV catalog, suggesting limited evidence of active exploitation in the wild at this time.

IBM XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1276 MEDIUM PATCH This Month

IBM QRadar SIEM versions 7.5.0 through 7.5.0 Update Package 14 contain a cross-site scripting (XSS) vulnerability in the Web UI that allows authenticated users to inject arbitrary JavaScript code. An attacker with valid credentials can exploit this vulnerability to alter UI functionality and potentially steal session credentials or perform actions on behalf of the victim user within their trusted session. A patch is available from the vendor, though no public exploitation toolkit or widespread active exploitation has been reported at the time of this analysis.

IBM XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1264 HIGH PATCH This Week

IBM Sterling B2B Integrator and IBM Sterling File Gateway contain an authentication bypass vulnerability that allows remote unauthenticated attackers to view and delete business partners within communities, as well as delete entire communities. Multiple versions are affected including 6.1.0.0 through 6.1.2.7_2, 6.2.0.0 through 6.2.0.5_1, 6.2.1.0 through 6.2.1.1_1, and 6.2.2.0. While the CVSS score is 7.1 (High), the vulnerability requires low attack complexity and no user interaction, making it straightforward to exploit over the network with low privileges.

IBM Authentication Bypass Sterling B2b Integrator
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-14031 HIGH PATCH This Week

IBM Sterling B2B Integrator and IBM Sterling File Gateway contain a denial-of-service vulnerability that allows an unauthenticated remote attacker to crash the application by sending a specially crafted request. The vulnerability affects multiple versions of both products (6.1.0.0 through 6.2.2.0 ranges) and has a high CVSS score of 7.5 due to its network-based attack vector requiring no authentication or user interaction. A patch is available from IBM, and there is no indication of active exploitation in the wild or public proof-of-concept availability at this time.

IBM Command Injection Sterling B2b Integrator
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-3856 MEDIUM PATCH This Month

CVE-2026-3856 is a security vulnerability (CVSS 5.3) that allows an attacker. Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Microsoft IBM Information Disclosure Db2 Recovery Expert Windows
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1376 HIGH PATCH This Week

A resource exhaustion vulnerability in IBM i 7.6 allows unauthenticated remote attackers to cause a denial of service by overwhelming the system with failed authentication attempts. The vulnerability stems from improper resource allocation during authentication processing, enabling attackers to consume system resources without valid credentials. While no active exploitation or proof-of-concept has been reported, the high CVSS score of 7.5 reflects the ease of remote exploitation without authentication.

IBM Denial Of Service
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-1267 MEDIUM PATCH This Month

IBM Planning Analytics Local versions 2.1.0 through 2.1.17 contain an improper access control vulnerability (CWE-200) that allows authenticated users to access sensitive application data and administrative functionalities beyond their authorization level. An attacker with valid credentials can leverage this flaw to read confidential planning and analytics data, escalate privileges, or access administrative functions without proper authorization. A vendor patch is available, and this represents a moderate-to-high risk for organizations running affected versions in production environments.

Authentication Bypass IBM Information Disclosure Planning Analytics Local
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-14806 MEDIUM PATCH This Month

IBM Planning Analytics Local versions 2.1.0 through 2.1.17 contain a cache poisoning vulnerability (CWE-524) where attackers can manipulate the caching mechanism to store and serve sensitive, user-specific responses as publicly cacheable resources, resulting in information disclosure to unauthorized users. The vulnerability requires low attack complexity and user interaction but only affects confidentiality with a CVSS score of 5.7. A patch is available from the vendor, and this represents a moderate-priority issue requiring prompt remediation in production environments handling sensitive analytical data.

Information Disclosure IBM Planning Analytics Local
NVD VulDB
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-0977 MEDIUM PATCH This Month

IBM CICS Transaction Gateway for Multiplatforms versions 9.3 and 10.1 contain an improper access control vulnerability (CWE-284) that allows local users to transfer or view files without authentication or authorization checks. An attacker with local system access can exploit this flaw to read sensitive data or modify files, resulting in confidentiality and integrity compromise with a CVSS base score of 5.1. This vulnerability affects a critical middleware component used in enterprise transaction processing environments.

IBM Authentication Bypass
NVD
CVSS 3.1
5.1
EPSS
0.0%
CVE-2025-13212 MEDIUM PATCH This Month

IBM Aspera Console versions 3.3.0 through 3.4.8 contain an improper rate-limiting vulnerability in the email service that allows authenticated users to trigger a denial of service condition. An attacker with valid credentials can abuse the email functionality by sending requests at excessive frequencies, exhausting service resources and rendering the email feature unavailable to legitimate users. This vulnerability requires authentication and does not provide confidentiality or integrity impact, resulting in a moderate CVSS score of 5.3.

Denial Of Service IBM Aspera Console
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-13459 LOW PATCH Monitor

IBM Aspera Console 3.3.0 through 3.4.8 could allow a privileged user to cause a denial of service due to improper enforcement of behavioral workflow.

Denial Of Service IBM
NVD VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2025-13460 MEDIUM PATCH This Month

IBM Aspera Console versions 3.3.0 through 3.4.8 contain a username enumeration vulnerability caused by observable response discrepancies in authentication mechanisms. An unauthenticated remote attacker can exploit this to enumerate valid usernames through response analysis, enabling reconnaissance for subsequent targeted attacks. With a CVSS score of 5.3 and low attack complexity, this is a low-to-moderate severity information disclosure issue suitable for standard patch management cycles rather than emergency response.

IBM Information Disclosure Aspera Console
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-36368 MEDIUM PATCH This Month

SQL injection vulnerability in IBM Sterling B2B Integrator and Sterling File Gateway that allows authenticated administrative users to execute arbitrary SQL commands against the backend database. An attacker with admin privileges can view, add, modify, or delete sensitive database information. While requiring high privileges (PR:H), the vulnerability has a CVSS score of 6.5 (Medium) due to high impact on confidentiality and integrity; no active exploitation in the wild or public POC has been reported at this time.

IBM SQLi
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2023-40693 MEDIUM PATCH This Month

This is a Stored or Reflected Cross-Site Scripting (XSS) vulnerability in IBM Sterling B2B Integrator and IBM Sterling File Gateway that allows authenticated users to inject arbitrary JavaScript code into the Web UI. An attacker with valid credentials can craft malicious payloads that execute in the context of other users' sessions, potentially leading to credential theft, session hijacking, or unauthorized actions within a trusted environment. With a CVSS score of 5.4 and requiring low attack complexity plus user interaction (clicking a malicious link), this vulnerability poses a moderate risk primarily in environments where user trust is high and credentials are valuable.

