IBM


Products by IBM Sorted by Most Security Vulnerabilities since 2018

IBM I: 289 vulnerabilities
IBM Rational Quality Manager: 132 vulnerabilities
IBM Sterling B2b Integrator: 131 vulnerabilities
IBM Db2: 127 vulnerabilities
IBM Aix: 124 vulnerabilities
IBM Cognos Analytics: 95 vulnerabilities
IBM Security Guardium: 84 vulnerabilities
IBM Maximo Asset Management: 78 vulnerabilities
IBM Api Connect: 75 vulnerabilities
IBM Vios: 73 vulnerabilities
IBM Security Verify Access: 71 vulnerabilities
IBM Mq: 67 vulnerabilities
IBM Rational Team Concert: 65 vulnerabilities
IBM Sterling File Gateway: 52 vulnerabilities
IBM Security Access Manager: 49 vulnerabilities
IBM Cloud Pak For Security: 48 vulnerabilities
IBM Cognos Controller: 48 vulnerabilities
IBM Concert: 46 vulnerabilities
IBM Aspera Faspex: 44 vulnerabilities
IBM Spectrum Scale: 42 vulnerabilities
IBM Urbancode Deploy: 42 vulnerabilities
IBM Mq Appliance: 41 vulnerabilities
IBM Planning Analytics: 41 vulnerabilities
IBM Robotic Process Automation: 40 vulnerabilities
IBM Business Process Manager: 33 vulnerabilities
IBM Maximo Application Suite: 31 vulnerabilities
IBM Cics Tx: 31 vulnerabilities
IBM Jazz Reporting Service: 29 vulnerabilities
IBM Qradar Siem: 29 vulnerabilities
IBM Planning Analytics Local: 29 vulnerabilities
IBM Spectrum Protect Plus: 27 vulnerabilities
IBM Cloud Pak System: 27 vulnerabilities
IBM Content Navigator: 26 vulnerabilities
IBM Qradar Suite: 23 vulnerabilities
IBM Concert Software: 23 vulnerabilities
IBM Security Identity Manager: 22 vulnerabilities
IBM Openpages With Watson: 22 vulnerabilities
IBM Spectrum Protect: 21 vulnerabilities
IBM Bigfix Platform: 20 vulnerabilities
IBM Controller: 20 vulnerabilities
IBM Sterling Secure Proxy: 19 vulnerabilities
IBM Websphere Mq: 19 vulnerabilities
IBM Aspera Console: 18 vulnerabilities
IBM Security Secret Server: 18 vulnerabilities
IBM Security Verify Governance: 18 vulnerabilities
IBM Informix Dynamic Server: 18 vulnerabilities
IBM Websphere Portal: 18 vulnerabilities
IBM App Connect Enterprise: 17 vulnerabilities
IBM Security Qradar Edr: 16 vulnerabilities
IBM Security Directory Server: 16 vulnerabilities
IBM Datacap: 16 vulnerabilities
IBM Powervm Hypervisor: 16 vulnerabilities
IBM Applinx: 15 vulnerabilities
IBM Datacap Navigator: 15 vulnerabilities
IBM Doors Next: 14 vulnerabilities
IBM Control Desk: 14 vulnerabilities
IBM Entirex: 13 vulnerabilities

Known Exploited IBM Vulnerabilities

The following IBM vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

IBM Aspera Faspex Code Execution Vulnerability (CVE-2022-47986; EPSS exploit probability 94.3%; added February 21, 2023)
IBM Aspera Faspex could allow a remote attacker to execute code on the system, caused by a YAML deserialization flaw.

IBM InfoSphere BigInsights Invalid Input Vulnerability (CVE-2013-3993; EPSS exploit probability 21.0%; added May 25, 2022)
Certain APIs within BigInsights can take invalid input that might allow attackers unauthorized access to read, write, modify, or delete data.

