IBM
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any IBM product.
RSS Feeds for IBM security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in IBM products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by IBM Sorted by Most Security Vulnerabilities since 2018
Known Exploited IBM Vulnerabilities
The following IBM vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| IBM Aspera Faspex Code Execution Vulnerability |
IBM Aspera Faspex could allow a remote attacker to execute code on the system, caused by a YAML deserialization flaw. CVE-2022-47986 Exploit Probability: 100.0% |
February 21, 2023 |
| IBM InfoSphere BigInsights Invalid Input Vulnerability |
Certain APIs within BigInsights can take invalid input that might allow attackers unauthorized access to read, write, modify, or delete data. CVE-2013-3993 Exploit Probability: 5.2% |
May 25, 2022 |
| IBM WebSphere Application Server and Server Hypervisor Edition Code Injection. |
Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands CVE-2015-7450 Exploit Probability: 97.7% |
January 10, 2022 |
| IBM Data Risk Manager Arbritary File Download |
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to download arbitrary files from the system. IBM X-Force ID: 180535. CVE-2020-4430 Exploit Probability: 68.5% |
November 3, 2021 |
| IBM Data Risk Manager Authentication Bypass |
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to bypass the authentication process and gain full administrative access to the system. IBM X-Force ID: 180532. CVE-2020-4427 Exploit Probability: 70.0% |
November 3, 2021 |
| IBM Data Risk Manager Command Injection |
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to execute arbitrary commands on the system. IBM X-Force ID: 180533. CVE-2020-4428 Exploit Probability: 61.7% |
November 3, 2021 |
| IBM Planning Analytics configuration overwrite vulnerability |
IBM Planning Analytics 2.0.0 through 2.0.8 is vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting. IBM X-Force ID: 172094. CVE-2019-4716 Exploit Probability: 86.4% |
November 3, 2021 |
Of the known exploited vulnerabilities above, 6 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.
By the Year
In 2026 there have been 371 vulnerabilities in IBM with an average score of 6.4 out of ten. Last year, in 2025 IBM had 563 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in IBM in 2026 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.17.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 371 | 6.43 |
| 2025 | 563 | 6.26 |
| 2024 | 503 | 6.44 |
| 2023 | 357 | 6.80 |
| 2022 | 327 | 6.36 |
| 2021 | 443 | 6.10 |
| 2020 | 353 | 6.19 |
| 2019 | 454 | 6.14 |
| 2018 | 451 | 6.24 |
It may take a day or so for new IBM vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent IBM Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-13445 | Jul 17, 2026 |
IBM Langflow OSS 1.0.01.10.1 SaveToFile Absolute Path UI BypassIBM Langflow OSS 1.0.0 through 1.10.1 can allow an authenticated attacker to exploit the SaveToFile component to read and modify another user's uploaded files by specifying absolute paths pointing to victim storage locations. In append mode, the attacker's workflow reads victim file contents, appends attacker-controlled data, and uploads a copy containing victim data to the attacker's namespace (confidentiality breach). In overwrite mode, the attacker can replace victim file contents with arbitrary data (integrity breach). This breaks the storage ownership boundary between users. |
|
| CVE-2026-13446 | Jul 17, 2026 |
IBM Langflow OSS 1.0.0-1.10.1 Hard-Coded Credential ExposureIBM Langflow OSS 1.0.0 through 1.10.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. |
|
| CVE-2026-13448 | Jul 17, 2026 |
IBM Langflow OSS RCEx before 1.10.2 via /api/v1/build_public_tmpIBM Langflow OSS 1.0.0 through 1.10.1 Lanflow OSS contains an unauthenticated remote code execution vulnerability in the public flow build endpoint ( /api/v1/build_public_tmp/{flow_id}/flow ). The vulnerability stems from an incomplete denylist in the validate_public_flow_no_code_execution() function that fails to block several code-execution agent components including OpenDsStarAgent, CodeActAgentSmolagents, and CSVAgent. |