XSS IBM
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-14483 MEDIUM PATCH This Month

IBM Sterling B2B Integrator and IBM Sterling File Gateway contain an information disclosure vulnerability (CWE-201) that allows authenticated users to obtain sensitive host information through application responses, which could facilitate further attacks against the system. The vulnerability affects versions 6.1.0.0 through 6.2.2.0 across multiple minor version branches, with a CVSS score of 4.3 indicating low severity but meaningful confidentiality impact. While the CVSS score is moderate, the requirement for authentication and lack of active exploitation reporting (KEV status unknown) suggest this is a lower-priority vulnerability compared to unauthenticated remote code execution issues, though it remains a valid security concern requiring patching.

Information Disclosure IBM
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14504 MEDIUM PATCH This Month

This is a stored cross-site scripting (XSS) vulnerability in IBM Sterling B2B Integrator and IBM Sterling File Gateway that allows authenticated users to inject arbitrary JavaScript into the Web UI, potentially compromising session security and enabling credential theft. The vulnerability affects versions 6.1.0.0 through 6.2.2.0 across multiple minor version ranges, and while not yet listed as actively exploited in known vulnerability databases, the authentication requirement and UI-based attack surface present a moderate real-world risk for enterprises running these B2B integration platforms.

XSS IBM
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-0835 MEDIUM PATCH This Month

This is a stored or reflected cross-site scripting (XSS) vulnerability in IBM Sterling B2B Integrator and IBM Sterling File Gateway that allows authenticated users to inject arbitrary JavaScript code into the Web UI, potentially compromising credentials and session integrity. The vulnerability affects versions 6.1.0.0 through 6.2.2.0 across multiple release lines. While the CVSS score of 5.4 is moderate and exploitation requires authenticated access, the ability to alter UI functionality and exfiltrate credentials within a trusted session poses a real insider threat risk.

XSS IBM
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-13702 MEDIUM PATCH This Month

IBM Sterling Partner Engagement Manager versions 6.2.3.0-6.2.3.5 and 6.2.4.0-6.2.4.2 contain a stored or reflected cross-site scripting (XSS) vulnerability in the Web UI that allows authenticated users to inject arbitrary JavaScript code. An attacker with valid credentials can alter application functionality and potentially exfiltrate sensitive data (including credentials) from trusted user sessions. A patch is available from IBM; exploitation requires user interaction (UI:R) but no elevated privileges.

XSS IBM
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-13718 LOW PATCH Monitor

IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow a remote attacker to obtain sensitive information in cleartext in a communication channel that can be sniffed by unauthorized actors.

Information Disclosure IBM
NVD VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2025-13723 MEDIUM PATCH This Month

IBM Sterling Partner Engagement Manager versions 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 contain an authentication bypass vulnerability that allows unauthenticated attackers to extract sensitive user information by leveraging expired access tokens over the network without requiring special privileges or user interaction. The vulnerability has a CVSS score of 5.3 with low attack complexity, meaning exploitation is straightforward and requires no special conditions, though the impact is limited to confidentiality breaches with no integrity or availability compromise.

Information Disclosure IBM Sterling Partner Engagement Manager
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-13726 MEDIUM PATCH This Month

IBM Sterling Partner Engagement Manager versions 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 contain an information disclosure vulnerability where detailed technical error messages are returned to remote attackers without authentication, exposing sensitive system information that can be leveraged for reconnaissance and follow-up attacks. With a CVSS score of 5.3 and low attack complexity requiring no privileges, this vulnerability poses a moderate risk as an information gathering vector in multi-stage attack campaigns, though direct exploitation impact is limited to confidentiality.

Information Disclosure IBM Sterling Partner Engagement Manager
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-14811 LOW PATCH Monitor

IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow an attacker to obtain sensitive information from the query string of an HTTP GET method to process a request which could be obtained using man in...

Information Disclosure IBM
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2025-13213 MEDIUM This Month

Aspera Orchestrator versions up to 4.1.2 contains a vulnerability that allows attackers to conduct various attacks against the vulnerable system, including cross-site scri (CVSS 5.4).

IBM XSS Aspera Orchestrator
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-2713 HIGH This Week

IBM Trusteer Rapport 3.5.2309.290 contains an insecure DLL search path vulnerability that allows local attackers to execute arbitrary code by planting a malicious file in a compromised directory. The attack requires local system access but no user interaction or elevated privileges, making it exploitable by any local user. No patch is currently available for this high-severity vulnerability.

IBM RCE
NVD VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2025-36227 MEDIUM This Month

Aspera Faspex versions up to 5.0.14.3 contains a vulnerability that allows attackers to conduct various attacks against the vulnerable system, including cross-site scri (CVSS 5.4).

IBM XSS Aspera Faspex
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-36226 MEDIUM This Month

IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. [CVSS 5.4 MEDIUM]

IBM XSS Aspera Faspex
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-13219 MEDIUM This Month

Aspera Orchestrator versions up to 4.1.2 contains a vulnerability that allows attackers to information disclosure if unauthorized parties have access to the URLs via serve (CVSS 5.9).

IBM Information Disclosure Aspera Orchestrator
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-36105 MEDIUM This Month

IBM Planning Analytics Advanced Certified Containers 3.1.0 versions up to 3.1.4 contains a vulnerability that allows attackers to a local privileged user to obtain sensitive information from environment variabl (CVSS 4.4).

IBM Information Disclosure
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1713 MEDIUM This Month

Improper use of cryptographic functions in IBM MQ versions 9.1 through 9.4 allows local attackers with user privileges to modify message integrity through user interaction. The vulnerability affects multiple LTS and CD releases across the supported product line, with no patch currently available. An attacker could manipulate messages in transit to alter their content without detection.

IBM Mq
NVD
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-1567 HIGH This Week

Infosphere Information Server versions up to 11.7.1.6 is affected by improper restriction of xml external entity reference (CVSS 7.1).

IBM XXE Infosphere Information Server
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-14480 MEDIUM This Month

Aspera Faspio Gateway versions up to 1.3.6 is affected by use of a broken or risky cryptographic algorithm (CVSS 5.1).

IBM Aspera Faspio Gateway
NVD
CVSS 3.1
5.1
EPSS
0.0%
CVE-2025-14456 MEDIUM This Month

Mq Appliance versions up to 9.4.4.0 is affected by use of a broken or risky cryptographic algorithm (CVSS 5.9).

IBM Mq Appliance
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-13688 MEDIUM This Month

IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 could allow an authenticated user to execute arbitrary commands with normal user privileges on the system due to improper validation of user supplied input through the wrapped command component. [CVSS 6.3 MEDIUM]

IBM Datastage On Cloud Pak For Data
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-13687 MEDIUM This Month

IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 could allow an authenticated user to execute arbitrary commands with normal user privileges on the system due to improper validation of user supplied input through the user-defined function component. [CVSS 6.3 MEDIUM]

IBM Datastage On Cloud Pak For Data
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-13686 MEDIUM This Month

IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 could allow an authenticated user to execute arbitrary commands with normal user privileges on the system due to improper validation of user supplied input through the job subroutine component. [CVSS 6.3 MEDIUM]

IBM Datastage On Cloud Pak For Data
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-2606 MEDIUM This Month

Improper input validation in IBM webMethods API Gateway and API Management allows authenticated attackers to read arbitrary files on the server by supplying a file:// URI to the /createapi endpoint instead of the expected https:// schema. Affected versions include webMethods API Gateway 10.11 through 11.1_Fix7 and webMethods API Management on-premises installations. No patch is currently available for this medium-severity vulnerability.

IBM Webmethods Api Gateway
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-1265 MEDIUM This Month

Infosphere Information Server versions up to 11.7.1.6 is affected by insertion of sensitive information into log file (CVSS 4.3).

IBM Infosphere Information Server
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-36364 MEDIUM This Month

IBM DevOps Plan 3.0.0 through 3.0.5 allows web page cache to be stored locally which can be read by another user on the system. [CVSS 6.2 MEDIUM]

IBM Devops Plan
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-36363 MEDIUM This Month

Devops Plan versions up to 3.0.5 is affected by improper restriction of excessive authentication attempts (CVSS 5.9).

IBM Devops Plan
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-14923 MEDIUM This Month

Websphere Application Server versions up to 26.0.0.2 is affected by use of hard-coded cryptographic key (CVSS 4.7).

IBM Websphere Application Server
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2025-14604 MEDIUM This Month

IBM Storage Scale IBM S through rage Scale 5.2.3.0 - 5.2.3.5, and IBM S through rage Scale 6.0.0.0 - 6.0.0.1 could allow a local user to unintentionally trigger additional permissions for resources in a way that allows that resource to be executed by unintended actors. [CVSS 6.6 MEDIUM]

IBM Storage Scale
NVD
CVSS 3.1
6.6
EPSS
0.0%
CVE-2025-13734 MEDIUM This Month

Engineering Requirements Management Doors Next versions up to 7.1 is affected by missing authorization (CVSS 5.4).

IBM Engineering Requirements Management Doors Next
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-13616 MEDIUM This Month

IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 returns sensitive information in an HTTP response that could be used in further attacks against the system. [CVSS 6.5 MEDIUM]

IBM Datastage On Cloud Pak For Data
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-13490 MEDIUM This Month

IBM App Connect Operator versions CD 11.3.0 through 11.6.0 and 12.1.0 through 12.20.0, LTS versions 12.0.0 through 12.0.20, and IBM App Connect Enterprise Certified Containers Operands versions CD 12.0.11.2‑r1 through 12.0.12.5‑r1 and 13.0.1.0‑r1 through 13.0.6.1‑r1, and LTS versions 12.0.12‑r1 through 12.0.12‑r20, contain a vulnerability in which the IBM App Connect Enterprise Certified Container transmits data in clear text, potentially allowing an attacker to intercept and obtain sensitive...

IBM App Connect Enterprise Certified Containers Operands App Connect Operator
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-13689 HIGH This Week

Datastage On Cloud Pak For Data is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

IBM Datastage On Cloud Pak For Data
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-13333 MEDIUM This Month

IBM WebSphere Application Server 9.0, and 8.5 could provide weaker than expected security during system administration of security settings. [CVSS 4.4 MEDIUM]

IBM Websphere Application Server
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-36348 MEDIUM This Month

Sterling B2B Integrator versions up to 6.1.2.7 is affected by error message information leak (CVSS 4.9).

IBM Sterling B2b Integrator Sterling File Gateway
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-36183 LOW Monitor

Watsonx.Data versions up to 2.2.1 is affected by unrestricted upload of file with dangerous type (CVSS 3.8).

IBM
NVD
CVSS 3.1
3.8
EPSS
0.0%
CVE-2025-33135 MEDIUM This Month

IBM Financial Transaction Manager for ACH Services and Check Services for Multi-Platform 3.0.0.0 versions up to 3.0.5.4 is affected by cross-site scripting (xss) (CVSS 6.1).

IBM XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-33088 HIGH This Week

Concert versions up to 2.1.0 is affected by incorrect permission assignment for critical resource (CVSS 7.4).

IBM Concert
NVD
CVSS 3.1
7.4
EPSS
0.0%
CVE-2023-38005 MEDIUM This Month

IBM Cloud Pak System 2.3.3.6, 2.3.3.7, 2.3.4.0, 2.3.4.1, and 2.3.5.0 could allow an authenticated user to perform unauthorized tasks due to improper access controls. [CVSS 4.3 MEDIUM]

IBM Cloud Pak System
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-36377 MEDIUM This Month

IBM Security QRadar EDR 3.12 through 3.12.23 does not invalidate session after a session expiration which could allow an authenticated user to impersonate another user on the system. [CVSS 6.3 MEDIUM]

IBM Qradar Edr
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-36376 MEDIUM This Month

Security Qradar Edr versions up to 3.12.23 is affected by insufficient session expiration (CVSS 6.3).

IBM Security Qradar Edr
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-14289 MEDIUM This Month

IBM webMethods Integration Server 12.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. [CVSS 5.4 MEDIUM]

IBM Webmethods Integration Server
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-13691 HIGH This Week

IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 returns sensitive information in an HTTP response that could be used to impersonate other users in the system. [CVSS 8.1 HIGH]

IBM Datastage On Cloud Pak For Data
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-36243 MEDIUM This Month

IBM Concert 1.0.0 through 2.1.0 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. [CVSS 5.4 MEDIUM]

IBM SSRF Concert
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-33130 MEDIUM This Month

IBM DB2 Merge Backup for Linux, UNIX and Windows 12.1.0.0 could allow an authenticated user to cause the program to crash due to a buffer being overwritten when it is allocated on the stack. [CVSS 6.5 MEDIUM]

IBM Linux Windows Denial Of Service Db2 Merge Backup
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-33124 MEDIUM This Month

Db2 Merge Backup versions up to 12.1.0.0 is affected by incorrect calculation of buffer size (CVSS 6.5).

