IBM


Products by IBM Sorted by Most Security Vulnerabilities since 2018

Product: Vulnerabilities
IBM I: 290 vulnerabilities
IBM Sterling B2b Integrator: 133 vulnerabilities
IBM Rational Quality Manager: 132 vulnerabilities
IBM Db2: 127 vulnerabilities
IBM Aix: 124 vulnerabilities
IBM Cognos Analytics: 95 vulnerabilities
IBM Security Guardium: 84 vulnerabilities
IBM Maximo Asset Management: 78 vulnerabilities
IBM Api Connect: 75 vulnerabilities
IBM Vios: 73 vulnerabilities
IBM Security Verify Access: 71 vulnerabilities
IBM Mq: 67 vulnerabilities
IBM Rational Team Concert: 65 vulnerabilities
IBM Sterling File Gateway: 52 vulnerabilities
IBM Concert: 52 vulnerabilities
IBM Security Access Manager: 49 vulnerabilities
IBM Cloud Pak For Security: 48 vulnerabilities
IBM Cognos Controller: 48 vulnerabilities
IBM Aspera Faspex: 44 vulnerabilities
IBM Spectrum Scale: 42 vulnerabilities
IBM Urbancode Deploy: 42 vulnerabilities
IBM Mq Appliance: 41 vulnerabilities
IBM Planning Analytics: 41 vulnerabilities
IBM Robotic Process Automation: 40 vulnerabilities
IBM Business Process Manager: 33 vulnerabilities
IBM Maximo Application Suite: 31 vulnerabilities
IBM Cics Tx: 31 vulnerabilities
IBM Planning Analytics Local: 31 vulnerabilities
IBM Jazz Reporting Service: 29 vulnerabilities
IBM Qradar Siem: 29 vulnerabilities
IBM Spectrum Protect Plus: 27 vulnerabilities
IBM Cloud Pak System: 27 vulnerabilities
IBM Content Navigator: 26 vulnerabilities
IBM Qradar Suite: 23 vulnerabilities
IBM Concert Software: 23 vulnerabilities
IBM Security Identity Manager: 22 vulnerabilities
IBM Openpages With Watson: 22 vulnerabilities
IBM Spectrum Protect: 21 vulnerabilities
IBM Bigfix Platform: 20 vulnerabilities
IBM Controller: 20 vulnerabilities
IBM Sterling Secure Proxy: 19 vulnerabilities
IBM Websphere Mq: 19 vulnerabilities
IBM Aspera Console: 18 vulnerabilities
IBM Security Secret Server: 18 vulnerabilities
IBM Security Verify Governance: 18 vulnerabilities
IBM Informix Dynamic Server: 18 vulnerabilities
IBM Websphere Portal: 18 vulnerabilities
IBM App Connect Enterprise: 17 vulnerabilities
IBM Security Qradar Edr: 16 vulnerabilities
IBM Security Directory Server: 16 vulnerabilities
IBM Datacap: 16 vulnerabilities
IBM Powervm Hypervisor: 16 vulnerabilities
IBM Applinx: 15 vulnerabilities
IBM Datacap Navigator: 15 vulnerabilities
IBM Doors Next: 14 vulnerabilities
IBM Control Desk: 14 vulnerabilities
IBM Entirex: 13 vulnerabilities

Known Exploited IBM Vulnerabilities

The following IBM vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title (CVE) / Description / Exploit Probability / Added

IBM Aspera Faspex Code Execution Vulnerability (CVE-2022-47986)
IBM Aspera Faspex could allow a remote attacker to execute code on the system, caused by a YAML deserialization flaw.
Exploit Probability: 94.3%. Added: February 21, 2023

IBM InfoSphere BigInsights Invalid Input Vulnerability (CVE-2013-3993)
Certain APIs within BigInsights can take invalid input that might allow attackers unauthorized access to read, write, modify, or delete data.
Exploit Probability: 21.0%. Added: May 25, 2022