IBM WebSphere Application Server and Server Hypervisor Edition Code Injection (CVE-2015-7450; EPSS exploit probability 93.5%; added January 10, 2022)
Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands.

IBM Data Risk Manager Arbitrary File Download (CVE-2020-4430; EPSS exploit probability 84.3%; added November 3, 2021)
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to download arbitrary files from the system. IBM X-Force ID: 180535.

IBM Data Risk Manager Authentication Bypass (CVE-2020-4427; EPSS exploit probability 92.7%; added November 3, 2021)
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to bypass the authentication process and gain full administrative access to the system. IBM X-Force ID: 180532.

IBM Data Risk Manager Command Injection (CVE-2020-4428; EPSS exploit probability 92.3%; added November 3, 2021)
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to execute arbitrary commands on the system. IBM X-Force ID: 180533.

IBM Planning Analytics Configuration Overwrite Vulnerability (CVE-2019-4716; EPSS exploit probability 91.5%; added November 3, 2021)
IBM Planning Analytics 2.0.0 through 2.0.8 is vulnerable to a configuration overwrite that allows an unauthenticated user to log in as "admin" and then execute code as root or SYSTEM via TM1 scripting. IBM X-Force ID: 172094.

Of the known exploited vulnerabilities above, 6 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. The vulnerability CVE-2013-3993: IBM InfoSphere BigInsights Invalid Input Vulnerability is in the top 5% of the currently known exploitable vulnerabilities.

By the Year

In 2026 there have been 128 vulnerabilities in IBM products with an average score of 5.8 out of ten. Last year, in 2025, IBM had 563 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in IBM products in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.42.

Year Vulnerabilities Average Score
2026 128 5.84
2025 563 6.26
2024 503 6.44
2023 357 6.80
2022 327 6.36
2021 443 6.10
2020 353 6.19
2019 454 6.14
2018 451 6.24

It may take a day or so for new IBM vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent IBM Security Vulnerabilities

CVE-2026-0977 (Mar 13, 2026) [Cics Transaction Gateway]
IBM CICS TG Multi 9.3/10.1 Access Control Flaw Enables File Transfer/View: IBM CICS Transaction Gateway for Multiplatforms 9.3 and 10.1 could allow a user to transfer or view files due to improper access controls.

CVE-2025-13212 (Mar 13, 2026) [Aspera Console]
IBM Aspera Console 3.3.0-3.4.8 Authenticated Email Service DoS: IBM Aspera Console 3.3.0 through 3.4.8 could allow an authenticated user to cause a denial of service in the email service due to improper control of interaction frequency.

CVE-2025-13459 (Mar 13, 2026) [Aspera Console]
IBM Aspera Console 3.3.0-3.4.8 Privileged DoS via Workflow Enforcement: IBM Aspera Console 3.3.0 through 3.4.8 could allow a privileged user to cause a denial of service due to improper enforcement of behavioral workflow.

CVE-2025-13460 (Mar 13, 2026) [Aspera Console]
IBM Aspera Console 3.3.0-3.4.8 Username Enumeration via Response Discrepancy: IBM Aspera Console 3.3.0 through 3.4.8 could allow an attacker to enumerate usernames due to an observable response discrepancy.

CVE-2025-36368 (Mar 13, 2026) [Sterling B2b Integrator]
IBM Sterling B2B Integrator/File Gateway 6.1.0.0-6.2.1.1_1 SQL Injection: IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.7_2, 6.2.0.0 through 6.2.0.5_1, and 6.2.1.0 through 6.2.1.1_1 are vulnerable to SQL injection. An administrative user could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database.

CVE-2023-40693 (Mar 13, 2026) [Sterling B2b Integrator]
IBM Sterling B2B Integrator/File Gateway 6.x Web UI XSS: IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.7_2, 6.2.0.0 through 6.2.0.5_1, and 6.2.1.0 through 6.2.1.1_1 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.