IBM Linux Windows Denial Of Service Db2 Merge Backup
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-33101 MEDIUM This Month

Concert versions up to 2.1.0 contains a vulnerability that allows attackers to obtain sensitive information using man in the middle techniques due to improper (CVSS 5.9).

IBM Concert
NVD
CVSS 3.1
5.9
EPSS
0.0%
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Authentication bypass in IBM Verify Identity Access and IBM Security Verify Access (versions 10.0-10.0.9.1 and 11.0-11.0.2, both container and non-container deployments) allows remote attackers to gain unauthorized access under specific high-load conditions without authentication. The vulnerability carries an EPSS score indicating moderate exploitation probability, with vendor patch available but no confirmed active exploitation or public proof-of-concept at time of analysis. Attack complexity is rated high (AC:H), suggesting exploitation requires specific timing or environmental conditions related to load stress.

IBM Authentication Bypass
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

IBM Verify Identity Access Container and IBM Security Verify Access versions 10.0-10.0.9.1 and 11.0-11.0.2 return JSON payloads with incorrect Content-Type headers (text/html instead of application/json) when listing certificates via browser sessions, enabling stored or reflected cross-site scripting attacks when browsers interpret the JSON data as executable script. Authenticated users with UI interaction can trigger JavaScript injection affecting confidentiality and integrity of user sessions.

IBM XSS
NVD
EPSS 0% CVSS 7.6
HIGH PATCH This Week

SQL injection in IBM Storage Protect Server 8.2.0 and Storage Protect Plus Server allows authenticated remote attackers to execute arbitrary SQL commands against the back-end database, enabling unauthorized data access, modification, or deletion. The vulnerability requires low attack complexity and low-level privileges (CVSS 7.6, PR:L), making it exploitable by any authenticated user. No public exploit identified at time of analysis, though SQL injection techniques are well-documented. EPSS data not provided, but SQL injection vulnerabilities historically see moderate exploitation rates when authentication barriers are low.

IBM SQLi
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in p11-kit's PKCS#11 RPC client allows a malicious remote token to trigger a NULL pointer dereference or undefined behavior in applications consuming derive-key operations. The flaw is reachable when an application calls C_DeriveKey against a remote token using IBM Kyber or IBM BTC derive mechanisms whose parameters are NULL, with the RPC client returning an uninitialized value. EPSS is low (0.10%) and no public exploit identified at time of analysis; SSVC marks exploitation as none but automatable.

IBM Denial Of Service Memory Corruption +6
NVD GitHub VulDB
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

IBM Knowledge Catalog Standard Cartridge versions 5.0.0 through 5.2.1 improperly store sensitive information in log files that can be read by local privileged users. An attacker with high privileges on the affected system can access these logs to disclose confidential data without requiring user interaction. While no active exploitation in the wild or public proof-of-concept has been reported, a vendor patch is available and should be applied promptly.

IBM Information Disclosure
NVD VulDB
EPSS 0% CVSS 4.0
MEDIUM PATCH This Month

IBM Maximo Application Suite Monitor Component versions 8.10, 8.11, 9.0, and 9.1 contain an improper neutralization vulnerability in log file handling that allows unauthorized users to inject arbitrary data into log messages. An attacker with local access can manipulate log entries to inject malicious content, potentially leading to log tampering and integrity compromise. While the CVSS score of 4.0 reflects low severity with no confidentiality or availability impact, the vulnerability requires no authentication or special privileges, making it a concern for environments with local access controls.

IBM Authentication Bypass
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain an HTTP header injection vulnerability caused by improper validation of the HOST header, allowing unauthenticated remote attackers to conduct cross-site scripting (XSS), cache poisoning, and session hijacking attacks. A vendor patch is available, and while this vulnerability is not currently listed as actively exploited in CISA's Known Exploited Vulnerabilities catalog, the CVSS score of 6.5 with network accessibility and low attack complexity indicates moderate real-world risk.

XSS IBM
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain a server-side request forgery (SSRF) vulnerability that allows authenticated attackers to send unauthorized requests from the affected system. This could enable network enumeration, lateral movement, or facilitate secondary attacks against internal systems. The vulnerability requires valid authentication credentials but presents moderate risk with a CVSS score of 5.4 and has an available patch from IBM.

IBM SSRF
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain an information disclosure vulnerability caused by improper handling of JSON server responses, allowing authenticated attackers to expose sensitive data. The vulnerability requires low-complexity network access with valid credentials but does not require user interaction, making it accessible to any authenticated user with network connectivity. No evidence of active exploitation in the wild has been identified, though a patch is available from the vendor.

IBM Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain a stored or reflected cross-site scripting (XSS) vulnerability in the Web UI that allows authenticated users to inject arbitrary JavaScript code. An attacker with valid credentials can exploit this vulnerability to alter application functionality and potentially steal session credentials or perform actions on behalf of other users within a trusted browser session. A patch is available from IBM, and the vulnerability has a CVSS score of 5.4 with moderate real-world risk due to the requirement for prior authentication and user interaction.

IBM XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

IBM Concert versions 1.0.0 through 2.2.0 transmit sensitive data in cleartext, allowing attackers to intercept and read this information via man-in-the-middle (MITM) attacks. The vulnerability affects all versions within the specified range of the IBM Concert application. An attacker positioned on the network path between a client and Concert server can eavesdrop on communications to obtain confidential information, though exploitation requires moderate attack complexity and active network positioning.

IBM Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

IBM Concert versions 1.0.0 through 2.2.0 implement cryptographic algorithms that are weaker than expected, allowing attackers to decrypt highly sensitive information without authentication. The vulnerability has a CVSS score of 5.9 with high confidentiality impact but no integrity or availability impact. A patch is available from IBM, and this represents a pure information disclosure risk affecting the confidentiality of encrypted data.

IBM Information Disclosure
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain a stored or reflected cross-site scripting (XSS) vulnerability in the Web UI that allows authenticated users to inject arbitrary JavaScript code. An attacker with valid credentials can exploit this vulnerability to steal session tokens, capture credentials entered by other users, or perform actions on behalf of compromised administrators within a trusted session, potentially leading to unauthorized access to sensitive data integration and metadata management systems.

