IBM
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any IBM product.
RSS Feeds for IBM security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in IBM products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by IBM Sorted by Most Security Vulnerabilities since 2018
Known Exploited IBM Vulnerabilities
The following IBM vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| IBM Aspera Faspex Code Execution Vulnerability |
IBM Aspera Faspex could allow a remote attacker to execute code on the system, caused by a YAML deserialization flaw. CVE-2022-47986 Exploit Probability: 100.0% |
February 21, 2023 |
| IBM InfoSphere BigInsights Invalid Input Vulnerability |
Certain APIs within BigInsights can take invalid input that might allow attackers unauthorized access to read, write, modify, or delete data. CVE-2013-3993 Exploit Probability: 5.2% |
May 25, 2022 |
| IBM WebSphere Application Server and Server Hypervisor Edition Code Injection. |
Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands CVE-2015-7450 Exploit Probability: 97.7% |
January 10, 2022 |
| IBM Data Risk Manager Arbritary File Download |
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to download arbitrary files from the system. IBM X-Force ID: 180535. CVE-2020-4430 Exploit Probability: 68.5% |
November 3, 2021 |
| IBM Data Risk Manager Authentication Bypass |
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to bypass the authentication process and gain full administrative access to the system. IBM X-Force ID: 180532. CVE-2020-4427 Exploit Probability: 70.0% |
November 3, 2021 |
| IBM Data Risk Manager Command Injection |
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to execute arbitrary commands on the system. IBM X-Force ID: 180533. CVE-2020-4428 Exploit Probability: 61.7% |
November 3, 2021 |
| IBM Planning Analytics configuration overwrite vulnerability |
IBM Planning Analytics 2.0.0 through 2.0.8 is vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting. IBM X-Force ID: 172094. CVE-2019-4716 Exploit Probability: 86.4% |
November 3, 2021 |
Of the known exploited vulnerabilities above, 6 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.
By the Year
In 2026 there have been 335 vulnerabilities in IBM with an average score of 6.3 out of ten. Last year, in 2025 IBM had 563 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in IBM in 2026 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.03.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 335 | 6.29 |
| 2025 | 563 | 6.26 |
| 2024 | 503 | 6.44 |
| 2023 | 357 | 6.80 |
| 2022 | 327 | 6.36 |
| 2021 | 443 | 6.10 |
| 2020 | 353 | 6.19 |
| 2019 | 454 | 6.14 |
| 2018 | 451 | 6.24 |
It may take a day or so for new IBM vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent IBM Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-11541 | Jun 30, 2026 |
HTTP Req Smuggling in IBM WebSphere WSAS 8.5/9.0 & Liberty 17.0.0.3-26.0.0.6IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are affected by an HTTP request smuggling vulnerability. |
|
| CVE-2026-11594 | Jun 30, 2026 |
IBM WAS 9.0/8.5 XSS in Admin ConsoleIBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the administrative console. |
|
| CVE-2025-12530 | Jun 30, 2026 |
IBM watsonx.data 5.3.1 & Pre 5.3.1 Cleartext MITM VulnerabilityIBM watsonx.data intelligence 5.2.2, 5.3.0, 5.3.1, 5.3.1 through patch-1 transmits data in clear text that could allow an attacker to obtain sensitive information using man in the middle techniques. |
|
| CVE-2025-36319 | Jun 30, 2026 |
IBM Watsonx.data 5.2.0-5.3.0 Throttle DoS via APIIBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 could allow an authenticated user to cause a temporary denial using a specially crafted HTTP request due to improper allocation of resource throttling. |
|
| CVE-2025-36320 | Jun 30, 2026 |
IBM watsonx.data Stored XSS in 5.2.0-5.3.0IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. |
|
| CVE-2025-36321 | Jun 30, 2026 |
IBM watsonx.data HTML Injection in 5.2.0-5.3.0IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. |
|
| CVE-2025-36323 | Jun 30, 2026 |
IBM watsonx.data intelligence <5.3.0: CrossSite Scripting in Web UIIBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. |
|
| CVE-2025-36324 | Jun 30, 2026 |
IBM Watsonx.data SSRF v5.2.0-5.3.0 Authenticated AttackIBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 s vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. |
|
| CVE-2025-36327 | Jun 30, 2026 |
IBM watsonx.data 5.2-5.3 Auth Bypass via Client-side EnforcementIBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 could allow an authenticated user to bypass security controls and perform unauthorized actions due to client-side enforcement of sever-side security. |
|
| CVE-2025-36328 | Jun 30, 2026 |
IBM watsonx.data 5.2.05.3.0 Err Msg LeakIBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. |
|
| CVE-2025-36333 | Jun 30, 2026 |
IBM WatsonX.data 5.2-5.3: Auth.Unauth Actions w/ Improper WorkflowIBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 could allow an authenticated user to perform unauthorized actions due to the improper enforcement of behavioral workflow. |
|
| CVE-2025-36336 | Jun 30, 2026 |
IBM watsonx.data MIse: Cleartext Transmission Enables MITM (pre-5.3.0)IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 transmits data in clear text that could allow an attacker to obtain sensitive information using man in the middle techniques. |
|
| CVE-2025-36359 | Jun 30, 2026 |
IBM DevOps Automation 1.0.1 & Loop 1.0.2 Session ID Expiration BypassIBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 does not invalidate session IDs after expiration which could allow an authenticated user to impersonate another user on the system. |
|
| CVE-2025-36372 | Jun 30, 2026 |
IBM Db2 11.5.x/12.1.x Sensitive Info Leakage via Monitoring TablesIBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could disclose sensitive information to an authenticated user from the monitoring and event tables. |
|
| CVE-2026-10109 | Jun 30, 2026 |
IBM Db2 RCE via DRDA handshake before 11.5.9/12.1.4IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to remote code execution due to improper pre-auth DRDA handshake handling. |
|
| CVE-2026-10129 | Jun 30, 2026 |
IBM Langflow SSRF Bypass via follow_redirects (v1.0.0-1.9.3)IBM Langflow OSS 1.0.0 through 1.9.3 contains a Server-Side Request Forgery (SSRF) protection bypass vulnerability in the API Request component. An authenticated attacker with low-level privileges (flow author role) can bypass SSRF protections by enabling the follow_redirects parameter and supplying a public URL that redirects to internal/localhost addresses. The vulnerability exists because the application validates only the initial URL but does not re-validate redirect destinations. This allows attackers to access internal HTTP services, localhost endpoints, cloud metadata services, and private network resources that should be unreachable when SSRF protection is enabled. Successful exploitation can lead to disclosure of sensitive information including credentials, tokens, internal API responses, and administrative panel data. |
|
| CVE-2026-10134 | Jun 30, 2026 |
IBM Langflow OSS 1.0.0-1.9.3 RCE: code exec via public flow tool_codeIBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process, read and modify every flow, conversation, message, file upload, and saved component in the Langflow database, can connect to internal services, abuse cloud metadata endpoints, laterally move to other tenants on the same Langflow instance, and Establish persistence by modifying the public flow's `tool_code` so normal `/api/v1/build/...` calls by any user re-execute attacker code at each build. |
|
| CVE-2026-10140 | Jun 30, 2026 |
IBM Langflow OSS 1.0.01.10.0 Voice Mode SharedState Leak: CrossTenant CredentialIBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of API clients across tenant boundaries. An authenticated attacker can manipulate cache state to cause requests from other users to be processed using incorrect upstream API credentials, leading to cross-tenant billing and accountability misattribution. |
|
| CVE-2026-10546 | Jun 30, 2026 |
IBM Langflow OSS 1.01.9.3 SSRF via URL TOCTOUIBM Langflow OSS 1.0.0 through 1.9.3 contains a Server-Side Request Forgery (SSRF) vulnerability in the URL component ( src/lfx/src/lfx/components/data_source/url.py ) due to a Time-of-Check/Time-of-Use (TOCTOU) race condition that can be exploited via DNS rebinding. |
|
| CVE-2026-10560 | Jun 30, 2026 |
Authmissing in IBM Langflow OSS leads to info disclosure & DoS (v1.0.01.9.6)IBM Langflow OSS 1.0.0 through 1.9.6 contains a missing authentication vulnerability in /api/v1/build_public_tmp/ endpoints that allows an unauthenticated attacker to read build event data or cancel jobs using a valid job identifier, resulting in information disclosure and denial of service. |
|
| CVE-2026-10564 | Jun 30, 2026 |
IBM Langflow SSRF via RSSReader/SearXNG before 1.9.6IBM Langflow OSS 1.0.0 through 1.9.6 contains a Server-Side Request Forgery (SSRF). The legacy RSSReaderComponent in rss.py and SearXNG component in searxng.py make unvalidated HTTP requests to user-controlled URLs, bypassing SSRF protections introduced in version 1.9.3. An authenticated attacker can exploit this to access internal resources including cloud metadata services (AWS/Azure/GCP IMDS), potentially exfiltrating IAM credentials and enumerating internal networks. The vulnerability can also be triggered through prompt injection in agentic workflows due to tool_mode=True exposure. |