|
| CVE-2026-13473 | Jul 17, 2026 |
IBM Storage Protect Client 8.1.x-8.2.1.x Heap-BO Overflow RCEIBM Storage Protect Client 8.1.0.0 through 8.1.27.0, 8.1.27.1, and 8.2.0.0 through 8.2.1.0 IBM Storage Protect is vulnerable to a heap-based buffer overflow, caused by improper bounds checking. A remote attacker could overflow a buffer and execute arbitrary code on the system or cause the server to crash. |
|
| CVE-2026-14499 | Jul 17, 2026 |
IBM Langflow OSS 1.0.0-1.10.1 Auth CmdExec via Python InterpreterIBM Langflow OSS 1.0.0 through 1.10.1 Langflow could allow an authenticated user to execute arbitrary commands with elevated privileges on the system due to improper validation of user supplied input in the Python Interpreter component. |
|
| CVE-2026-14501 | Jul 17, 2026 |
IBM Db2 Genius Hub 1.x Arbitrary Code Exec & Info Leak via Unsafe FunctionsIBM Db2 Genius Hub 1.1, 1.1.1, 1.1.2 and IBM Agentics 1.0 could allow an attacker to execute arbitrary code or obtain sensitive information due to the use of dangerous functions without sufficient restrictions. |
|
| CVE-2026-14971 | Jul 17, 2026 |
IBM PowerVM Novalink API Misconfig Enables Unauthorized Ops (2.3)IBM PowerVM Novalink 2.2.02.2.12.2.1.1, and 2.3.02.3.0.12.3.12.3.2 IBM NovaLink APIs misconfiguration may increase attack surface and enable unintended or unauthorized operations under non-default conditions. |
|
| CVE-2026-14979 | Jul 17, 2026 |
IBM Engineering Lifecycle Management 7.0.3-7.2.0 DOORS XML Exp. DoSIBM Engineering Lifecycle Management 7.0.3 ( Interim Fix 001 through ) Interim Fix 021, 7.1.0 ( Interim Fix 001 through ) Interim Fix 009, and 7.2.0 and 7.2.0 Interim Fix 001 DOORS could allow a remote attacker to cause a denial of service due to improper handling of XML entity expansion. |
|
| CVE-2026-15069 | Jul 17, 2026 |
IBM Engineering AI Hub 1.x RCE via Improper Input SanitizationIBM Engineering AI Hub 1.0.0, 1.1.0, and 1.2.0 could allow a remote attacker to execute arbitrary script code due to improper neutralization of input during web page generation. |
|
| CVE-2026-15091 | Jul 17, 2026 |
IBM Engineering AI Hub 1.x Remote Script Exec via XSSIBM Engineering AI Hub 1.0.0, 1.1.0, and 1.2.0 could allow a remote attacker to execute arbitrary scripts due to improper neutralization of input during web page generation. |
|
| CVE-2026-15093 | Jul 17, 2026 |
IBM Engineering AI Hub v1.0-1.2: Improper URL Validation Allows Remote RedirectIBM Engineering AI Hub 1.0.0, 1.1.0, and 1.2.0 could allow a remote attacker to redirect users to malicious websites due to improper validation of user-supplied URLs. |
|
| CVE-2026-15322 | Jul 17, 2026 |
Remote Info Disclosure via Session Tokens in URLs in IBM Eng AI Hub 1.0-1.2IBM Engineering AI Hub 1.0.0, 1.1.0, and 1.2.0 could allow a remote attacker to obtain sensitive information due to the exposure of session tokens in URLs. |
|
| CVE-2026-15995 | Jul 17, 2026 |
Race Condition in IBM Cognos Analytics 12.1.3 Agentic AI Report FailuresIBM Cognos Analytics 12.1.3 GA Version with build number through 12.1.3-2606251736 could allow an attacker to obtain incorrect report summary results or cause report-processing failures due to a race condition in the Agentic AI assistant's concurrent request-handling logic when multiple authenticated users submit report-related tasks simultaneously. |
|
| CVE-2026-4938 | Jul 17, 2026 |
IBM Verify Access 10.0-11.0.2 Permission Escalation via ReadOnly RightsIBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 and IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 could allow an attacker with read-only privileges to make unauthorized modifications and deployments outside of their assigned permissions. |
And others... |
| CVE-2026-4942 | Jul 17, 2026 |
IBM i TLS Downgrade Vulnerability via Crafted Message (pre-7.7)IBM i 7.6, 7.5, 7.4, and 7.3 could allow a remote attacker to send a specifically crafted message and downgrade the Transport Layer Security (TLS) protocol to a version disabled in the server configuration. |