IBM WebSphere Application Server and Server Hypervisor Edition Code Injection (CVE-2015-7450)
Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands.
Exploit Probability: 93.5%. Added: January 10, 2022

IBM Data Risk Manager Arbitrary File Download (CVE-2020-4430)
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to download arbitrary files from the system. IBM X-Force ID: 180535.
Exploit Probability: 83.8%. Added: November 3, 2021

IBM Data Risk Manager Authentication Bypass (CVE-2020-4427)
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to bypass the authentication process and gain full administrative access to the system. IBM X-Force ID: 180532.
Exploit Probability: 92.7%. Added: November 3, 2021

IBM Data Risk Manager Command Injection (CVE-2020-4428)
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to execute arbitrary commands on the system. IBM X-Force ID: 180533.
Exploit Probability: 92.3%. Added: November 3, 2021

IBM Planning Analytics configuration overwrite vulnerability (CVE-2019-4716)
IBM Planning Analytics 2.0.0 through 2.0.8 is vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting. IBM X-Force ID: 172094.
Exploit Probability: 93.4%. Added: November 3, 2021

Of the known exploited vulnerabilities above, 6 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. The vulnerability CVE-2013-3993: IBM InfoSphere BigInsights Invalid Input Vulnerability is in the top 5% of the currently known exploitable vulnerabilities.

By the Year

In 2026 there have been 163 vulnerabilities in IBM with an average score of 5.8 out of ten. Last year, in 2025, IBM had 563 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that the number of security vulnerabilities in IBM in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.46.

Year Vulnerabilities Average Score
2026 163 5.80
2025 563 6.26
2024 503 6.44
2023 357 6.80
2022 327 6.36
2021 443 6.10
2020 353 6.19
2019 454 6.14
2018 451 6.24

It may take a day or so for new IBM vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent IBM Security Vulnerabilities

CVE, Date / Title / Description / Products

CVE-2025-36187, Mar 25, 2026
IBM Knowledge Catalog Logs Sensitive Data to Local Privileged User (5.0.0-5.2.1)
IBM Knowledge Catalog Standard Cartridge 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.1, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 5.2.1 stores potentially sensitive information in log files that could be read by a local privileged user.
Knowledge Catalog Standard Cartridge

CVE-2025-14684, Mar 25, 2026
IBM Maximo Monitor Log Injection 8.10-9.1 (CVE-2025-14684)
IBM Maximo Application Suite - Monitor Component 9.1, 9.0, 8.11, and 8.10 could allow an unauthorized user to inject data into log messages due to improper neutralization of special elements when written to log files.
Maximo Application Suite Monitor Component

CVE-2025-14807, Mar 25, 2026
IBM InfoSphere Information Server 11.7.x Host Header Injection
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
Infosphere Information Server

CVE-2026-1015, Mar 25, 2026
IBM InfoSphere InfoServer 11.7.x SSRF via Outbound Requests
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
Infosphere Information Server

CVE-2026-1014, Mar 25, 2026
IBM InfoSphere IS 11.7 JSON Response Info Leakage
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to exposure of sensitive information via JSON server response manipulation.
Infosphere Information Server

CVE-2026-2483, Mar 25, 2026
IBM InfoSphere InfoServer XSS via Web UI Before 11.7.1.6 (CVE-2026-2483)
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Infosphere Information Server

CVE-2025-64648, Mar 25, 2026
IBM Concert 1.0.0-2.2.0 Transmits Data in Clear Text (MITM Risk)
IBM Concert 1.0.0 through 2.2.0 transmits data in clear text that could allow an attacker to obtain sensitive information using man in the middle techniques.
Concert

CVE-2025-64647, Mar 25, 2026
IBM Concert 1.0.0-2.2.0 Crypto Weakness: Decrypt Sensitive Data
IBM Concert 1.0.0 through 2.2.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
Concert

