Summary

| Metric | Value |
|---|---|
| CVEs | 461 |
| Critical | 12 |
| High | 83 |
| KEV | 0 |
| PoC | 0 |
| Unpatched C/H | 78 |
| Patch Rate | 24.1% |
| Avg EPSS | 0.1% |

Severity Breakdown

| Severity | Count |
|---|---|
| CRITICAL | 12 |
| HIGH | 83 |
| MEDIUM | 338 |
| LOW | 26 |
Monthly CVE Trend (chart; no data values present in the extracted page)
Affected Products (30)

| Product | CVEs |
|---|---|
| Windows | 51 |
| Concert | 42 |
| Db2 | 40 |
| Sterling B2b Integrator | 25 |
| Infosphere Information Server | 21 |
| Openpages With Watson | 16 |
| Sterling File Gateway | 16 |
| Controller | 15 |
| Websphere Application Server | 13 |
| Applinx | 13 |
| Entirex | 13 |
| Cognos Controller | 13 |
| Cloud Pak For Business Automation | 12 |
| Security Verify Access | 10 |
| Planning Analytics Local | 10 |
| Qradar Security Information And Event Manager | 10 |
| Linux Kernel | 9 |
| Aspera Shares | 8 |
| Aix | 8 |
| Security Qradar Edr | 8 |
| Command Injection | 8 |
| Memory Corruption | 8 |
| Db2 Recovery Expert | 7 |
| Devops Deploy | 7 |
| Cloud Pak System | 7 |
| Urbancode Deploy | 7 |
| Cognos Analytics | 7 |
| Analytics Content Hub | 6 |
| Jazz Foundation | 6 |
| Datastage On Cloud Pak For Data | 6 |
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2025-13375 | IBM Common Cryptographic Architecture (CCA) 7.5.52 and 8.4.82 allows unauthenticated users to execute certain cryptographic operations that should require elevated privileges. | CRITICAL | 9.8 | 0.1% | 49 | No patch |
| CVE-2025-25022 | Credential exposure in IBM QRadar Suite 1.10.12.0-1.11.2.0. | CRITICAL | 9.6 | 0.1% | 48 | No patch |
| CVE-2025-1950 | IBM Hardware Management Console - Power Systems V10.2.1030.0 and V10.3.1050.0 could allow a local user to execute commands locally due to improper validation of libraries from an untrusted source. Rated critical severity (CVSS 9.3); this vulnerability requires no authentication and has low attack complexity. No vendor patch available. | CRITICAL | 9.3 | 0.0% | 47 | No patch |
| CVE-2026-1346 | Local privilege escalation to root in IBM Verify/Security Verify Access products 10.0-11.0.2 allows unauthenticated local users to gain full system control via excessive process privileges (CWE-250). The CVSS 9.3 score reflects a local attack vector but no authentication requirement (PR:N) and complete system compromise with scope change. Patch available per vendor advisory. No public exploit identified at time of analysis, though the local attack vector and low complexity (AC:L) suggest straightforward exploitation once local access is obtained. | CRITICAL | 9.3 | 0.0% | 47 | |
| CVE-2025-42958 | Due to a missing authentication check in the SAP NetWeaver application on IBM i-series, the application allows high privileged unauthorized users to read, modify, or delete sensitive information, as. Rated critical severity (CVSS 9.1); this vulnerability is remotely exploitable with low attack complexity. No vendor patch available. | CRITICAL | 9.1 | 0.1% | 46 | No patch |
| CVE-2025-33117 | IBM QRadar SIEM versions 7.5 through 7.5.0 Update Package 12 contain a privilege escalation vulnerability that allows authenticated administrative users to modify configuration files and upload malicious autoupdate packages, leading to arbitrary command execution with system-level privileges. This is a high-severity vulnerability (CVSS 9.1) affecting SIEM infrastructure; while it requires high privileges (PR:H), the network-accessible attack vector (AV:N) and lack of user interaction (UI:N) make it a significant risk in multi-user enterprise environments where administrative credentials may be compromised or misused. | CRITICAL | 9.1 | 0.1% | 46 | No patch |
| CVE-2025-36038 | IBM WebSphere Application Server (WAS) versions 8.5 and 9.0 are vulnerable to remote code execution through deserialization of untrusted serialized objects, allowing unauthenticated network attackers to execute arbitrary code with high confidence despite moderate attack complexity. This is a critical Java deserialization vulnerability (CWE-502) affecting enterprise application servers in widespread use; exploitation status and EPSS probability are not yet public, but the CVSS 9.0 score and network-accessible attack vector indicate this is a priority concern for organizations running affected WAS versions. | CRITICAL | 9.0 | 0.4% | 45 | No patch |
| CVE-2025-36049 | CVE-2025-36049 is a security vulnerability (CVSS 8.8). High severity vulnerability requiring prompt remediation. | HIGH | 8.8 | 0.1% | 44 | No patch |
| CVE-2026-3357 | Remote code execution in IBM Langflow Desktop versions 1.6.0 through 1.8.2 allows authenticated attackers to execute arbitrary code via unsafe deserialization in the FAISS component. The vulnerability stems from an insecure default configuration that permits deserialization of untrusted data. With CVSS 8.8 (High) reflecting network accessibility, low complexity, and full impact on confidentiality, integrity, and availability, this represents a critical risk for organizations running affected versions. Vendor-released patch available through IBM security advisory. No public exploit identified at time of analysis, though the attack path is well understood given the CWE-502 deserialization vulnerability class. | HIGH | 8.8 | 0.1% | 44 | |
| CVE-2025-36004 | CVE-2025-36004 is a privilege escalation vulnerability in IBM Facsimile Support for i affecting IBM i 7.2, 7.3, 7.4, and 7.5. The vulnerability stems from an unqualified library call that allows authenticated users to execute arbitrary code with administrator privileges. With a CVSS score of 8.8 and network accessibility, this represents a critical privilege escalation risk for organizations running affected IBM i systems. | HIGH | 8.8 | 0.1% | 44 | No patch |
| CVE-2025-33015 | Concert versions up to 2.1.0 are affected by unrestricted upload of a file with a dangerous type (CVSS 8.8). | HIGH | 8.8 | 0.0% | 44 | No patch |
| CVE-2025-13689 | Datastage On Cloud Pak For Data is affected by unrestricted upload of a file with a dangerous type (CVSS 8.8). | HIGH | 8.8 | 0.0% | 44 | No patch |
| CVE-2025-36222 | IBM Fusion 2.2.0 through 2.10.1, IBM Fusion HCI 2.2.0 through 2.10.0, and IBM Fusion HCI for watsonx 2.8.2 through 2.10.0 use insecure default configurations that could expose AMQStreams without. Rated high severity (CVSS 8.7); this vulnerability is remotely exploitable and requires no authentication. No vendor patch available. | HIGH | 8.7 | 0.0% | 44 | No patch |
| CVE-2025-13379 | IBM Aspera Console 3.4.0 through 3.4.8 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database. [CVSS 8.6 HIGH] | HIGH | 8.6 | 0.1% | 43 | No patch |
| CVE-2025-33103 | IBM i 7.2, 7.3, 7.4, 7.5, and 7.6 product IBM TCP/IP Connectivity Utilities for i contains a privilege escalation vulnerability. Rated high severity (CVSS 8.5); this vulnerability is remotely exploitable. No vendor patch available. | HIGH | 8.5 | 0.2% | 43 | No patch |