IBM XSS
NVD GitHub VulDB
EPSS 0% CVSS 6.2
MEDIUM PATCH This Month

IBM Concert versions 1.0.0 through 2.2.0 suffer from improper buffer resource clearing that allows local attackers to read sensitive information directly from process memory without requiring privileges or user interaction. This information disclosure vulnerability (CVSS 6.2) affects IBM Concert across multiple versions and has a vendor patch available, though no evidence of active exploitation or public proof-of-concept has been reported in the provided intelligence.

IBM Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

IBM Concert versions 1.0.0 through 2.2.0 contain a missing function-level access control vulnerability that allows local users to obtain sensitive information without authentication. An attacker with local system access can bypass authorization checks to read confidential data stored within the application. While the CVSS score of 5.1 indicates moderate severity, the lack of authentication requirements and local attack vector present a meaningful risk in multi-tenant or shared system environments.

IBM Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

IBM Concert versions 1.0.0 through 2.2.0 contain an improper channel communication restriction vulnerability that allows privileged users to perform unauthorized actions by bypassing intended endpoint controls. The vulnerability, classified as CWE-923 (Improper Restriction of Communication Channel to Intended Endpoints), has a CVSS score of 5.1 with medium integrity impact and is not currently listed in CISA's Known Exploited Vulnerabilities catalog, though a vendor patch is available.

IBM Authentication Bypass
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain a cross-site request forgery (CSRF) vulnerability in the DataStage Flow Designer component that allows unauthenticated attackers to trigger unauthorized state-changing actions on behalf of authenticated users. The vulnerability has a CVSS score of 4.3 with low attack complexity and no privileges required, though it requires user interaction (UI:R). A vendor patch is available, and this represents an integrity-focused attack vector rather than confidentiality or availability impact.

IBM CSRF
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 store user credentials and other sensitive information in plain text, allowing local users to read this data. This is a high-severity information disclosure vulnerability with a CVSS score of 7.1, primarily due to the potential for complete confidentiality breach across security boundaries. A patch is available from IBM, and there is no evidence of active exploitation or public proof-of-concept at this time.

IBM Information Disclosure
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

IBM Infosphere Information Server versions 11.7.0.0 through 11.7.1.6 contain a stored cross-site scripting (XSS) vulnerability in the Web UI that allows privileged users to inject arbitrary JavaScript code, potentially leading to credential disclosure and session compromise. While a vendor patch is available, the attack requires high privileges and user interaction, resulting in a moderate CVSS score of 4.8. This vulnerability does not appear to have active exploitation in the wild or public proof-of-concept code, but should be prioritized for organizations running vulnerable versions in security-sensitive environments.

IBM XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain an Insecure Direct Object Reference (IDOR) vulnerability that allows authenticated attackers with low privileges to access sensitive information they should not be authorized to view. An attacker on the same network segment with valid user credentials can bypass authorization controls to read confidential data, though they cannot modify or delete information. A vendor patch is available, and this vulnerability should be prioritized for organizations running affected versions as it enables privilege escalation and data exfiltration within trusted network environments.

IBM Authentication Bypass
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain an information disclosure vulnerability (CWE-209) that allows authenticated attackers to access sensitive information over the network without user interaction. The vulnerability has a CVSS score of 4.3 with low attack complexity and low privileges required, meaning any logged-in user can exploit it. A vendor patch is available, reducing immediate risk for organizations that can deploy updates promptly.

IBM Information Disclosure
NVD VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.3 contain a vulnerability in security settings administration that could allow authenticated attackers with high privileges to bypass expected security controls and gain unauthorized access to sensitive information. The vulnerability affects a critical administrative interface and, while it requires local access and high privileges to exploit, could enable lateral privilege escalation or information disclosure within enterprise environments. No evidence of active exploitation or public proof-of-concept has been reported, but a vendor patch is available.

IBM Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain a server-side request forgery (SSRF) vulnerability that allows authenticated attackers to send unauthorized requests from the vulnerable system. This enables network enumeration, lateral movement, or facilitation of secondary attacks against internal or external resources. The vulnerability requires valid credentials to exploit but carries moderate real-world risk given the CVSS 5.4 score and the authenticated attack vector.

IBM SSRF
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.3 are vulnerable to privilege escalation due to improper access control (CWE-200: Information Exposure). A privileged user with existing authenticated access to the application server can exploit this vulnerability to gain additional unauthorized access to sensitive resources, potentially leading to information disclosure and integrity violations. While a CVSS score of 6.5 indicates moderate severity, the vulnerability requires high privileges to trigger (PR:H) and has no user interaction requirement, making it exploitable by insiders or compromised administrative accounts.

IBM Privilege Escalation Information Disclosure
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 fail to invalidate user sessions when administrative privileges are revoked, allowing authenticated users to retain access to sensitive information they should no longer be able to access. The vulnerability affects the session management layer and requires an authenticated attacker with initial system access. A patch is available from IBM, and this represents a privilege escalation and information disclosure risk in enterprise data integration environments.

IBM Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.3 contain a server-side request forgery (SSRF) vulnerability that allows authenticated remote attackers to send unauthorized requests from the vulnerable system. This exposure could enable network enumeration, internal service discovery, or facilitate secondary attacks against internal infrastructure. A patch is available from IBM, and the vulnerability requires authenticated access (PR:L) but has low attack complexity, making it a medium-priority issue for organizations running affected Liberty instances.

IBM SSRF
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain an information disclosure vulnerability where sensitive data is exposed through HTTP GET query strings, allowing attackers with low privileges and network access to obtain confidential information via man-in-the-middle techniques. The CVSS score of 3.1 reflects low severity due to high attack complexity and limited privileges required, though the vulnerability has a patch available from IBM and represents a classic cleartext credential exposure risk in enterprise data integration platforms.

IBM Information Disclosure
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain a credential protection vulnerability that allows authenticated attackers to extract sensitive information without requiring user interaction. An attacker with valid login credentials can exploit insufficiently protected credential storage mechanisms to obtain additional sensitive data, compromising confidentiality. A patch is available from IBM, and this vulnerability affects enterprise data integration infrastructure used by organizations managing information governance and metadata.

IBM Information Disclosure
NVD VulDB
EPSS 0% CVSS 6.2
MEDIUM PATCH This Month

IBM Concert versions 1.0.0 through 2.2.0 contain hard-coded credentials accessible to local users, enabling unauthorized authentication bypass and potential privilege escalation. An attacker with local access can extract these credentials to gain unauthorized system access without requiring network connectivity or user interaction. This vulnerability is classified as moderate severity (CVSS 6.2) with high confidentiality impact but no direct integrity or availability impact.