|
| CVE-2026-7364 | Jul 17, 2026 |
Open Redirect in IBM Verify Identity Access 11.0/10.0 (pre-11.0.2/10.0.9.1) allows phishingIBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 and IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability using a specially crafted request to redirect a victim to arbitrary Web sites. |
And others... |
| CVE-2026-7667 | Jul 17, 2026 |
IBM Langflow <1.10.0 Arbitrary File Write via Malicious FlowIBM Langflow OSS 1.0.0 through 1.10.0 allows an authenticated attacker to create a malicious flow pointing to an attacker-controlled URL that returns a specially crafted Content-Disposition header (e.g., filename="../../../target/path" ), enabling arbitrary file write operations with attacker-controlled content to any path accessible by the Langflow process. |
|
| CVE-2026-7754 | Jul 17, 2026 |
IBM Langflow_OSS 1.0.0-1.10.0 SSRF via insecure default configIBM Langflow OSS 1.0.0 through 1.10.0 Langflow 1.9.0 could allow server-side request forgery (SSRF) due to insecure default configuration and incomplete enforcement of the SSRF protection mechanism. |
|
| CVE-2026-7755 | Jul 17, 2026 |
Remote Code Exec in IBM Langflow OSS 1.0-1.10.0 MCP ConfigIBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow remote code execution due to incomplete validation enforcement on MCP server configuration files. |
|
| CVE-2026-7771 | Jul 17, 2026 |
IBM Db2 DoS via Trap on Subquery Compilation (VB 11.5.x-12.1.x)IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to a trap when compiling a specially crafted statements containing subqueries could lead to a denial of service. |
|
| CVE-2026-7872 | Jul 17, 2026 |
IBM Langflow OSS 1.0.0-1.10.0 Authenticated File Read & JWT ForgeryIBM Langflow OSS 1.0.0 through 1.10.0 allows an authenticated attacker to read arbitrary files including the JWT signing key and forge authentication tokens for any user. |
|
| CVE-2026-8056 | Jul 17, 2026 |
IBM Langflow OSS <1.11: Authenticated Runtime Param Override via APIIBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to override component parameters at runtime via the API. A critical security flaw exists in the parameter filtering mechanism within the `apply_tweaks()` function. |
|
| CVE-2026-8476 | Jul 17, 2026 |
IBM Langflow 1.0.0-1.10.0 RCE via AsyncDiskCache pickle.loadsIBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution vulnerability in the disk-based caching mechanism. The AsyncDiskCache class uses Python's unsafe pickle.loads() function to deserialize cached objects from disk without validation, integrity verification, or authentication, enabling arbitrary code execution when malicious pickle payloads are processed. Attackers who can influence cached data through file system access, malicious workflow inputs, custom components, or API manipulation can achieve complete system compromise with the privileges of the Langflow server process. |
|
| CVE-2026-8481 | Jul 17, 2026 |
IBM Langflow OSS RCE in /api/v1/validate/code via exec() v1.0.01.10.0IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution vulnerability in the code validation API endpoint. The POST /api/v1/validate/code endpoint accepts user-supplied Python code and executes it directly using Python's built-in exec() function without sandboxing, input validation, or privilege restrictions, enabling any authenticated user to execute arbitrary system commands with the full privileges of the Langflow server process. |
|
| CVE-2026-8505 | Jul 17, 2026 |
Unauthenticated Webhook RPC RCE in IBM Langflow 1.0.01.10.0IBM Langflow OSS 1.0.0 through 1.10.0 has a vulnerability in Langflow's webhook authentication logic allows unauthenticated users to trigger the execution of any flow. The system incorrectly bypasses API key validation when the WEBHOOK_AUTH_ENABLE configuration is set to False (which is the default setting). This allows a remote attacker who knows a flow's UUID to execute it as if they were the owner, potentially leading to Remote Code Execution (RCE). |
|
| CVE-2026-8635 | Jul 17, 2026 |