|
| CVE-2026-11546 | Jun 30, 2026 |
CVE-2026-11546: SSRF in IBM WAS Liberty 17.0.0.326.0.0.7 (adminCenter1.0)IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.7 is affected by a server-side request forgery vulnerability with the adminCenter-1.0 feature enabled. |
|
| CVE-2026-11595 | Jun 30, 2026 |
IBM WebSphere App Server 8.5-9.0 Sensitive Info Disclosure via Admin Console HelpIBM WebSphere Application Server 9.0, and 8.5 could allow a remote attacker to obtain sensitive information from the administrative console's integrated help system. |
|
| CVE-2026-11708 | Jun 30, 2026 |
XSS on IBM WAS 9.0/8.5 Admin Console Help SystemIBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the administrative console's integrated help system. |
|
| CVE-2026-11712 | Jun 30, 2026 |
IBM WebSphere App Server 8.5-9.0: XSS in Admin Help SystemIBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the administrative console help system. |
|
| CVE-2026-11714 | Jun 30, 2026 |
SSRF in IBM WebSphere App Server Liberty 17.0.0.3-26.0.0.7 via apiDiscovery-1.0IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.7 is affected by a server-side request forgery vulnerability with the apiDiscovery-1.0 feature enabled. |
|
| CVE-2026-11806 | Jun 30, 2026 |
IBM WAS Liberty Arbitrary File Read via restConnector-2.0 (17.0.0.3-26.0.0.6)IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 is affected by an arbitrary file read vulnerability with the restConnector-2.0 feature enabled. |
|
| CVE-2026-11906 | Jun 30, 2026 |
IBM Db2 11.5-12.1 XMLTable DoS via Improper NeutralizationIBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of XMLTable-derived columns. |
|
| CVE-2026-12084 | Jun 30, 2026 |
CORS Misconfig in IBM DevOps Deploy 8.1-8.2.1.0 Enables Privileged AccessIBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains. |
|
| CVE-2026-12085 | Jun 30, 2026 |
IBM UCD/DevOps Deploy 7.3-8.2 API Response Sensitive DisclosureIBM UCD - IBM UrbanCode Deploy 7.3 through 7.3.2.18 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.13, 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 IBM DevOps Deploy could disclose sensitive configurations and secrets to authenticated users in API responses that could be used in further attacks against the system. |
|
| CVE-2026-12086 | Jun 30, 2026 |
IBM UrbanCode Deploy UCD 7.2-8.2 - Sensitive Log File LeakageIBM UCD - IBM UrbanCode Deploy 7.2 through 7.2.3.23, and 7.3 through 7.3.2.18 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.13, 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 stores potentially sensitive information in log files that could be read by a local user. |
|
| CVE-2026-13449 | Jun 30, 2026 |
IBM Business Automation Manager Open Editions XXE <9.4.3IBM Business Automation Manager Open Editions 9.0.0 through 9.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. |
|
| CVE-2026-13759 | Jun 30, 2026 |
IBM WebSphere Extreme Scale 8.6.1.08.6.1.6 RCE via ObjectInputStream (Coherence)IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 ships three ObjectInputStream subclasses (WsObjectInputStream, ObjectStreamPool$ReusableInputStream, ObjectInputStreamResolver) that install no JEP-290 class filter; when Coherence is on the classpath, multiple RCE gadget chains including RemoteConstructor.readResolve and PriorityQueue/ExtractorComparator are confirmed working, allowing a post-login attacker who can write a session attribute or a LAN-adjacent attacker on the grid replication wire to execute arbitrary code on peer WAS JVMs |
|
| CVE-2026-13772 | Jun 30, 2026 |
IBM WAS 8.6.1.x OQL Class.forName Constructor ExecIBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 's Object Query Language engine resolves attacker-supplied class names via Class.forName() and invokes their constructors with no allow-list at three distinct sinks (SELECT NEW, enum literals, and reflection-based comparators); an authenticated remote attacker who can influence an application-built OQL query string can execute arbitrary constructors on the WAS JVM, and a SELECT DISTINCT variant using planted grid values fires the same gadget post-readObject in a manner that survives JEP-290 serialization filters across grid node boundaries |
|
| CVE-2026-13773 | Jun 30, 2026 |
IBM WebS. Extreme Scale 8.6.1.0-8.6.1.6: ogclient.jar CORBA SSRF RCEIBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 Approximately 50 generated CORBA stub classes in WebSphere eXtreme Scale's ogclient.jar call ORB.string_to_object() on an attacker-controlled IOR string during Java deserialization, turning any unfiltered ObjectInputStream sink in WAS into outbound IIOP SSRF to an attacker-chosen host; when chained with the IBM ORB's getUserException class-instantiation flaw (WAS-26), this SSRF escalates to remote code execution on the calling JVM. |
|
| CVE-2026-3602 | Jun 30, 2026 |
IBM App Connect Enterprise / Integration Bus SQLi in v12-13 (13.0.7.2)IBM App Connect Enterprise 13.0.1.0 through 13.0.7.2, and 12.0.1.0 through 12.0.12.26 and IBM Integration Bus for z/OS 10.1.0.0 through 10.1.0.7 is vulnerable to SQL injection. A remote attacker could socially engineer a user into accidentally creating files they may not be aware of. |
|
| CVE-2026-7663 | Jun 30, 2026 |
IBM Langflow OSS <=1.9.6: Unauth Access via MCP Streamable Endpoint Auth FlawIBM Langflow OSS 1.0.0 through 1.9.6 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint. |
|
| CVE-2026-7803 | Jun 30, 2026 |
IBM Langflow OSS 1.0.0-1.10.0 RCE via Unchecked Flow Node TypesIBM Langflow OSS 1.0.0 through 1.10.0 could allow arbitrary code execution due to improper validation of flow nodes with missing or empty component type fields. |
|
| CVE-2026-7871 | Jun 30, 2026 |
Arbitrary Code Exec via Redis in IBM Langflow OSS 1.0.0-1.10.0IBM Langflow OSS 1.0.0 through 1.10.0 allows users with Redis access to execute arbitrary code with full application privileges, compromising all secrets, data, and system integrity. |
|
| CVE-2026-7873 | Jun 30, 2026 |
IBM Langflow OSS 1.0.0-1.10.0: OS Command Injection via Authenticated AccessIBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated attackers to execute arbitrary OS commands and read sensitive files including credentials, enabling complete system compromise and lateral movement. |
|
| CVE-2026-7874 | Jun 30, 2026 |
IBM Langflow 1.0.0-1.10.0: Weak KDF exposes stored credentialsIBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow disclosure of all stored credentials due to the use of a weak and reversible key derivation mechanism for encryption at rest. |
|
| CVE-2026-9002 | Jun 30, 2026 |
Denial of Service via XDF Decoder in IBM WebSphere Extreme Scale 8.6.1.08.6.1.6IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 could allow an adjacent attacker to cause a denial of service due to improper validation in the XDF decoder. The application processes deeply nested Protocol Buffers messages and attacker-controlled length prefixes without sufficient bounds checking, which may allow an attacker on the same network to trigger a StackOverflowError or OutOfMemoryError, resulting in a crash of the WebSphere Application Server JVM. |
|
| CVE-2026-9836 | Jun 30, 2026 |
IBM InfoSphere Info Server 11.7.x Info Disclosure (11.7.0.0-1.6)IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is affected by an information disclosure vulnerability. |
|
| CVE-2026-10852 | Jun 22, 2026 |
Denial of Service via WebSphere WebServer Plug-in in IBM WAS 7.3-7.6IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to denial of service in the WebSphere WebServer Plug-in component when an attacker can pass crafted requests to the web server. |
|
| CVE-2026-7253 | Jun 22, 2026 |
IBM Sterling File Gateway SSRF in Watson Speech CartridgeIBM Watson Speech Services Cartridge is vulnerable to Server-Side Request Forgery (SSRF) in Sterling File Gateway, due to a flaw which may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks [GHSA-rr7j-v2q5-chgv] [CVE-2026-7253]. IBM Sterling File Gateway is used in our speech runtimes. This vulnerabilitiy has been addressed. Please read the details for remediation below. |
|
| CVE-2026-9320 | Jun 22, 2026 |
IBM WebSphere App Server DoS: crafted request (pre 9.0/8.5, Liberty 1726)IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources. |
|
| CVE-2026-9071 | Jun 22, 2026 |
WAS DoS via crafted request (8.59.0 & Liberty 17.026.0)IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources. |
|
| CVE-2026-9006 | Jun 22, 2026 |
IBM WAS 9.0/8.5 SSRF via Ajax ProxyIBM WebSphere Application Server 9.0, and 8.5 is vulnerable to server-side request forgery (SSRF) with the Ajax Proxy configured. This may allow an attacker to send unauthorized requests from the system, resulting in a security bypass or information disclosure. |
|
| CVE-2026-8646 | Jun 22, 2026 |
IBM WebSphere App Server 9.0/8.5/Liberty 17-26 HTTP Request SmugglingIBM WebSphere Application Server 9.0 and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are vulnerable to HTTP request smuggling. A remote attacker could smuggle a specially crafted request to the application server thereby allowing the attacker to bypass security controls, spoof identity, escalate privilege, and expose sensitive information. |
|
| CVE-2026-10845 | Jun 22, 2026 |
IBM WAS 8.5/9.0 JAX-WS Auth Bypass Remote ExploitIBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to bypass authentication and gain unauthorized access to JAX-WS applications. |
|