CVE-2026-2484, Mar 25, 2026
IBM InfoSphere InfoServer 11.7.x Info Exposure via Verbose Errors
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is affected by an information exposure vulnerability caused by overly verbose error messages.
Infosphere Information Server

CVE-2025-64646, Mar 25, 2026
IBM Concert 1.0-2.2 Buffer Clear Bypass (CVE-2025-64646)
IBM Concert 1.0.0 through 2.2.0 could allow an attacker to access sensitive information in memory due to the buffer not properly clearing resources.
Concert

CVE-2025-36440, Mar 25, 2026
IBM Concert 1.0-2.2: Local Data Leak via Missing FLAC
IBM Concert 1.0.0 through 2.2.0 could allow a local user to obtain sensitive information due to missing function level access control.
Concert

CVE-2025-36438, Mar 25, 2026
IBM Concert 2.2.0 Privileged User Channel Misrestriction Vulnerability
IBM Concert 1.0.0 through 2.2.0 could allow a privileged user to perform unauthorized actions due to improper restriction of channel communication to intended endpoints.
Concert

CVE-2025-36422, Mar 25, 2026
CSRF in IBM InfoSphere DataStage Flow Designer v11.7.0.0-11.7.1.6
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 IBM InfoSphere DataStage Flow Designer is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
Infosphere Information Server

CVE-2025-36258, Mar 25, 2026
IBM InfoSphere IS 11.7.x Plain-Text Credential Storage Local Privilege Escalation
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 stores user credentials and other sensitive information in plain text which can be read by a local user.
Infosphere Information Server

CVE-2026-2485, Mar 25, 2026
Infosphere IS 11.7.x Web UI XSS (stored) - Arbitrary JS exec
IBM Infosphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Infosphere Information Server

CVE-2025-14974, Mar 25, 2026
IDOR in IBM InfoSphere Information Server < 11.7.1.7
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable due to Insecure Direct Object Reference (IDOR).
Infosphere Information Server

CVE-2026-1262, Mar 25, 2026
IBM InfoSphere Info Server 11.7 Info Disclosure (CVE-2026-1262)
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is affected by an information disclosure vulnerability.
Infosphere Information Server

CVE-2025-14917, Mar 25, 2026
IBM WebSphere App Server Liberty 17.0.0.3-26.0.0.3 Admin Security Weakness
IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 could provide weaker than expected security when administering security settings.
Websphere Application Server Liberty

CVE-2025-14912, Mar 25, 2026
SSRF in IBM InfoSphere Info Server 11.7.0.0-11.7.1.6
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
Infosphere Information Server

CVE-2025-14915, Mar 25, 2026
Privilege Escalation in IBM WebSphere AppSrv Liberty 17.0.0.3-26.0.0.3
IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 is affected by privilege escalation. A privileged user could gain additional access to the application server.
Websphere Application Server Liberty

CVE-2025-14810, Mar 25, 2026
IBM InfoSphere Info Server 11.7.0.0-11.7.1.6: Session Expiration Lapse
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 does not invalidate a session after privileges have been modified which could allow an authenticated user to retain access to sensitive information. CWE-613: Insufficient Session Expiration. CVSS 3.1 base score 6.3 (source: IBM), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L.
Infosphere Information Server

CVE-2026-1561, Mar 25, 2026
SSRF in IBM WebSphere Application Server Liberty 17.0.0.3-26.0.0.3
IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 is vulnerable to server-side request forgery (SSRF). This may allow a remote attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
WebSphere Application Server

CVE-2025-14808, Mar 25, 2026
IBM InfoSphere IS v11.7.0.0-11.7.1.6 Info Leak via HTTP GET Query
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 could allow an attacker to obtain sensitive information from the query string of an HTTP GET method to process a request which could be obtained using man in the middle techniques.
Infosphere Information Server

CVE-2025-14790, Mar 25, 2026
IBM InfoSphere Info Server 11.7.*: Unprotected credentials expose sensitive data
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 could allow an attacker to obtain sensitive information due to insufficiently protected credentials.
Infosphere Information Server

CVE-2025-12708, Mar 25, 2026
IBM Concert 1.0.0-2.2.0 Hard-coded Creds Local User Access
IBM Concert 1.0.0 through 2.2.0 contains hard-coded credentials that could be obtained by a local user.
Concert

CVE-2025-36051, Mar 19, 2026
IBM QRadar SIEM 7.5.0-14 Local User Info Disclosure in config files
IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14 stores potentially sensitive information in configuration files that could be read by a local user.
Qradar Security Information Event Manager

CVE-2025-13995, Mar 19, 2026
IBM QRadar SIEM 7.5.0 UpdatePkg14 Cross-Tenant Hostname Data Leak
IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14 could allow an attacker with access to one tenant to access hostname data from another tenant's account.
Qradar Security Information Event Manager

CVE-2025-15051, Mar 19, 2026
IBM QRadar SIEM 7.5.0 XSS in Web UI
IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality.
Qradar Security Information Event Manager

CVE-2026-1276, Mar 19, 2026
IBM QRadar SIEM XSS in Web UI 7.5.0 Update 14
IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Qradar Security Information Event Manager

CVE-2026-1264, Mar 17, 2026
IBM Sterling B2B/FG 6.x Remote Deletion of Communities
IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.7_2, 6.2.0.0 through 6.2.0.5_1, 6.2.1.0 through 6.2.1.1_1, and 6.2.2.0 allow a remote unauthenticated attacker to view and delete the partners of a community and to delete the communities.
Sterling B2b Integrator

CVE-2025-14031, Mar 17, 2026
Crash in IBM Sterling B2B Integrator/File Gateway 6.1.0.0-6.2.2.0 via Unauth Req
IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.7_2, 6.2.0.0 through 6.2.0.5_1, 6.2.1.0 through 6.2.1.1_1, and 6.2.2.0 could allow an unauthenticated attacker to send a specially crafted request that causes the application to crash.
Sterling B2b Integrator

CVE-2026-3856, Mar 17, 2026
IBM Db2 Recovery Expert 5.5 IF 2 insecure data integrity verification
IBM Db2 Recovery Expert for Linux, UNIX and Windows 5.5 IF 2 could allow an attacker to modify or corrupt data due to an insecure mechanism used for verifying the integrity of the data during transmission.
Db2 Recovery Expert

CVE-2026-1376, Mar 17, 2026
IBM i 7.6 DoS via Auth Failure & Resource Leak
IBM i 7.6 could allow a remote attacker to cause a denial of service using failed authentication connections due to improper allocation of resources.
I

CVE-2026-1267, Mar 17, 2026
IBM Planning Analytics Local 2.1.0-17 Unauthorized Access (No ACL)
IBM Planning Analytics Local 2.1.0 through 2.1.17 could allow unauthorized access to sensitive application data and administrative functionalities due to lack of proper access controls.
Planning Analytics Local

CVE-2025-14806, Mar 17, 2026
IBM Planning Analytics Local 2.1.0-2.1.17 Improper Cache Disclosure
IBM Planning Analytics Local 2.1.0 through 2.1.17 could allow an attacker to trick the caching mechanism into storing and serving sensitive, user-specific responses as publicly cacheable resources.
Planning Analytics Local

CVE-2026-0977, Mar 13, 2026
IBM CICS TG Multi 9.3/10.1 Access Control Flaw Enables File Transfer/View
IBM CICS Transaction Gateway for Multiplatforms 9.3 and 10.1 could allow a user to transfer or view files due to improper access controls.
Cics Transaction Gateway

CVE-2025-13212, Mar 13, 2026
IBM Aspera Console 3.3.0-3.4.8 Authenticated Email Service DoS
IBM Aspera Console 3.3.0 through 3.4.8 could allow an authenticated user to cause a denial of service in the email service due to improper control of interaction frequency.
Aspera Console

CVE-2025-13459, Mar 13, 2026
IBM Aspera Console 3.3.0-3.4.8 Privileged DoS via Workflow Enforcement
IBM Aspera Console 3.3.0 through 3.4.8 could allow a privileged user to cause a denial of service due to improper enforcement of behavioral workflow.
Aspera Console

CVE-2025-13460, Mar 13, 2026
IBM Aspera Console 3.3.0-3.4.8 Username Enum via Response Discrepancy
IBM Aspera Console 3.3.0 through 3.4.8 could allow an attacker to enumerate usernames due to an observable response discrepancy.
Aspera Console

CVE-2025-36368, Mar 13, 2026
IBM Sterling B2B File GW 6.x-6.2.1.1_1 SQLi
IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.7_2, 6.2.0.0 through 6.2.0.5_1, and 6.2.1.0 through 6.2.1.1_1 are vulnerable to SQL injection. An administrative user could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database.
Sterling B2b Integrator

CVE-2023-40693, Mar 13, 2026
IBM Sterling B2B Intgr/SG 6.x: Web UI XSS
IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.7_2, 6.2.0.0 through 6.2.0.5_1, and 6.2.1.0 through 6.2.1.1_1 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Sterling B2b Integrator

CVE-2025-14483, Mar 13, 2026
IBM Sterling B2B/File Gateway 6.x Info Disclosure to Authenticated Users
IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.7_2, 6.2.0.0 through 6.2.0.5_1, 6.2.1.0 through 6.2.1.1_1, and 6.2.2.0 could disclose sensitive host information to authenticated users in responses that could be used in further attacks against the system.
Sterling B2b Integrator

CVE-2025-14504, Mar 13, 2026
IBM Sterling B2B Integrator/XG XSS in Web UI (6.1.0-6.2.2.0)
IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.7_2, 6.2.0.0 through 6.2.0.5_1, 6.2.1.0 through 6.2.1.1_1, and 6.2.2.0 are vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Sterling B2b Integrator

CVE-2026-0835, Mar 13, 2026
XSS in IBM Sterling B2B Integrator 6.1-6.2.2: UI code injection
IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.7_2, 6.2.0.0 through 6.2.0.5_1, 6.2.1.0 through 6.2.1.1_1, and 6.2.2.0 are vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Sterling B2b Integrator

CVE-2025-13702, Mar 13, 2026
IBM SPM XSS Vulnerability in 6.2.3.0-6.2.4.2 Authenticated JS Injection
IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Sterling Partner Engagement Manager

CVE-2025-13718, Mar 13, 2026
IBM Sterling PEngMgr 6.2.3.x-6.2.4.2 Cleartext Leak via Unencrypted Comm
IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow a remote attacker to obtain sensitive information in cleartext in a communication channel that can be sniffed by unauthorized actors.
Sterling Partner Engagement Manager

CVE-2025-13723, Mar 13, 2026
IBM Sterling Partner Eng Manager: Data Leak via Expired Token (6.2.4.2)
IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow an attacker to obtain sensitive user information using an expired access token.
Sterling Partner Engagement Manager

CVE-2025-13726, Mar 13, 2026
IBM Sterling Partner Engagement Mgmt 6.2.3.0-6.2.4.2 RCE via Error Disclosure
IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow a remote attacker to obtain sensitive information when detailed technical error messages are returned. This information could be used in further attacks against the system.
Sterling Partner Engagement Manager

CVE-2025-14811, Mar 13, 2026
IBM Sterling PME 6.2.3/6.2.4 Sensitive Data Leakage via HTTP GET Query
IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow an attacker to obtain sensitive information from the query string of an HTTP GET method to process a request which could be obtained using man in the middle techniques.
Sterling Partner Engagement Manager

CVE-2025-13213, Mar 10, 2026
IBM Aspera Orchestrator 3.0.0-4.1.2 HTTP Header Injection
IBM Aspera Orchestrator 3.0.0 through 4.1.2 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
Aspera Orchestrator
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).