IBM Authentication Bypass
NVD VulDB
EPSS 0% CVSS 6.2
MEDIUM PATCH This Month

IBM QRadar SIEM versions 7.5.0 through 7.5.0 Update Package 14 contain an information disclosure vulnerability where sensitive configuration data is stored in plaintext or insufficiently protected files readable by unprivileged local users. An attacker with local filesystem access can read these configuration files to extract sensitive information such as credentials, API keys, or system parameters, potentially enabling lateral movement or further compromise of the SIEM infrastructure. A patch is available from IBM, and this vulnerability should be prioritized for organizations running affected QRadar versions as SIEM systems are high-value targets.

IBM Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

IBM QRadar SIEM versions 7.5.0 through 7.5.0 Update Package 14 contain a cross-tenant information disclosure vulnerability that allows an authenticated attacker with access to one tenant account to retrieve hostname data belonging to other tenants. The vulnerability has a CVSS score of 5.0 with low attack complexity and requires only user-level privileges, making it a practical risk in multi-tenant deployments. A patch is available from IBM, and there is no indication of active exploitation in the wild or public proof-of-concept code.

IBM Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

IBM QRadar SIEM contains a reflected or stored cross-site scripting (XSS) vulnerability in the Web UI that allows authenticated users to inject arbitrary JavaScript code, potentially altering system functionality and compromising the integrity of security monitoring. The vulnerability affects QRadar SIEM versions 7.5.0 through 7.5.0 Update Package 14. An attacker with valid credentials can craft malicious payloads to execute client-side code in the context of other users' sessions, leading to session hijacking, credential theft, or unauthorized configuration changes. A patch is available from IBM, and this vulnerability is not currently listed in CISA's KEV catalog, suggesting limited evidence of active exploitation in the wild at this time.

IBM XSS
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

IBM QRadar SIEM versions 7.5.0 through 7.5.0 Update Package 14 contain a cross-site scripting (XSS) vulnerability in the Web UI that allows authenticated users to inject arbitrary JavaScript code. An attacker with valid credentials can exploit this vulnerability to alter UI functionality and potentially steal session credentials or perform actions on behalf of the victim user within their trusted session. A patch is available from the vendor, though no public exploitation toolkit or widespread active exploitation has been reported at the time of this analysis.

IBM XSS
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

IBM Sterling B2B Integrator and IBM Sterling File Gateway contain an authentication bypass vulnerability that allows remote unauthenticated attackers to view and delete business partners within communities, as well as delete entire communities. Multiple versions are affected including 6.1.0.0 through 6.1.2.7_2, 6.2.0.0 through 6.2.0.5_1, 6.2.1.0 through 6.2.1.1_1, and 6.2.2.0. While the CVSS score is 7.1 (High), the vulnerability requires low attack complexity and no user interaction, making it straightforward to exploit over the network with low privileges.

IBM Authentication Bypass Sterling B2b Integrator
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

IBM Sterling B2B Integrator and IBM Sterling File Gateway contain a denial-of-service vulnerability that allows an unauthenticated remote attacker to crash the application by sending a specially crafted request. The vulnerability affects multiple versions of both products (6.1.0.0 through 6.2.2.0 ranges) and has a high CVSS score of 7.5 due to its network-based attack vector requiring no authentication or user interaction. A patch is available from IBM, and there is no indication of active exploitation in the wild or public proof-of-concept availability at this time.

IBM Command Injection Sterling B2b Integrator
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

CVE-2026-3856 is a security vulnerability (CVSS 5.3) that allows an attacker. Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Microsoft IBM Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A resource exhaustion vulnerability in IBM i 7.6 allows unauthenticated remote attackers to cause a denial of service by overwhelming the system with failed authentication attempts. The vulnerability stems from improper resource allocation during authentication processing, enabling attackers to consume system resources without valid credentials. While no active exploitation or proof-of-concept has been reported, the high CVSS score of 7.5 reflects the ease of remote exploitation without authentication.

IBM Denial Of Service
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

IBM Planning Analytics Local versions 2.1.0 through 2.1.17 contain an improper access control vulnerability (CWE-200) that allows authenticated users to access sensitive application data and administrative functionalities beyond their authorization level. An attacker with valid credentials can leverage this flaw to read confidential planning and analytics data, escalate privileges, or access administrative functions without proper authorization. A vendor patch is available, and this represents a moderate-to-high risk for organizations running affected versions in production environments.

Authentication Bypass IBM Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

IBM Planning Analytics Local versions 2.1.0 through 2.1.17 contain a cache poisoning vulnerability (CWE-524) where attackers can manipulate the caching mechanism to store and serve sensitive, user-specific responses as publicly cacheable resources, resulting in information disclosure to unauthorized users. The vulnerability requires low attack complexity and user interaction but only affects confidentiality with a CVSS score of 5.7. A patch is available from the vendor, and this represents a moderate-priority issue requiring prompt remediation in production environments handling sensitive analytical data.

Information Disclosure IBM Planning Analytics Local
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

IBM CICS Transaction Gateway for Multiplatforms versions 9.3 and 10.1 contain an improper access control vulnerability (CWE-284) that allows local users to transfer or view files without authentication or authorization checks. An attacker with local system access can exploit this flaw to read sensitive data or modify files, resulting in confidentiality and integrity compromise with a CVSS base score of 5.1. This vulnerability affects a critical middleware component used in enterprise transaction processing environments.

IBM Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

IBM Aspera Console versions 3.3.0 through 3.4.8 contain an improper rate-limiting vulnerability in the email service that allows authenticated users to trigger a denial of service condition. An attacker with valid credentials can abuse the email functionality by sending requests at excessive frequencies, exhausting service resources and rendering the email feature unavailable to legitimate users. This vulnerability requires authentication and does not provide confidentiality or integrity impact, resulting in a moderate CVSS score of 5.3.

Denial Of Service IBM Aspera Console
NVD VulDB
EPSS 0% CVSS 2.7
LOW PATCH Monitor

IBM Aspera Console 3.3.0 through 3.4.8 could allow a privileged user to cause a denial of service due to improper enforcement of behavioral workflow.

Denial Of Service IBM
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

IBM Aspera Console versions 3.3.0 through 3.4.8 contain a username enumeration vulnerability caused by observable response discrepancies in authentication mechanisms. An unauthenticated remote attacker can exploit this to enumerate valid usernames through response analysis, enabling reconnaissance for subsequent targeted attacks. With a CVSS score of 5.3 and low attack complexity, this is a low-to-moderate severity information disclosure issue suitable for standard patch management cycles rather than emergency response.