CVE-2025-14483 (Mar 13, 2026) [Sterling B2b Integrator]
IBM Sterling B2B Integrator/File Gateway 6.x Information Disclosure to Authenticated Users: IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.7_2, 6.2.0.0 through 6.2.0.5_1, 6.2.1.0 through 6.2.1.1_1, and 6.2.2.0 could disclose sensitive host information to authenticated users in responses that could be used in further attacks against the system.

CVE-2025-14504 (Mar 13, 2026) [Sterling B2b Integrator]
IBM Sterling B2B Integrator/File Gateway 6.1.0.0-6.2.2.0 XSS in Web UI: IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.7_2, 6.2.0.0 through 6.2.0.5_1, 6.2.1.0 through 6.2.1.1_1, and 6.2.2.0 are vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.

CVE-2026-0835 (Mar 13, 2026) [Sterling B2b Integrator]
XSS in IBM Sterling B2B Integrator 6.1-6.2.2 (UI Code Injection): IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.7_2, 6.2.0.0 through 6.2.0.5_1, 6.2.1.0 through 6.2.1.1_1, and 6.2.2.0 are vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.

CVE-2025-13702 (Mar 13, 2026) [Sterling Partner Engagement Manager]
IBM Sterling PEM 6.2.3.0-6.2.4.2 XSS (Authenticated JS Injection): IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.

CVE-2025-13718 (Mar 13, 2026) [Sterling Partner Engagement Manager]
IBM Sterling PEM 6.2.3.x-6.2.4.2 Cleartext Leak via Unencrypted Communication: IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow a remote attacker to obtain sensitive information in cleartext in a communication channel that can be sniffed by unauthorized actors.

CVE-2025-13723 (Mar 13, 2026) [Sterling Partner Engagement Manager]
IBM Sterling PEM 6.2.3.0-6.2.4.2 Data Leak via Expired Token: IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow an attacker to obtain sensitive user information using an expired access token.

CVE-2025-13726 (Mar 13, 2026) [Sterling Partner Engagement Manager]
IBM Sterling PEM 6.2.3.0-6.2.4.2 Sensitive Information Disclosure via Detailed Error Messages: IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow a remote attacker to obtain sensitive information when detailed technical error messages are returned. This information could be used in further attacks against the system.

CVE-2025-14811 (Mar 13, 2026) [Sterling Partner Engagement Manager]
IBM Sterling PEM 6.2.3/6.2.4 Sensitive Data Leakage via HTTP GET Query String: IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow an attacker to obtain sensitive information from the query string of an HTTP GET request, which could be captured using man-in-the-middle techniques.

CVE-2025-13213 (Mar 10, 2026) [Aspera Orchestrator]
IBM Aspera Orchestrator 3.0.0-4.1.2 HTTP Header Injection: IBM Aspera Orchestrator 3.0.0 through 4.1.2 is vulnerable to HTTP header injection, caused by improper validation of input in the HOST header. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.

CVE-2025-13219 (Mar 10, 2026) [Aspera Orchestrator]
IBM Aspera Orchestrator 3.0.0-4.1.2 Information Disclosure via URL Parameters: IBM Aspera Orchestrator 3.0.0 through 4.1.2 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, the referrer header or browser history.

CVE-2025-36226 (Mar 10, 2026) [Aspera Faspex 5]
IBM Aspera Faspex 5.0.x Web UI XSS (Authenticated JS Injection): IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.

CVE-2025-36227 (Mar 10, 2026) [Aspera Faspex 5]
IBM Aspera Faspex 5.0.0-5.0.14.3 HTTP Header Injection Vulnerability: IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to HTTP header injection, caused by improper validation of input in the HOST header. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.

CVE-2026-2713 (Mar 10, 2026) [Trusteer Rapport Installer]
IBM Trusteer Rapport Installer 3.5.2309.290 DLL Search Path Vulnerability Allows Local Code Execution: The IBM Trusteer Rapport installer 3.5.2309.290 could allow a local attacker to execute arbitrary code on the system, caused by a DLL uncontrolled search path element vulnerability. By placing a specially crafted file in a compromised folder, an attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2025-36173 (Mar 10, 2026) [Infosphere Data Architect]
InfoSphere Data Architect 9.2.1 Vulnerability: Affected product(s) and version(s): InfoSphere Data Architect 9.2.1.

CVE-2025-36105 (Mar 10, 2026) [Planning Analytics Advanced Certified Containers]
Local Privileged Information Leak via Environment Variables in IBM Planning Analytics Advanced Certified Containers 3.1.0-3.1.4: IBM Planning Analytics Advanced Certified Containers 3.1.0 through 3.1.4 could allow a local privileged user to obtain sensitive information from environment variables.

CVE-2025-13686 (Mar 03, 2026) [Datastage On Cloud Pak Data]
IBM DataStage 5.1.2-5.3.0 Authenticated Command Execution via Job Subroutine: IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 could allow an authenticated user to execute arbitrary commands with normal user privileges on the system due to improper validation of user-supplied input through the job subroutine component.

CVE-2025-13687 (Mar 03, 2026) [Datastage On Cloud Pak Data]
IBM DataStage on Cloud Pak for Data 5.1.2-5.3.0 UDF Command Execution via Improper Input Validation: IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 could allow an authenticated user to execute arbitrary commands with normal user privileges on the system due to improper validation of user-supplied input through the user-defined function component.

CVE-2025-13688 (Mar 03, 2026) [Datastage On Cloud Pak Data]
IBM DataStage on Cloud Pak for Data 5.1.2-5.3.0 Command Injection via Wrapped Command Component: IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 could allow an authenticated user to execute arbitrary commands with normal user privileges on the system due to improper validation of user-supplied input through the wrapped command component.

CVE-2025-14456 (Mar 03, 2026) [Mq Appliance]
IBM MQ Appliance CD 9.4-9.4.4.1 Vulnerability: Affected versions: IBM MQ Appliance 9.4 CD through 9.4.4.0 to 9.4.4.1.

CVE-2025-14480 (Mar 03, 2026) [Aspera Faspio Gateway]
IBM Aspera faspio Gateway 1.3.6 Weak Cryptographic Algorithms Allow Decryption: IBM Aspera faspio Gateway 1.3.6 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

CVE-2026-1567 (Mar 03, 2026) [Infosphere Information Server]
XXE in IBM InfoSphere Information Server 11.7.0.0-11.7.1.6 XML Parser: IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to an XML External Entity (XXE) injection that could allow attackers to retrieve sensitive information from the server.

CVE-2026-1713 (Mar 03, 2026) [Mq]
IBM MQ 9.x LTS/CD Vulnerability: Affected versions: IBM MQ 9.1.0.0 through 9.1.0.33 LTS, 9.2.0.0 through 9.2.0.40 LTS, 9.3.0.0 through 9.3.0.36 LTS, 9.30.0 through 9.3.5.1 CD, 9.4.0.0 through 9.4.0.17 LTS, and 9.4.0.0 through 9.4.4.1 CD.

CVE-2025-13490 (Mar 03, 2026) [App Connect Operator; App Connect Enterprise Certified Containers Operands]
IBM App Connect Enterprise Certified Container Cleartext Transmission (MITM) Vulnerability, CD 11.3.0-12.20.0, LTS 12.0.0-12.0.20: IBM App Connect Operator versions CD 11.3.0 through 11.6.0 and 12.1.0 through 12.20.0, LTS versions 12.0.0 through 12.0.20, and IBM App Connect Enterprise Certified Containers Operands versions CD 12.0.11.2r1 through 12.0.12.5r1 and 13.0.1.0r1 through 13.0.6.1r1, and LTS versions 12.0.12r1 through 12.0.12r20, contain a vulnerability in which the IBM App Connect Enterprise Certified Container transmits data in clear text, potentially allowing an attacker to intercept and obtain sensitive information through man-in-the-middle techniques.

CVE-2025-13616 (Mar 03, 2026) [Datastage On Cloud Pak Data]
IBM DataStage on Cloud Pak for Data 5.1.2-5.3.0 Sensitive Information Disclosure in HTTP Response: IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 returns sensitive information in an HTTP response that could be used in further attacks against the system.

CVE-2025-13734 (Mar 03, 2026) [Engineering Requirements Management Doors Next]
IBM DOORS Next 7.1-7.2 Authenticated Permission Escalation: IBM Engineering Requirements Management DOORS Next 7.1 and 7.2 could allow an authenticated user to view and edit data beyond their authorized access permissions.

CVE-2025-14604 (Mar 03, 2026) [Storage Scale]
IBM Storage Scale 5.2.3.0-5.2.3.5 and 6.0.0.0-6.0.0.1 Local Permission Escalation: IBM Storage Scale 5.2.3.0 through 5.2.3.5 and 6.0.0.0 through 6.0.0.1 could allow a local user to unintentionally trigger additional permissions for resources in a way that allows that resource to be executed by unintended actors.

CVE-2025-14923 (Mar 03, 2026) [Websphere Application Server Liberty]
IBM WebSphere Liberty 17.0.0.3-26.0.0.2 Weaker Security via Security Utility: IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.2 could provide weaker than expected security when using the Security Utility to administer security settings.

CVE-2025-36363 (Mar 03, 2026) [Devops Plan]
IBM DevOps Plan 3.0.0-3.0.5 Weak Lockout Allows Remote Brute Force: IBM DevOps Plan 3.0.0 through 3.0.5 uses an inadequate account lockout setting that could allow a remote attacker to brute-force account credentials.

CVE-2025-36364 (Mar 03, 2026) [Devops Plan]
IBM DevOps Plan 3.0.0-3.0.5 Local Cache Leak (Web Page Cache Readable by Other Users): IBM DevOps Plan 3.0.0 through 3.0.5 allows the web page cache to be stored locally, where it can be read by another user on the system.

CVE-2026-1265 (Mar 03, 2026) [Infosphere Information Server]
IBM InfoSphere Information Server 11.7.0.0-11.7.1.6 Log File Sensitive Data Leak: IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to writing of sensitive information in a log file.

CVE-2026-2606 (Mar 03, 2026) [Webmethods Api Gateway On Prem]
IBM webMethods API Gateway 10.11-11.1 Arbitrary File Read via file:// on /createapi: IBM webMethods API Gateway (on-prem) 10.11 through 10.11_Fix32, 10.15 through 10.15_Fix27, and 11.1 through 11.1_Fix7 (IBM webMethods API Management, on-prem) fails to properly validate user-supplied input passed to the url parameter on the /createapi endpoint. An attacker can modify this parameter to use a file:// URI scheme instead of the expected https:// scheme, enabling unauthorized arbitrary file read access on the underlying server file system.

CVE-2025-13333 (Feb 17, 2026) [WebSphere Application Server]
IBM WebSphere Application Server 9.0/8.5 Weak Security During Administration: IBM WebSphere Application Server 9.0 and 8.5 could provide weaker than expected security during system administration of security settings.

CVE-2025-13689 (Feb 17, 2026) [Datastage On Cloud Pak]
Arbitrary Command Execution via Unrestricted File Upload in IBM DataStage: IBM DataStage on Cloud Pak for Data could allow an authenticated user to execute arbitrary commands and gain access to sensitive information due to unrestricted file uploads.

CVE-2023-38005 (Feb 17, 2026) [Cloud Pak System]
IBM Cloud Pak System 2.3.3.6-2.3.5.0 Authenticated User Performs Unauthorized Tasks via Improper Access Controls: IBM Cloud Pak System 2.3.3.6, 2.3.3.7, 2.3.4.0, 2.3.4.1, and 2.3.5.0 could allow an authenticated user to perform unauthorized tasks due to improper access controls.

CVE-2025-33135 (Feb 17, 2026) [Financial Transaction Manager Ach Services Check Services Multi Platform]
IBM Financial Transaction Manager Check Services 3.0.0.0-3.0.5.4 XSS in Web UI: IBM Financial Transaction Manager for ACH Services and Check Services for Multi-Platform 3.0.0.0 through 3.0.5.4 Interim Fix 027 (IBM Financial Transaction Manager for Check Services v3, Multiplatforms) is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.

CVE-2025-33088 (Feb 17, 2026) [Concert]
IBM Concert 1.0.0-2.1.0 Local Privilege Escalation via Incorrect File Permissions: IBM Concert 1.0.0 through 2.1.0 could allow a local user with specific knowledge about the system's architecture to escalate their privileges due to incorrect file permissions for critical resources.

CVE-2025-36183 (Feb 17, 2026) [Watsonxdata; Watsonx Data]
Upload of Malicious Files Enables Server-Side Execution in IBM watsonx.data 2.2-2.2.1: IBM watsonx.data 2.2 through 2.2.1 (IBM Lakehouse) could allow a privileged user to upload malicious files that could be executed on the server to modify limited files or data.

CVE-2025-36348 (Feb 17, 2026) [Sterling B2b Integrator; Sterling File Gateway]
Information Disclosure via Detailed Errors in IBM Sterling B2B Integrator/File Gateway 6.x: IBM Sterling B2B Integrator versions 6.1.0.0 through 6.1.2.7_2, 6.2.0.0 through 6.2.0.5, and 6.2.1.0 through 6.2.1.1, and IBM Sterling File Gateway versions 6.1.0.0 through 6.1.2.7_2, 6.2.0.0 through 6.2.0.5, and 6.2.1.0 through 6.2.1.1 may expose sensitive information to a remote privileged attacker due to the application returning detailed technical error messages in the browser.

CVE-2025-36376 (Feb 17, 2026) [Security Qradar Edr]
IBM QRadar EDR 3.12-3.12.23 Session Expiry Bypass Enables Impersonation: IBM Security QRadar EDR 3.12 through 3.12.23 does not invalidate the session after session expiration, which could allow an authenticated user to impersonate another user on the system.

CVE-2025-36377 (Feb 17, 2026) [Security Qradar Edr]
IBM QRadar EDR 3.12-3.12.23 Session Invalidation Flaw Enables Impersonation: IBM Security QRadar EDR 3.12 through 3.12.23 does not invalidate the session after session expiration, which could allow an authenticated user to impersonate another user on the system.

CVE-2025-36379 (Feb 17, 2026) [Security Qradar Edr]
IBM QRadar EDR 3.12-3.12.23 Weak Cryptography May Enable Decryption: IBM Security QRadar EDR 3.12 through 3.12.23 (IBM Security ReaQta) uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

CVE-2025-13691 (Feb 17, 2026) [Datastage On Cloud Pak Data]
IBM DataStage on Cloud Pak for Data 5.1.2-5.3.0 Sensitive Data in HTTP Response: IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 returns sensitive information in an HTTP response that could be used to impersonate other users in the system.

CVE-2025-27898 (Feb 17, 2026) [Db2 Recovery Expert For Luw]
IBM DB2 Recovery Expert for LUW 5.5 Session Timeout Vulnerability: IBM DB2 Recovery Expert for LUW 5.5 Interim Fix 002 does not invalidate the session after a timeout, which could allow an authenticated user to impersonate another user on the system.

CVE-2025-27899 (Feb 17, 2026) [Db2 Recovery Expert For Luw]
Environment Variable Information Leakage in IBM DB2 Recovery Expert for LUW 5.5 (Interim Fix 002): IBM DB2 Recovery Expert for LUW 5.5 Interim Fix 002 discloses sensitive information in an environment variable that could aid in further attacks against the system.
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).