Skip to main content

Watsonx Data Intelligence

10 CVEs product

Monthly

CVE-2025-12530 MEDIUM PATCH This Month

Cleartext data transmission in IBM watsonx.data intelligence versions 5.2.2 through 5.3.1 (including patch-1) exposes sensitive information to network interception by a man-in-the-middle adversary. The platform transmits certain data without encryption, enabling an attacker positioned on the network path to capture confidential content in transit. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified; however, the CVSS High confidentiality impact (C:H) signals that the interceptable data is substantively sensitive, likely including queries, credentials, or intelligence payloads.

IBM Information Disclosure Watsonx Data Intelligence
NVD
CVSS 3.1
5.9
EPSS
0.2%
CVE-2025-36319 MEDIUM PATCH This Month

Temporary denial of service in IBM watsonx.data intelligence 5.2.0 through 5.3.0 is achievable by authenticated users who submit specially crafted HTTP requests, exploiting improper resource throttling allocation (CWE-770). The impact is limited to availability - confidentiality and integrity are unaffected - and the disruption is described as temporary rather than persistent. No public exploit code or active exploitation has been identified at the time of analysis.

IBM Denial Of Service Watsonx Data Intelligence
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2025-36320 MEDIUM PATCH This Month

Stored cross-site scripting in IBM watsonx.data intelligence versions 5.2.0 through 5.3.0 allows authenticated low-privileged users to inject persistent JavaScript into the Web UI, which then executes within the browser sessions of other authenticated users visiting the affected page. The CVSS scope change (S:C) confirms the payload crosses the security boundary from the attacker's session into victims' sessions, enabling credential harvesting within trusted contexts. No public exploit code or CISA KEV listing has been identified at time of analysis, but the stored and persistent nature of the injection elevates operational impact beyond what the 6.4 base score alone conveys.

XSS IBM Watsonx Data Intelligence
NVD
CVSS 3.1
6.4
EPSS
0.3%
CVE-2025-36321 MEDIUM PATCH This Month

HTML injection in IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 enables a remote authenticated attacker to plant malicious HTML content that executes in a victim's browser within the hosting site's security context. The CVSS vector (PR:L/UI:R/C:H) confirms exploitation requires low-privilege authentication and a second user to view the injected content, with the primary impact being confidentiality loss - such as session token theft or credential harvesting. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog; a vendor patch is available via IBM advisory 7277801.

XSS IBM Watsonx Data Intelligence
NVD
CVSS 3.1
5.7
EPSS
0.4%
CVE-2025-36323 MEDIUM PATCH This Month

Cross-site scripting in IBM watsonx.data Intelligence 5.2.0 through 5.3.0 allows low-privileged authenticated users to inject arbitrary JavaScript into the Web UI, enabling credential theft or session hijacking against higher-privileged victims. The CVSS scope change (S:C) confirms the injected script executes in the victim's browser context, crossing trust boundaries within the platform. No public exploit code has been identified and this vulnerability is not listed in CISA KEV; IBM has released a patch via advisory PSIRT.

XSS IBM Watsonx Data Intelligence
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2025-36324 MEDIUM PATCH This Month

Server-side request forgery in IBM watsonx.data intelligence versions 5.2.0 through 5.3.0 enables authenticated attackers to coerce the server into issuing arbitrary outbound HTTP requests to attacker-controlled destinations. The CVSS vector (PR:L) confirms exploitation requires a valid account, but no elevated privileges are needed beyond basic authentication. Primary impact is internal network enumeration and potential pivoting to services that trust the watsonx.data host, rather than direct data exfiltration. No public exploit code or CISA KEV listing has been identified at time of analysis.

SSRF IBM Watsonx Data Intelligence
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2025-36327 MEDIUM PATCH This Month

Client-side enforcement of server-side security in IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 allows an authenticated low-privileged user to bypass access controls and perform actions beyond their authorized role. The root cause (CWE-602) means security decisions are made in client-side logic rather than enforced on the server, enabling bypass via crafted API requests. No public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog; however, the high integrity impact (CVSS I:H) with low attack complexity poses meaningful risk in multi-tenant or role-segregated deployments.

Authentication Bypass IBM Watsonx Data Intelligence
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2025-36328 MEDIUM PATCH This Month

IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 leak sensitive technical information to the browser via verbose error messages, giving authenticated remote attackers a reconnaissance foothold for follow-on attacks. The flaw is rooted in CWE-209 (overly informative error generation), which can expose stack traces, internal paths, backend technology details, or configuration fragments depending on what error condition is triggered. No public exploit code has been identified and no active exploitation is confirmed; the mandatory authentication barrier (PR:L) and information-only impact limit immediate blast radius, but the data gathered can materially assist more sophisticated attacks against the same system.

IBM Information Disclosure Watsonx Data Intelligence
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2025-36333 MEDIUM PATCH This Month

IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 exposes authenticated users to unauthorized action execution due to improper enforcement of behavioral workflow sequences (CWE-841). Low-privileged authenticated users can circumvent intended access controls by exploiting gaps in workflow state validation, enabling integrity-impacting operations they should not be permitted to perform. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog, though the network-accessible attack vector and low complexity lower the bar for exploitation by any credentialed user.