IBM Information Disclosure Aspera Console
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

SQL injection vulnerability in IBM Sterling B2B Integrator and Sterling File Gateway that allows authenticated administrative users to execute arbitrary SQL commands against the backend database. An attacker with admin privileges can view, add, modify, or delete sensitive database information. While requiring high privileges (PR:H), the vulnerability has a CVSS score of 6.5 (Medium) due to high impact on confidentiality and integrity; no active exploitation in the wild or public POC has been reported at this time.

IBM SQLi
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

This is a Stored or Reflected Cross-Site Scripting (XSS) vulnerability in IBM Sterling B2B Integrator and IBM Sterling File Gateway that allows authenticated users to inject arbitrary JavaScript code into the Web UI. An attacker with valid credentials can craft malicious payloads that execute in the context of other users' sessions, potentially leading to credential theft, session hijacking, or unauthorized actions within a trusted environment. With a CVSS score of 5.4 and requiring low attack complexity plus user interaction (clicking a malicious link), this vulnerability poses a moderate risk primarily in environments where user trust is high and credentials are valuable.

XSS IBM
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

IBM Sterling B2B Integrator and IBM Sterling File Gateway contain an information disclosure vulnerability (CWE-201) that allows authenticated users to obtain sensitive host information through application responses, which could facilitate further attacks against the system. The vulnerability affects versions 6.1.0.0 through 6.2.2.0 across multiple minor version branches, with a CVSS score of 4.3 indicating low severity but meaningful confidentiality impact. While the CVSS score is moderate, the requirement for authentication and lack of active exploitation reporting (KEV status unknown) suggest this is a lower-priority vulnerability compared to unauthenticated remote code execution issues, though it remains a valid security concern requiring patching.

Information Disclosure IBM
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

This is a stored cross-site scripting (XSS) vulnerability in IBM Sterling B2B Integrator and IBM Sterling File Gateway that allows authenticated users to inject arbitrary JavaScript into the Web UI, potentially compromising session security and enabling credential theft. The vulnerability affects versions 6.1.0.0 through 6.2.2.0 across multiple minor version ranges, and while not yet listed as actively exploited in known vulnerability databases, the authentication requirement and UI-based attack surface present a moderate real-world risk for enterprises running these B2B integration platforms.

XSS IBM
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

This is a stored or reflected cross-site scripting (XSS) vulnerability in IBM Sterling B2B Integrator and IBM Sterling File Gateway that allows authenticated users to inject arbitrary JavaScript code into the Web UI, potentially compromising credentials and session integrity. The vulnerability affects versions 6.1.0.0 through 6.2.2.0 across multiple release lines. While the CVSS score of 5.4 is moderate and exploitation requires authenticated access, the ability to alter UI functionality and exfiltrate credentials within a trusted session poses a real insider threat risk.

XSS IBM
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

IBM Sterling Partner Engagement Manager versions 6.2.3.0-6.2.3.5 and 6.2.4.0-6.2.4.2 contain a stored or reflected cross-site scripting (XSS) vulnerability in the Web UI that allows authenticated users to inject arbitrary JavaScript code. An attacker with valid credentials can alter application functionality and potentially exfiltrate sensitive data (including credentials) from trusted user sessions. A patch is available from IBM; exploitation requires user interaction (UI:R) but no elevated privileges.

XSS IBM
NVD VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow a remote attacker to obtain sensitive information in cleartext in a communication channel that can be sniffed by unauthorized actors.

Information Disclosure IBM
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

IBM Sterling Partner Engagement Manager versions 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 contain an authentication bypass vulnerability that allows unauthenticated attackers to extract sensitive user information by leveraging expired access tokens over the network without requiring special privileges or user interaction. The vulnerability has a CVSS score of 5.3 with low attack complexity, meaning exploitation is straightforward and requires no special conditions, though the impact is limited to confidentiality breaches with no integrity or availability compromise.

Information Disclosure IBM Sterling Partner Engagement Manager
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

IBM Sterling Partner Engagement Manager versions 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 contain an information disclosure vulnerability where detailed technical error messages are returned to remote attackers without authentication, exposing sensitive system information that can be leveraged for reconnaissance and follow-up attacks. With a CVSS score of 5.3 and low attack complexity requiring no privileges, this vulnerability poses a moderate risk as an information gathering vector in multi-stage attack campaigns, though direct exploitation impact is limited to confidentiality.

Information Disclosure IBM Sterling Partner Engagement Manager
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow an attacker to obtain sensitive information from the query string of an HTTP GET method to process a request which could be obtained using man in...

Information Disclosure IBM
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Aspera Orchestrator versions up to 4.1.2 contains a vulnerability that allows attackers to conduct various attacks against the vulnerable system, including cross-site scri (CVSS 5.4).

IBM XSS Aspera Orchestrator
NVD VulDB
EPSS 0% CVSS 7.4
HIGH This Week

IBM Trusteer Rapport 3.5.2309.290 contains an insecure DLL search path vulnerability that allows local attackers to execute arbitrary code by planting a malicious file in a compromised directory. The attack requires local system access but no user interaction or elevated privileges, making it exploitable by any local user. No patch is currently available for this high-severity vulnerability.

IBM RCE
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Aspera Faspex versions up to 5.0.14.3 contains a vulnerability that allows attackers to conduct various attacks against the vulnerable system, including cross-site scri (CVSS 5.4).

IBM XSS Aspera Faspex
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. [CVSS 5.4 MEDIUM]

IBM XSS Aspera Faspex
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

Aspera Orchestrator versions up to 4.1.2 contains a vulnerability that allows attackers to information disclosure if unauthorized parties have access to the URLs via serve (CVSS 5.9).

IBM Information Disclosure Aspera Orchestrator
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

IBM Planning Analytics Advanced Certified Containers 3.1.0 versions up to 3.1.4 contains a vulnerability that allows attackers to a local privileged user to obtain sensitive information from environment variabl (CVSS 4.4).

IBM Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.0
MEDIUM This Month

Improper use of cryptographic functions in IBM MQ versions 9.1 through 9.4 allows local attackers with user privileges to modify message integrity through user interaction. The vulnerability affects multiple LTS and CD releases across the supported product line, with no patch currently available. An attacker could manipulate messages in transit to alter their content without detection.

IBM Mq
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Infosphere Information Server versions up to 11.7.1.6 is affected by improper restriction of xml external entity reference (CVSS 7.1).

IBM XXE Infosphere Information Server
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Aspera Faspio Gateway versions up to 1.3.6 is affected by use of a broken or risky cryptographic algorithm (CVSS 5.1).

IBM Aspera Faspio Gateway
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Mq Appliance versions up to 9.4.4.0 is affected by use of a broken or risky cryptographic algorithm (CVSS 5.9).

IBM Mq Appliance
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 could allow an authenticated user to execute arbitrary commands with normal user privileges on the system due to improper validation of user supplied input through the wrapped command component. [CVSS 6.3 MEDIUM]

IBM Datastage On Cloud Pak For Data
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 could allow an authenticated user to execute arbitrary commands with normal user privileges on the system due to improper validation of user supplied input through the user-defined function component. [CVSS 6.3 MEDIUM]

IBM Datastage On Cloud Pak For Data
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 could allow an authenticated user to execute arbitrary commands with normal user privileges on the system due to improper validation of user supplied input through the job subroutine component. [CVSS 6.3 MEDIUM]

IBM Datastage On Cloud Pak For Data
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper input validation in IBM webMethods API Gateway and API Management allows authenticated attackers to read arbitrary files on the server by supplying a file:// URI to the /createapi endpoint instead of the expected https:// schema. Affected versions include webMethods API Gateway 10.11 through 11.1_Fix7 and webMethods API Management on-premises installations. No patch is currently available for this medium-severity vulnerability.

IBM Webmethods Api Gateway
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Infosphere Information Server versions up to 11.7.1.6 is affected by insertion of sensitive information into log file (CVSS 4.3).

IBM Infosphere Information Server
NVD
EPSS 0% CVSS 6.2
MEDIUM This Month

IBM DevOps Plan 3.0.0 through 3.0.5 allows web page cache to be stored locally which can be read by another user on the system. [CVSS 6.2 MEDIUM]

IBM Devops Plan
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Devops Plan versions up to 3.0.5 is affected by improper restriction of excessive authentication attempts (CVSS 5.9).

IBM Devops Plan
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

Websphere Application Server versions up to 26.0.0.2 is affected by use of hard-coded cryptographic key (CVSS 4.7).

IBM Websphere Application Server
NVD VulDB
EPSS 0% CVSS 6.6
MEDIUM This Month

IBM Storage Scale IBM S through rage Scale 5.2.3.0 - 5.2.3.5, and IBM S through rage Scale 6.0.0.0 - 6.0.0.1 could allow a local user to unintentionally trigger additional permissions for resources in a way that allows that resource to be executed by unintended actors. [CVSS 6.6 MEDIUM]

IBM Storage Scale
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Engineering Requirements Management Doors Next versions up to 7.1 is affected by missing authorization (CVSS 5.4).

IBM Engineering Requirements Management Doors Next
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 returns sensitive information in an HTTP response that could be used in further attacks against the system. [CVSS 6.5 MEDIUM]

IBM Datastage On Cloud Pak For Data
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

IBM App Connect Operator versions CD 11.3.0 through 11.6.0 and 12.1.0 through 12.20.0, LTS versions 12.0.0 through 12.0.20, and IBM App Connect Enterprise Certified Containers Operands versions CD 12.0.11.2‑r1 through 12.0.12.5‑r1 and 13.0.1.0‑r1 through 13.0.6.1‑r1, and LTS versions 12.0.12‑r1 through 12.0.12‑r20, contain a vulnerability in which the IBM App Connect Enterprise Certified Container transmits data in clear text, potentially allowing an attacker to intercept and obtain sensitive...

IBM App Connect Enterprise Certified Containers Operands App Connect Operator
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Datastage On Cloud Pak For Data is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

IBM Datastage On Cloud Pak For Data
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

IBM WebSphere Application Server 9.0, and 8.5 could provide weaker than expected security during system administration of security settings. [CVSS 4.4 MEDIUM]

IBM Websphere Application Server
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

Sterling B2B Integrator versions up to 6.1.2.7 is affected by error message information leak (CVSS 4.9).

IBM Sterling B2b Integrator Sterling File Gateway
NVD
EPSS 0% CVSS 3.8
LOW Monitor

Watsonx.Data versions up to 2.2.1 is affected by unrestricted upload of file with dangerous type (CVSS 3.8).

IBM
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

IBM Financial Transaction Manager for ACH Services and Check Services for Multi-Platform 3.0.0.0 versions up to 3.0.5.4 is affected by cross-site scripting (xss) (CVSS 6.1).

IBM XSS
NVD
EPSS 0% CVSS 7.4
HIGH This Week

Concert versions up to 2.1.0 is affected by incorrect permission assignment for critical resource (CVSS 7.4).

IBM Concert
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

IBM Cloud Pak System 2.3.3.6, 2.3.3.7, 2.3.4.0, 2.3.4.1, and 2.3.5.0 could allow an authenticated user to perform unauthorized tasks due to improper access controls. [CVSS 4.3 MEDIUM]

IBM Cloud Pak System
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

IBM Security QRadar EDR 3.12 through 3.12.23 does not invalidate session after a session expiration which could allow an authenticated user to impersonate another user on the system. [CVSS 6.3 MEDIUM]

IBM Qradar Edr
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

Security Qradar Edr versions up to 3.12.23 is affected by insufficient session expiration (CVSS 6.3).

IBM Security Qradar Edr
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

IBM webMethods Integration Server 12.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. [CVSS 5.4 MEDIUM]

IBM Webmethods Integration Server
NVD
EPSS 0% CVSS 8.1
HIGH This Week

IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 returns sensitive information in an HTTP response that could be used to impersonate other users in the system. [CVSS 8.1 HIGH]

IBM Datastage On Cloud Pak For Data
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

IBM Concert 1.0.0 through 2.1.0 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. [CVSS 5.4 MEDIUM]

IBM SSRF Concert
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

IBM DB2 Merge Backup for Linux, UNIX and Windows 12.1.0.0 could allow an authenticated user to cause the program to crash due to a buffer being overwritten when it is allocated on the stack. [CVSS 6.5 MEDIUM]

IBM Linux Windows +2
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Db2 Merge Backup versions up to 12.1.0.0 is affected by incorrect calculation of buffer size (CVSS 6.5).

IBM Linux Windows +2
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Concert versions up to 2.1.0 contains a vulnerability that allows attackers to obtain sensitive information using man in the middle techniques due to improper (CVSS 5.9).

IBM Concert
NVD
Prev Page 3 of 62 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy