160
CVEs
34
Critical
45
High
0
KEV
0
PoC
29
Unpatched C/H
63.1%
Patch Rate
0.2%
Avg EPSS
Severity Breakdown
CRITICAL
34
HIGH
45
MEDIUM
78
LOW
1
Monthly CVE Trend
Affected Products (30)
Websphere Application Server
246
Db2
212
Maximo Asset Management
149
Infosphere Information Server
145
Sterling B2b Integrator
144
Qradar Security Information And Event Manager
128
Websphere Portal
104
Rational Doors Next Generation
98
Rational Quality Manager
94
Rational Engineering Lifecycle Manager
83
Rational Team Concert
83
Aix
82
Security Guardium
81
Java
80
Business Process Manager
76
Sterling File Gateway
76
Rational Collaborative Lifecycle Management
68
Vios
67
Open Redirect
65
Cognos Analytics
63
Smartcloud Control Desk
62
Security Key Lifecycle Manager
58
Security Verify Access
56
Websphere Mq
54
Rational Rhapsody Design Manager
53
Api Connect
53
Windows
52
Urbancode Deploy
51
Rational Software Architect Design Manager
50
Concert
50
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-10561 | Unauthenticated remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.3 allows attackers to fully compromise the host by bypassing authentication and abusing improper Python execution isolation. The maximum CVSS 10.0 score (AV:N/AC:L/PR:N/UI:N with scope change) reflects trivial network-based exploitation against any internet-exposed instance, though no public exploit identified at time of analysis. IBM has confirmed the issue and released a patch via support advisory node/7277242. | CRITICAL | 10.0 | 0.5% | 51 |
|
| CVE-2026-10134 | Remote code execution in IBM Langflow OSS 1.0.0 through 1.9.3 lets an unauthenticated attacker inject and run arbitrary Python via the flow `tool_code` mechanism, gaining full control of the Langflow process. Because the scope changes (S:C), the attacker can read every process secret, read and tamper with all flows, conversations, messages, uploads and saved components in the database, reach internal services and cloud metadata endpoints, and pivot across tenants on the same instance. This is a maximum-severity (CVSS 10.0) flaw, though no public exploit has been identified at time of analysis and it is not listed in CISA KEV. | CRITICAL | 10.0 | 0.3% | 50 |
No patch
|
| CVE-2026-10109 | Remote code execution in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.4 lets unauthenticated network attackers run arbitrary code by abusing improper handling of the pre-authentication DRDA handshake. Because the flaw is reachable before any login, any client able to reach the database listener can trigger it, and the CVSS 3.1 base score of 9.8 reflects full compromise of confidentiality, integrity, and availability. No public exploit is identified at time of analysis and the CVE is not listed in CISA KEV. | CRITICAL | 9.8 | 0.9% | 50 |
No patch
|
| CVE-2026-7873 | Code injection in IBM Langflow OSS versions 1.0.0 through 1.10.0 lets an authenticated user execute arbitrary operating-system commands and read sensitive files such as stored credentials, escalating from low-privileged application access to full host compromise. Rated CVSS 9.9 with a scope-changing vector, the flaw enables lateral movement once an attacker holds any valid Langflow account. No public exploit identified at time of analysis, but a vendor patch is available. | CRITICAL | 9.9 | 0.3% | 50 |
|
| CVE-2026-13772 | Arbitrary constructor invocation (leading to code execution) in IBM WebSphere eXtreme Scale 8.6.1.0 through 8.6.1.6 lets an authenticated remote attacker who can influence an application-built Object Query Language (OQL) query force the engine to resolve attacker-named classes via Class.forName() and instantiate them without any allow-list. Three distinct sinks are affected (SELECT NEW, enum literals, and reflection-based comparators), and a SELECT DISTINCT variant using planted grid values triggers the gadget post-readObject in a way that bypasses JEP-290 serialization filters across grid nodes. There is no public exploit identified at time of analysis and EPSS is low (0.27%), but the CVSS 9.9 scope-changing impact makes this a high-priority patch for exposed grid deployments. | CRITICAL | 9.9 | 0.3% | 50 |
|
| CVE-2026-9074 | Unauthenticated SQL injection in IBM API Connect's password reset functionality allows remote attackers to inject arbitrary SQL against the backing database without credentials, affecting versions 10.0.8.0 through 10.0.8.9 and 12.1.0.0 through 12.1.0.3. With a CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) and total technical impact, exploitation can lead to full compromise of confidentiality, integrity, and availability of the API management data store. No public exploit identified at time of analysis, and EPSS remains low (0.44%), but IBM has released patches and CISA's SSVC flags the flaw as automatable with total impact. | CRITICAL | 9.8 | 0.4% | 49 |
|
| CVE-2026-7871 | Insecure deserialization (CWE-502) in IBM Langflow OSS versions 1.0.0 through 1.10.0 lets any party with access to the backing Redis store inject a malicious serialized object that Langflow deserializes, yielding arbitrary code execution with full application privileges. Successful exploitation exposes all stored secrets, flow data, and the underlying host, effectively a complete compromise of the Langflow instance. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; a vendor patch is available per IBM advisory node 7278443. | CRITICAL | 9.8 | 0.4% | 49 |
|
| CVE-2026-8175 | Remote code execution and authentication bypass are possible in IBM Aspera High-Speed Transfer Server and High-Speed Transfer Endpoint (versions 3.7.4 through 4.4.7 Fix Pack 1) through a heap-based buffer overflow in the asperahttpd component. An unauthenticated network attacker can corrupt memory to crash the service (denial of service) and, in the worst case, hijack execution flow to run arbitrary code or bypass authentication. There is no public exploit identified at time of analysis and SSVC lists exploitation as none, but the CVSS 9.8 rating and 'Automatable: yes' assessment mark this as a high-priority patching target. | CRITICAL | 9.8 | 0.4% | 49 |
No patch
|
| CVE-2026-9072 | Remote code execution and denial of service in IBM WebSphere Application Server and WebSphere Application Server Liberty (including IBM i 7.3-7.6) occurs when the WebServer Plug-in component is deployed with Intelligent Management enabled. An attacker who can impersonate a backend application server and return crafted responses can trigger code injection (CWE-94) against the plug-in, yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis; EPSS 0.38% and SSVC exploitation 'none' indicate no observed weaponization despite the 9.8 CVSS rating. | CRITICAL | 9.8 | 0.4% | 49 |
|
| CVE-2026-3144 | Authentication bypass via default credentials in IBM API Connect 12.1.0.0 through 12.1.0.3 lets remote unauthenticated attackers log in with vendor-shipped default credentials during the window before the system forces a credential change on first use. Rated CVSS 9.8 with total confidentiality, integrity, and availability impact, the flaw grants full access to the API management platform. There is no public exploit identified at time of analysis and SSVC reports no observed exploitation, but the low attack complexity and known-credential nature make opportunistic abuse of freshly deployed instances plausible. | CRITICAL | 9.8 | 0.4% | 49 |
|
| CVE-2026-7803 | Arbitrary code execution in IBM Langflow OSS versions 1.0.0 through 1.10.0 allows remote attackers to run code on the host by submitting flow definitions containing nodes with missing or empty component type fields. The improper input validation (CWE-20) lets malformed node specifications bypass type checks and reach unsafe execution paths in the low-code AI workflow engine. The CVSS vector (AV:N/PR:N) indicates network-reachable, pre-authentication exploitation; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. | CRITICAL | 9.8 | 0.4% | 49 |
|
| CVE-2026-11541 | HTTP request smuggling in IBM WebSphere Application Server (traditional 8.5 and 9.0) and WebSphere Liberty (17.0.0.3 through 26.0.0.6) lets remote attackers desynchronize how front-end proxies and the WebSphere back-end parse HTTP request boundaries, enabling request-queue poisoning, security-control bypass, and disclosure of other users' data (tagged Information Disclosure). The CVSS 9.8 vector rates all impacts high, but SSVC records no observed exploitation and EPSS is low (0.34%); no public exploit is identified at time of analysis, and a vendor patch is available. Realistic exploitation depends on WebSphere sitting behind an intermediary that disagrees with it on request framing. | CRITICAL | 9.8 | 0.3% | 49 |
|
| CVE-2026-7524 | Remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.1 lets unauthenticated network attackers run arbitrary code by abusing how the platform handles symbolic links while unpacking uploaded archives. Because extraction does not properly validate symlink targets, a crafted archive can write files outside the intended directory and ultimately achieve code execution on the host. The flaw carries a critical CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and is reachable without authentication or user interaction, though no public exploit identified at time of analysis. | CRITICAL | 9.8 | 0.3% | 49 |
No patch
|
| CVE-2026-7664 | Authorization bypass in IBM Langflow OSS 1.0.0 through 1.8.4 allows unauthenticated remote attackers to access protected Model Context Protocol (MCP) project resources and invoke MCP operations through the Streamable MCP transport endpoint. The CVSS 9.8 rating reflects unauthenticated network exploitation with full confidentiality, integrity, and availability impact, though no public exploit identified at time of analysis and the flaw is not currently listed in CISA KEV. | CRITICAL | 9.8 | 0.3% | 49 |
|
| CVE-2026-7663 | Improper authorization enforcement in IBM Langflow OSS 1.0.0 through 1.9.6 lets unauthenticated remote attackers reach protected MCP (Model Context Protocol) project resources and invoke MCP operations through the Streamable MCP transport endpoint. Because the flaw bypasses authentication entirely on a network-facing endpoint and is rated CVSS 9.8 with full confidentiality, integrity, and availability impact, any exposed Langflow instance is at risk. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.24%, 15th percentile), indicating exploitation has not yet become widespread. | CRITICAL | 9.8 | 0.2% | 49 |
|