Authentication Bypass IBM Watsonx Data Intelligence
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2025-36336 MEDIUM PATCH This Month

Cleartext transmission in IBM watsonx.data intelligence versions 5.2.0 through 5.3.0 exposes sensitive data to interception by network-adjacent attackers using man-in-the-middle techniques. The CVSS vector (AV:N/AC:H/PR:N) confirms exploitation requires no authentication but does demand the attacker occupy a privileged on-path network position, moderating the overall risk. No public exploit code and no CISA KEV listing have been identified at time of analysis; vendor-released patch is available.

IBM Information Disclosure Watsonx Data Intelligence
NVD
CVSS 3.1
5.9
EPSS
0.2%
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Cleartext data transmission in IBM watsonx.data intelligence versions 5.2.2 through 5.3.1 (including patch-1) exposes sensitive information to network interception by a man-in-the-middle adversary. The platform transmits certain data without encryption, enabling an attacker positioned on the network path to capture confidential content in transit. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified; however, the CVSS High confidentiality impact (C:H) signals that the interceptable data is substantively sensitive, likely including queries, credentials, or intelligence payloads.

IBM Information Disclosure Watsonx Data Intelligence
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Temporary denial of service in IBM watsonx.data intelligence 5.2.0 through 5.3.0 is achievable by authenticated users who submit specially crafted HTTP requests, exploiting improper resource throttling allocation (CWE-770). The impact is limited to availability - confidentiality and integrity are unaffected - and the disruption is described as temporary rather than persistent. No public exploit code or active exploitation has been identified at the time of analysis.

IBM Denial Of Service Watsonx Data Intelligence
NVD
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Stored cross-site scripting in IBM watsonx.data intelligence versions 5.2.0 through 5.3.0 allows authenticated low-privileged users to inject persistent JavaScript into the Web UI, which then executes within the browser sessions of other authenticated users visiting the affected page. The CVSS scope change (S:C) confirms the payload crosses the security boundary from the attacker's session into victims' sessions, enabling credential harvesting within trusted contexts. No public exploit code or CISA KEV listing has been identified at time of analysis, but the stored and persistent nature of the injection elevates operational impact beyond what the 6.4 base score alone conveys.

XSS IBM Watsonx Data Intelligence
NVD
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

HTML injection in IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 enables a remote authenticated attacker to plant malicious HTML content that executes in a victim's browser within the hosting site's security context. The CVSS vector (PR:L/UI:R/C:H) confirms exploitation requires low-privilege authentication and a second user to view the injected content, with the primary impact being confidentiality loss - such as session token theft or credential harvesting. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog; a vendor patch is available via IBM advisory 7277801.

XSS IBM Watsonx Data Intelligence
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site scripting in IBM watsonx.data Intelligence 5.2.0 through 5.3.0 allows low-privileged authenticated users to inject arbitrary JavaScript into the Web UI, enabling credential theft or session hijacking against higher-privileged victims. The CVSS scope change (S:C) confirms the injected script executes in the victim's browser context, crossing trust boundaries within the platform. No public exploit code has been identified and this vulnerability is not listed in CISA KEV; IBM has released a patch via advisory PSIRT.

XSS IBM Watsonx Data Intelligence
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Server-side request forgery in IBM watsonx.data intelligence versions 5.2.0 through 5.3.0 enables authenticated attackers to coerce the server into issuing arbitrary outbound HTTP requests to attacker-controlled destinations. The CVSS vector (PR:L) confirms exploitation requires a valid account, but no elevated privileges are needed beyond basic authentication. Primary impact is internal network enumeration and potential pivoting to services that trust the watsonx.data host, rather than direct data exfiltration. No public exploit code or CISA KEV listing has been identified at time of analysis.

SSRF IBM Watsonx Data Intelligence
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Client-side enforcement of server-side security in IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 allows an authenticated low-privileged user to bypass access controls and perform actions beyond their authorized role. The root cause (CWE-602) means security decisions are made in client-side logic rather than enforced on the server, enabling bypass via crafted API requests. No public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog; however, the high integrity impact (CVSS I:H) with low attack complexity poses meaningful risk in multi-tenant or role-segregated deployments.

Authentication Bypass IBM Watsonx Data Intelligence
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 leak sensitive technical information to the browser via verbose error messages, giving authenticated remote attackers a reconnaissance foothold for follow-on attacks. The flaw is rooted in CWE-209 (overly informative error generation), which can expose stack traces, internal paths, backend technology details, or configuration fragments depending on what error condition is triggered. No public exploit code has been identified and no active exploitation is confirmed; the mandatory authentication barrier (PR:L) and information-only impact limit immediate blast radius, but the data gathered can materially assist more sophisticated attacks against the same system.

IBM Information Disclosure Watsonx Data Intelligence
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 exposes authenticated users to unauthorized action execution due to improper enforcement of behavioral workflow sequences (CWE-841). Low-privileged authenticated users can circumvent intended access controls by exploiting gaps in workflow state validation, enabling integrity-impacting operations they should not be permitted to perform. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog, though the network-accessible attack vector and low complexity lower the bar for exploitation by any credentialed user.

Authentication Bypass IBM Watsonx Data Intelligence
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Cleartext transmission in IBM watsonx.data intelligence versions 5.2.0 through 5.3.0 exposes sensitive data to interception by network-adjacent attackers using man-in-the-middle techniques. The CVSS vector (AV:N/AC:H/PR:N) confirms exploitation requires no authentication but does demand the attacker occupy a privileged on-path network position, moderating the overall risk. No public exploit code and no CISA KEV listing have been identified at time of analysis; vendor-released patch is available.

IBM Information Disclosure Watsonx Data Intelligence
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy