IBM

Products by IBM Sorted by Most Security Vulnerabilities since 2018

IBM I: 292 vulnerabilities
IBM Db2: 137 vulnerabilities
IBM Sterling B2b Integrator: 133 vulnerabilities
IBM Rational Quality Manager: 132 vulnerabilities
IBM Aix: 124 vulnerabilities
IBM Cognos Analytics: 97 vulnerabilities
IBM Security Guardium: 84 vulnerabilities
IBM Security Verify Access: 81 vulnerabilities
IBM Maximo Asset Management: 78 vulnerabilities
IBM Api Connect: 75 vulnerabilities
IBM Vios: 73 vulnerabilities
IBM Mq: 67 vulnerabilities
IBM Rational Team Concert: 65 vulnerabilities
IBM Concert: 53 vulnerabilities
IBM Sterling File Gateway: 52 vulnerabilities
IBM Security Access Manager: 49 vulnerabilities
IBM Cloud Pak For Security: 48 vulnerabilities
IBM Cognos Controller: 48 vulnerabilities
IBM Aspera Faspex: 44 vulnerabilities
IBM Spectrum Scale: 42 vulnerabilities
IBM Urbancode Deploy: 42 vulnerabilities
IBM Mq Appliance: 41 vulnerabilities
IBM Planning Analytics: 41 vulnerabilities
IBM Robotic Process Automation: 40 vulnerabilities
IBM Business Process Manager: 33 vulnerabilities
IBM Maximo Application Suite: 32 vulnerabilities
IBM Planning Analytics Local: 31 vulnerabilities
IBM Cics Tx: 31 vulnerabilities
IBM Qradar Siem: 29 vulnerabilities
IBM Jazz Reporting Service: 29 vulnerabilities
IBM Spectrum Protect Plus: 27 vulnerabilities
IBM Cloud Pak System: 27 vulnerabilities
IBM Content Navigator: 27 vulnerabilities
IBM Qradar Suite: 23 vulnerabilities
IBM Concert Software: 23 vulnerabilities
IBM Openpages With Watson: 22 vulnerabilities
IBM Security Identity Manager: 22 vulnerabilities
IBM Spectrum Protect: 21 vulnerabilities
IBM Controller: 21 vulnerabilities
IBM Bigfix Platform: 20 vulnerabilities
IBM Websphere Mq: 19 vulnerabilities
IBM Sterling Secure Proxy: 19 vulnerabilities
IBM App Connect Enterprise: 18 vulnerabilities
IBM Aspera Console: 18 vulnerabilities
IBM Informix Dynamic Server: 18 vulnerabilities
IBM Security Verify Governance: 18 vulnerabilities
IBM Websphere Portal: 18 vulnerabilities
IBM Security Secret Server: 18 vulnerabilities
IBM Security Qradar Edr: 16 vulnerabilities
IBM Aspera Shares: 16 vulnerabilities
IBM Powervm Hypervisor: 16 vulnerabilities
IBM Security Directory Server: 16 vulnerabilities
IBM Datacap: 16 vulnerabilities
IBM Applinx: 15 vulnerabilities
IBM Datacap Navigator: 15 vulnerabilities
IBM Verify Identity Access: 14 vulnerabilities
IBM Doors Next: 14 vulnerabilities
IBM Control Desk: 14 vulnerabilities

Known Exploited IBM Vulnerabilities

The following IBM vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

IBM Aspera Faspex Code Execution Vulnerability
CVE-2022-47986 | Exploit Probability: 94.3% | Added: February 21, 2023
IBM Aspera Faspex could allow a remote attacker to execute code on the system, caused by a YAML deserialization flaw.

IBM InfoSphere BigInsights Invalid Input Vulnerability
CVE-2013-3993 | Exploit Probability: 26.5% | Added: May 25, 2022
Certain APIs within BigInsights can take invalid input that might allow attackers unauthorized access to read, write, modify, or delete data.

IBM WebSphere Application Server and Server Hypervisor Edition Code Injection
CVE-2015-7450 | Exploit Probability: 93.3% | Added: January 10, 2022
Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands.

IBM Data Risk Manager Arbitrary File Download
CVE-2020-4430 | Exploit Probability: 83.8% | Added: November 3, 2021
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to download arbitrary files from the system. IBM X-Force ID: 180535.

IBM Data Risk Manager Authentication Bypass
CVE-2020-4427 | Exploit Probability: 92.7% | Added: November 3, 2021
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to bypass the authentication process and gain full administrative access to the system. IBM X-Force ID: 180532.

IBM Data Risk Manager Command Injection
CVE-2020-4428 | Exploit Probability: 92.3% | Added: November 3, 2021
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to execute arbitrary commands on the system. IBM X-Force ID: 180533.

IBM Planning Analytics configuration overwrite vulnerability
CVE-2019-4716 | Exploit Probability: 93.4% | Added: November 3, 2021
IBM Planning Analytics 2.0.0 through 2.0.8 is vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting. IBM X-Force ID: 172094.

Of the known exploited vulnerabilities above, 6 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. The vulnerability CVE-2013-3993: IBM InfoSphere BigInsights Invalid Input Vulnerability is in the top 5% of the currently known exploitable vulnerabilities.

By the Year

In 2026 there have been 260 vulnerabilities in IBM products with an average score of 6.1 out of ten. Last year, in 2025, IBM had 563 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in IBM products in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.19.

Year Vulnerabilities Average Score
2026 260 6.07
2025 563 6.26
2024 503 6.44
2023 357 6.80
2022 327 6.36
2021 443 6.10
2020 353 6.19
2019 454 6.14
2018 451 6.24

It may take a day or so for new IBM vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent IBM Security Vulnerabilities

CVE-2026-1248 (May 27, 2026): IBM BAW Containers Leak DB Structure in Error Messages
IBM Business Automation Workflow containers and traditional may leak information about its database structure in error messages.
Products: Business Automation Workflow Containers Traditional

CVE-2026-7876 (May 27, 2026): IBM Aspera HSTS Vulnerability in CP4I 1.5.1-1.5.19
IBM Aspera HSTS for CP4I 1.5.1 through 1.5.19
Products: Aspera Hsts For Cp4i

CVE-2026-7365 (May 27, 2026): IBM Ops Analytics Log Analysis Default Password Auth Bypass
IBM Operations Analytics - Log Analysis and IBM SmartCloud Analytics - Log Analysis use default passwords from the manufacturing process for use during the installation process, which could allow an attacker to bypass authentication.
Products: Operations Analytics Log Analysis

CVE-2024-56462 (May 27, 2026): IBM QRadar 7.5.0 Backup Upload RCE via Malicious Archive
IBM QRadar 7.5.0 through 7.5.0 UP15 Interim Fix 002 could allow a privileged user to upload a malicious backup archive that could be restored and used to gain access to the underlying operating system.
Products: Qradar

CVE-2024-40684 (May 27, 2026): IBM SmartCloud Analytics Log Analysis Weak Passwords 1.3.5-1.3.8
IBM Operations Analytics - Log Analysis 1.3.5.0, 1.3.5.1, 1.3.5.2, 1.3.5.3, 1.3.6.0, 1.3.6.1, 1.3.7.0, 1.3.7.1, 1.3.7.2, and 1.3.8.0, 1.3.8.1, 1.3.8.2, 1.3.8.3, 1.3.8.4 (IBM SmartCloud Analytics - Log Analysis) does not require that users have strong passwords by default, which makes it easier for attackers to compromise user accounts.
Products: Operations Analytics Log Analysis

CVE-2024-28765 (May 27, 2026): Remote Info Disclosure in IBM SDI 7.2.0.0-7.2.0.14 & 10.0.0.0-10.0.0.2
IBM SDI 7.2.0.0 through 7.2.0.14 and IBM Security Directory Integrator 10.0.0.0 through 10.0.0.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.
Products: Sdi; Security Directory Integrator