Auth Escalation & RCE in IBM Langflow OSS 1.0.0-1.10.0IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to escalate privileges to superuser by directly manipulating the database, execute arbitrary system commands, and achieve full system compromise with Langflow service permissions. |
|
| CVE-2026-8859 | Jul 17, 2026 |
IBM Langflow 1.0.0-1.10.0 APRequest CF Path Traversal File WriteIBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow an attacker to write arbitrary files to unintended locations due to improper input validation in the APIRequest component. A path traversal vulnerability exists when the "Save to File" feature is enabled, where filenames extracted from HTTP response Content-Disposition headers are not sanitized before being joined to the temporary directory path. An attacker controlling an external HTTP server can supply crafted filename values containing path traversal sequences (e.g., ../), enabling arbitrary file writes to locations accessible by the Langflow process. |
|
| CVE-2026-8861 | Jul 17, 2026 |
IBM Security Verify Detail Error Disclosure VulnerabilityIBM Security Verify could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. |
And others... |
| CVE-2026-9103 | Jul 17, 2026 |
IBM Langflow OSS 1.0.0-1.10.0 auto_login RCE via superuser bearer tokensIBM Langflow OSS 1.0.0 through 1.10.0 could allow a remote attacker to gain unauthorized access due to improper authentication in the /api/v1/login/auto_login endpoint. The endpoint issues long-lived superuser bearer tokens without requiring authentication when the AUTO_LOGIN configuration is enabled (enabled by default), which may allow an unauthenticated network attacker to obtain full administrative access. Additionally, permissive cross-origin resource sharing (CORS) settings may allow tokens to be exposed to unintended origins, increasing the risk of unauthorized access. |
|
| CVE-2026-9135 | Jul 17, 2026 |
IBM Langflow OSS 1.0.0-1.10.0 ToolGuard Code Injection via Unvalidated InputIBM Langflow OSS 1.0.0 through 1.10.0 Langflow versions up to 1.9.2 (commit 94981c443d4918517b9e8163d70fc598dc33a32d) contain a code injection vulnerability in the Policies component's ToolGuard integration that bypasses the allow_custom_components=false security control. The vulnerability exists because the validation mechanism only checks the main component source code in node_template["code"]["value"] but fails to validate dynamic CodeInput fields that store generated ToolGuard Python files. Attackers can embed malicious Python code in these unvalidated dynamic fields, which are persisted in Flow.data and later executed server-side when a guarded tool is invoked through the ToolGuard runtime. This allows authenticated users with flow creation privileges to achieve arbitrary Python code execution on the backend despite custom component restrictions. The vulnerability can be escalated through cross-tenant flow manipulation via the agentic MCP update_flow_component_field tool, which accepts attacker-controlled user_id parameters, enabling attackers to inject malicious code into victim users' flows. When combined with publicly accessible flows and specific misconfigurations (AUTO_LOGIN=true, NEW_USER_IS_ACTIVE=true), the attack can be conducted with reduced authentication requirements. |
|
| CVE-2026-9171 | Jul 17, 2026 |
IBM PowerVM Novalink Remote DoS via Malicious RequestIBM PowerVM Novalink are vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources. |
|
| CVE-2026-9198 | Jul 17, 2026 |
IBM Langflow OSS 1.0-1.10 RCE via /api/v1/auto_login + validate/codeIBM Langflow OSS 1.0.0 through 1.10.0 allows unauthenticated attackers to chain /api/v1/auto_login (mints SUPERUSER tokens to any network caller) with /api/v1/validate/code (executes user code via exec()) to achieve full RCE on default Langflow deployments |
|
| CVE-2026-9202 | Jul 17, 2026 |
IBM Langflow OSS 1.0.0-1.10.0 Unauth Unlimited Account Creation Enables RCEIBM Langflow OSS 1.0.0 through 1.10.0 allows unauthenticated attackers to create unlimited user accounts on any Langflow instance; when NEW_USER_IS_ACTIVE=true (documented deployment option), newly created accounts are immediately active and can authenticate to reach RCE endpoints, bypassing the need for AUTO_LOGIN. |
|
| CVE-2026-9762 | Jul 17, 2026 |
IBM Db2 RCE via User-Controlled JDBC URL (11.5.0-11.5.9,12.1.0-12.1.4)IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to remote code execution when jdbc url is under user control. |
|
| CVE-2026-9074 | Jul 08, 2026 |
IBM API Connect 10 SQLi: password reset (v10.0.8.0-9,12.1.0.0-3)IBM API Connect 10.0.8.0 through 10.0.8.9 and 12.1.0.0 through 12.1.0.3 contains an unauthenticated SQL injection vulnerability in the password reset functionality. |
|
| CVE-2026-3144 | Jul 08, 2026 |
IBM API Connect 12.1.0.012.1.0.3 Default Credentials Unauth AccessIBM API Connect 12.1.0.0 through 12.1.0.3 uses default credentials which could allow an attacker to gain unauthorized access to the application before the system enforces a credential update. |
|
| CVE-2026-11541 | Jun 30, 2026 |
HTTP Req Smuggling in IBM WebSphere WSAS 8.5/9.0 & Liberty 17.0.0.3-26.0.0.6IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are affected by an HTTP request smuggling vulnerability. |
|
| CVE-2026-11594 | Jun 30, 2026 |
IBM WAS 9.0/8.5 XSS in Admin ConsoleIBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the administrative console. |
|
| CVE-2025-12530 | Jun 30, 2026 |
IBM watsonx.data 5.3.1 & Pre 5.3.1 Cleartext MITM VulnerabilityIBM watsonx.data intelligence 5.2.2, 5.3.0, 5.3.1, 5.3.1 through patch-1 transmits data in clear text that could allow an attacker to obtain sensitive information using man in the middle techniques. |
|
| CVE-2025-36319 | Jun 30, 2026 |
IBM Watsonx.data 5.2.0-5.3.0 Throttle DoS via APIIBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 could allow an authenticated user to cause a temporary denial using a specially crafted HTTP request due to improper allocation of resource throttling. |
|
| CVE-2025-36320 | Jun 30, 2026 |
IBM watsonx.data Stored XSS in 5.2.0-5.3.0IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. |
|
| CVE-2025-36321 | Jun 30, 2026 |
IBM watsonx.data HTML Injection in 5.2.0-5.3.0IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. |
|
| CVE-2025-36323 | Jun 30, 2026 |
IBM watsonx.data intelligence <5.3.0: CrossSite Scripting in Web UIIBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. |
|
| CVE-2025-36324 | Jun 30, 2026 |
IBM Watsonx.data SSRF v5.2.0-5.3.0 Authenticated AttackIBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 s vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. |
|
| CVE-2025-36327 | Jun 30, 2026 |
IBM watsonx.data 5.2-5.3 Auth Bypass via Client-side EnforcementIBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 could allow an authenticated user to bypass security controls and perform unauthorized actions due to client-side enforcement of sever-side security. |
|
| CVE-2025-36328 | Jun 30, 2026 |
IBM watsonx.data 5.2.05.3.0 Err Msg LeakIBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. |
|
| CVE-2025-36333 | Jun 30, 2026 |
IBM WatsonX.data 5.2-5.3: Auth.Unauth Actions w/ Improper WorkflowIBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 could allow an authenticated user to perform unauthorized actions due to the improper enforcement of behavioral workflow. |
|
| CVE-2025-36336 | Jun 30, 2026 |
IBM watsonx.data MIse: Cleartext Transmission Enables MITM (pre-5.3.0)IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 transmits data in clear text that could allow an attacker to obtain sensitive information using man in the middle techniques. |
|
| CVE-2025-36359 | Jun 30, 2026 |
IBM DevOps Automation 1.0.1 & Loop 1.0.2 Session ID Expiration BypassIBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 does not invalidate session IDs after expiration which could allow an authenticated user to impersonate another user on the system. |
|
| CVE-2025-36372 | Jun 30, 2026 |
IBM Db2 11.5.x/12.1.x Sensitive Info Leakage via Monitoring TablesIBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could disclose sensitive information to an authenticated user from the monitoring and event tables. |
|