CVE-2026-9035 (May 27, 2026): IBM Aspera asperahttpd Arbitrary File Read 3.7.4-4.4.7
IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Server 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Endpoint are affected by a potential arbitrary file read in the asperahttpd component. An authenticated user may be able to take advantage of this vulnerability to access files in the server's local storage that they should not have access to.
Products: Aspera High Speed Transfer Endpoint; Aspera High Speed Transfer Server

CVE-2026-8405 (May 27, 2026): IBM Guardium Data Protection 12.2.1-12.2.2 LTR Exposes Credentials in Debug Mode
IBM Guardium Data Protection 12.2.1 and 12.2.2's add-on feature of Guardium Data Protection named "Long Term Retention" (LTR) can expose sensitive credentials in debug mode.
Products: Guardium Data Protection

CVE-2026-8180 (May 27, 2026): IBM Aspera High-Speed Transfer Endpoint 3.7.4-4.4.7 FP1 DoS via asperahttpd
IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Server 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Endpoint are affected by a potential denial of service in the asperahttpd component. An unauthenticated user can cause the asperahttpd service to crash.
Products: Aspera High Speed Transfer Endpoint; Aspera High Speed Transfer Server

CVE-2026-8179 (May 27, 2026): IBM Aspera Buffer Overflow in asperahttpd 3.7.4-4.4.7
IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Server 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Endpoint are affected by a buffer overflow in the asperahttpd component. This vulnerability could allow an authenticated user to execute arbitrary code on the system.
Products: Aspera High Speed Transfer Endpoint; Aspera High Speed Transfer Server

CVE-2026-8175 (May 27, 2026): IBM Aspera HTTPD Buffer Overflow (3.7.4-4.4.7 FP1) DoS & RCE
IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Server 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Endpoint are affected by a buffer overflow in the asperahttpd component. This vulnerability could be exploited to cause a denial of service and potentially lead to authentication bypass or remote code execution.
Products: Aspera High Speed Transfer Endpoint; Aspera High Speed Transfer Server

CVE-2026-7528 (May 27, 2026): IBM Langflow OSS 1.0.0-1.9.0 DoS via Uncontrolled Resource Consumption
IBM Langflow OSS 1.0.0 through 1.9.0 could allow a denial of service due to uncontrolled resource consumption.
Products: Langflow Oss

CVE-2026-7524 (May 27, 2026): IBM Langflow OSS 1.9.1 RCE via Symlink during Archive Extraction
IBM Langflow OSS 1.0.0 through 1.9.1 could allow remote code execution due to improper validation of symbolic links during archive extraction.
Products: Langflow Oss

CVE-2026-7254 (May 27, 2026): IBM OPENBMC FW1110.00-FW1110.11 DoS via unauthenticated network
IBM OPENBMC FW1110.00 through FW1110.11 is vulnerable to denial of service attacks by unauthenticated network users.
Products: Openbmc

CVE-2026-6938 (May 27, 2026): Db2 12.1.x Auth Bypass via Remote Object Storage Upload Path
IBM Db2 12.1.0 through 12.1.4 is vulnerable to authorization bypass when uploading to a remote object storage path with a special query.
Products: Db2

CVE-2026-6936 (May 27, 2026): IBM i ILE Compiler Recursion DoS Before 7.6 (7.5, 7.4, 7.3)
IBM i 7.6, 7.5, 7.4, and 7.3 is vulnerable to a denial-of-service attack due to uncontrolled recursion in the Integrated Language Environment (ILE) compiler. An authenticated attacker could exploit this vulnerability by compiling specially crafted source code containing a specific combination of statements.
Products: I

CVE-2026-6053 (May 27, 2026): IBM DB2 11.5/12.1 DoS via range-partitioned tables
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to a denial of service when a specially crafted query is run with range partitioned tables.
Products: Db2

CVE-2026-6052 (May 27, 2026): IBM Db2 11.5-12.1 Memory Exhaustion via MDC Table Queries
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to running out of memory when executing certain queries with MDC tables.
Products: Db2

CVE-2026-6051 (May 27, 2026): IBM Db2 DoS via small statement heap (11.5.x-12.1.x)
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to a denial of service when executing a specially crafted query with a small statement heap.
Products: Db2

CVE-2026-5516 (May 27, 2026): Timing-Window Security Bypass in IBM WSAS Liberty 22.0.0.11-26.0.0.5
IBM WebSphere Application Server - Liberty 22.0.0.11 through 26.0.0.5 could allow a remote attacker to bypass security under limited conditions by exploiting a specific timing window.
Products: Websphere Application Server Liberty

CVE-2026-5515 (May 27, 2026): IBM App Connect Enterprise 13.0.* Sensitive Log Leakage to Local Users
IBM App Connect Enterprise 13.0.1.0 through 13.0.7.0 stores potentially sensitive information in log files that could be read by a local user.
Products: App Connect Enterprise

CVE-2026-5065 (May 27, 2026): Hardcoded Credentials in IBM Controller 11.0.1-11.1.2
IBM Controller 11.0.1, 11.1.0, 11.1.1, and 11.1.2 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
Products: Controller

CVE-2026-4410 (May 27, 2026): IBM WebSphere App Server Liberty DoS via crafted request (v19.0-26.0)
IBM WebSphere Application Server - Liberty 19.0.0.7 through 26.0.0.5 and IBM WebSphere Application Server 9.0 and 8.5 are vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources.
Products: Websphere Application Server Liberty; WebSphere Application Server

CVE-2026-3676 (May 27, 2026): IBM Cloud APM 8.1.4: Authenticated DoS via Fenced Env Query Logic
IBM Cloud APM, Base Private 8.1.4 and IBM Cloud APM, Advanced Private 8.1.4 (IBM Db2 for Linux, UNIX and Windows, includes DB2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of the Fenced environment.
Products: Cloud Apm Base Private; Cloud Apm Advanced Private

CVE-2026-3623 (May 27, 2026): IBM Netezza PS 3.0.2-3.0.5 PrivEsc via Replication Services
IBM Netezza Performance Server Replication Services 3.0.2.0 through 3.0.5.0 allows an attacker with low-privileged access to escalate their privileges to root. By exploiting this flaw, the attacker can execute root-level commands, obtain a root shell, and change the root user's password. Successful exploitation also enables modification or removal of system-wide files and the installation of persistent backdoors. This results in full system compromise with complete loss of confidentiality, integrity, and availability.
Products: Netezza Performance Server Replication Services

CVE-2026-3366 (May 27, 2026): IBM InfoSphere Optim Test Data Fabrication <1.0.2.7 Dir Traversal File Read
IBM InfoSphere Optim Test Data Fabrication 1.0.0, 1.0.0.1, 1.0.0.2, 1.0.2, 1.0.2.2, 1.0.2.3, 1.0.2.4, 1.0.2.5, 1.0.2.6, 1.0.2.7 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
Products: Infosphere Optim Test Data Fabrication

CVE-2026-2607 (May 27, 2026): IBM MQ Operator Log Local File Read v3.2.0 to 3.2.23
IBM MQ Operator (SC2: v3.2.0 through 3.2.23; CD: v3.3.0, v3.4.0, v3.4.1, v3.5.0, v3.5.1 - v3.5.3, v3.6.0 - v3.6.4, v3.7.0 - v3.7.2, v3.8.0, v3.8.1, v3.9.0, v3.9.1; LTS: v2.0.0 - 2.0.29) and IBM supplied MQ Advanced container images (SC2: 9.4.0.6 through r1, 9.4.0.6-r2, 9.4.0.7-r1, 9.4.0.10-r1, 9.4.0.10-r2, 9.4.0.11-r1, 9.4.0.11-r2, 9.4.0.11-r3, 9.4.0.12-r1, 9.4.0.15-r1 - 9.4.0.15-r4, 9.4.0.16-r1, 9.4.0.16-r2, 9.4.0.17-r1, 9.4.0.17-r2, 9.4.0.20-r1; CD: 9.4.1.0-r1, 9.4.1.0-r2, 9.4.1.1-r1, 9.4.2.0-r1, 9.4.2.0-r2, 9.4.2.1-r1, 9.4.2.1-r2, 9.4.3.0-r1, 9.4.3.0-r2, 9.4.3.1-r1 - 9.4.3.1-r3, 9.4.4.0-r1 - 9.4.4.0-r4, 9.4.4.1-r1, 9.4.5.0-r1, 9.4.5.0-r2; LTS: 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.0.10-r1, 9.3.0.10-r2, 9.3.0.11-r1, 9.3.0.11-r2, 9.3.0.15-r1, 9.3.0.16-r1, 9.3.0.16-r2, 9.3.0.17-r1, 9.3.0.17-r2, 9.3.0.17-r3, 9.3.0.20-r1, 9.3.0.20-r2, 9.3.0.21-r1, 9.3.0.21-r2, 9.3.0.21-r3, 9.3.0.25-r1, 9.4.0.0-r1, 9.4.0.0-r2, 9.4.0.0-r3, 9.4.0.5-r1, 9.4.0.5-r2): IBM MQ stores potentially sensitive information in log files that could be read by a local user.
Products: Mq Operator; Supplied Mq Advanced Container Images

CVE-2026-1718 (May 27, 2026): IBM Db2 11.5.0-11.5.9 / 12.1.0-12.1.4 DoS via Crafted Query (AutTxn)
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to a denial of service with a specially crafted query when autonomous transactions are enabled.
Products: Db2

CVE-2025-3633 (May 27, 2026): IBM Cognos Analytics/Transformer XSS (12.1.0)
IBM Cognos Analytics 11.2.0, 11.2.4, 12.0, and 12.1.0 and IBM Cognos Transformer 11.2.4, 12.0, and 12.1.0 are vulnerable to cross-site scripting (XSS). This vulnerability allows a remote attacker to inject arbitrary JavaScript code into the web user interface, which may alter the intended functionality and could lead to the disclosure of credentials within a trusted session.
Products: Cognos Analytics; Cognos Transformer

CVE-2026-3660 (May 26, 2026): IBM ELM 7.0.3-7.2.0 Unauthenticated Server Property Update RCE
IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an unauthenticated remote attacker to update server property files that would allow them to gain unauthorized access to the application.
Products: Engineering Lifecycle Management

CVE-2026-3603 (May 26, 2026): IBM Engineering Lifecycle Management 7.0-7.2: XXE vuln in XML data
IBM Engineering Lifecycle Management 7.0.3 Interim Fix 001 through Interim Fix 021, 7.1.0 Interim Fix 001 through Interim Fix 009, and 7.2.0 and 7.2.0 Interim Fix 001 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. An authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
Products: Engineering Lifecycle Management

CVE-2026-4051 (May 26, 2026): RCE via Unrestricted Method in IBM ELM 7.0.3-7.2.0 (Admin Only)
IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an attacker with administrative privileges to execute remote code due to an exposed method that is not properly restricted.
Products: Engineering Lifecycle Management

CVE-2026-9170 (May 26, 2026): IBM WebSphere App Server 8.5/9.0 PLUGIN DoS/CodeExec via Improper Validation
IBM HTTP Server 8.5, and 9.0
Products: Web Server Plug Ins Websphere Application Server Websphere Liberty; Http Server

CVE-2026-8633 (May 26, 2026): IBM WAS Plug-Ins 8.5/9.0 RCE via crafted request
IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0 are vulnerable to remote code execution in the Web Server Plug-ins, through a specially crafted request.
Products: Web Server Plug Ins Websphere Application Server Websphere Liberty

CVE-2026-8620 (May 26, 2026): HTTP Request Smuggling in IBM WebSphere App Server Plug-ins (8.5, 9.0)
IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0 are vulnerable to HTTP request smuggling in the Web Server Plug-ins through a specially crafted request.
Products: Web Server Plug Ins Websphere Application Server Websphere Liberty

CVE-2026-8835 (May 26, 2026): IBM HTTP Server 8.5-9.0 Invalid Pointer Dereference, Authenticated DoS/Info Leak
IBM HTTP Server 8.5, and 9.0 is vulnerable to invalid pointer dereference. A privileged user, authenticated to the Administration Server, could exploit this vulnerability to expose sensitive information or cause a denial of service.
Products: Http Server

CVE-2026-8834 (May 26, 2026): IBM HTTP Server 8.5/9.0 Buffer Overflow via Auth Admin
IBM HTTP Server 8.5, and 9.0 contains a buffer overflow vulnerability. A privileged user, authenticated to the Administration Server, could exploit this vulnerability to execute remote code or cause a denial of service.
Products: Http Server

CVE-2026-8855 (May 26, 2026): IBM HTTP Server 8.5/9.0 TLS Mutual Auth RCE
IBM HTTP Server 8.5, and 9.0 is vulnerable to remote code execution and denial of service in configurations with TLS mutual authentication (client authentication).
Products: Http Server

CVE-2026-8854 (May 26, 2026): IBM HTTP Server 8.5/9.0 DoS via mod_mem_cache
IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service via the optional module mod_mem_cache.
Products: Http Server

CVE-2026-8856 (May 26, 2026): IBM HTTP Server 8.5/9.0 DoS via config write access
IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service in configurations where an attacker has write access to parts of the server configuration.
Products: Http Server

CVE-2026-8852 (May 26, 2026): IBM HTTP Server 8.5/9.0 DoS via mod_fastcgi module
IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service via the optional module mod_fastcgi.
Products: Http Server

CVE-2026-8850 (May 26, 2026): IBM HTTP Server 8.5 & 9.0 - mod_ibm_upload Denial of Service
IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service via the optional module mod_ibm_upload.
Products: Http Server

CVE-2025-36221 (May 26, 2026): IBM Cloud Pak for Data Cyclops Default Passwd Bypass (V < 11.3.0.2-IF002)
IBM Cloud Pak for Data System - Cyclops 11.3.0.2 through Interim Fix 002 uses default passwords from the manufacturing process for use during the installation process, which could allow an attacker to bypass authentication.
Products: Cloud Pak Data System Cyclops

CVE-2025-36220 (May 26, 2026): IBM Cloud Pak Data-System Cyclops 11.3.0.2-002 SQL Injection
IBM Cloud Pak for Data System - Cyclops 11.3.0.2 through Interim Fix 002 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database.
Products: Cloud Pak Data System Cyclops

CVE-2025-36126 (May 26, 2026): IBM Cognos Analytics 11.2.0-12.1.0 & Cognos Transformer XSS in Admin
IBM Cognos Analytics 11.2.0, 12.0, and 12.1.0 and IBM Cognos Transformer 12.0, 11.2.4, and 12.1.0 are vulnerable to stored cross-site scripting (XSS) in Cognos Administration. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
Products: Cognos Analytics; Cognos Transformer

CVE-2025-36148 (May 26, 2026): IBM FTM SWIFT 3.2.4.0-3.2.4.15 Web UI XSS
IBM Financial Transaction Manager for SWIFT Services for Multiplatforms 3.2.4.0 through 3.2.4.15 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
Products: Financial Transaction Manager Swift Services Multiplatforms

CVE-2025-36145 (May 26, 2026): IBM watsonx.data 2.2-2.3.1: Unrestricted Inbound/Outbound Connections
IBM watsonx.data 2.2 through 2.3.1 (IBM Lakehouse) does not properly restrict inbound and outbound connections, which could allow an attacker to transfer or modify files without restrictions.
Products: Watsonxdata

CVE-2025-14290 (May 26, 2026): IBM webMethods Integration Server SSRF pre IS_11.1
IBM webMethods Integration (on prem) - Integration Server 10.15 through IS_10.15_Core_Fix26, 11.1 to IS_11.1_Core_Fix10 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
Products: Webmethods Integration On Prem Integration Server

CVE-2025-13755 (May 26, 2026): Local Log Data Leak in IBM Db2 v11.5.0-11.5.9/12.1.0-12.1.4
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes DB2 Connect Server) stores potentially sensitive information in log files that could be read by a local user.
Products: Db2

CVE-2026-1577 (Apr 30, 2026): IBM Db2 DoS via query logic with special elements before 11.5.9/12.1.4
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic.
Products: Db2
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).