IBM


Products by IBM Sorted by Most Security Vulnerabilities since 2018

IBM Aix: 117 vulnerabilities
IBM Sterling B2b Integrator: 99 vulnerabilities
IBM Cognos Analytics: 90 vulnerabilities
IBM Db2: 75 vulnerabilities
IBM Security Verify Access: 70 vulnerabilities
IBM Vios: 69 vulnerabilities
IBM Api Connect: 67 vulnerabilities
IBM Maximo Asset Management: 66 vulnerabilities
IBM I: 51 vulnerabilities
IBM Security Guardium: 48 vulnerabilities
IBM Cognos Controller: 45 vulnerabilities
IBM Cloud Pak For Security: 42 vulnerabilities
IBM Mq Appliance: 39 vulnerabilities
IBM Urbancode Deploy: 39 vulnerabilities
IBM Mq: 38 vulnerabilities
IBM Security Access Manager: 37 vulnerabilities
IBM Planning Analytics: 37 vulnerabilities
IBM Spectrum Scale: 36 vulnerabilities
IBM Sterling File Gateway: 34 vulnerabilities
IBM Aspera Faspex: 31 vulnerabilities
IBM Maximo Application Suite: 31 vulnerabilities
IBM Cics Tx: 29 vulnerabilities
IBM Planning Analytics Local: 26 vulnerabilities
IBM Robotic Process Automation: 26 vulnerabilities
IBM Rhapsody Model Manager: 23 vulnerabilities
IBM Qradar Suite: 23 vulnerabilities
IBM Cloud Pak System: 22 vulnerabilities
IBM Openpages With Watson: 22 vulnerabilities
IBM Concert Software: 22 vulnerabilities
IBM Concert: 21 vulnerabilities
IBM Content Navigator: 20 vulnerabilities
IBM Jazz Reporting Service: 17 vulnerabilities
IBM Security Verify Governance: 16 vulnerabilities
IBM Sterling Secure Proxy: 16 vulnerabilities
IBM Informix Dynamic Server: 16 vulnerabilities
IBM Controller: 16 vulnerabilities
IBM Datacap: 16 vulnerabilities
IBM Security Directory Server: 16 vulnerabilities
IBM App Connect Enterprise: 15 vulnerabilities
IBM Datacap Navigator: 15 vulnerabilities
IBM Doors Next: 14 vulnerabilities
IBM Security Qradar Edr: 13 vulnerabilities
IBM Powervm Hypervisor: 13 vulnerabilities
IBM Aspera Console: 13 vulnerabilities
IBM Powersc: 13 vulnerabilities
IBM Entirex: 13 vulnerabilities

Known Exploited IBM Vulnerabilities

The following IBM vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

CVE-2022-47986 - IBM Aspera Faspex Code Execution Vulnerability
  Added: February 21, 2023 | Exploit Probability: 94.3%
  IBM Aspera Faspex could allow a remote attacker to execute code on the system, caused by a YAML deserialization flaw.

CVE-2013-3993 - IBM InfoSphere BigInsights Invalid Input Vulnerability
  Added: May 25, 2022 | Exploit Probability: 17.0%
  Certain APIs within BigInsights can take invalid input that might allow attackers unauthorized access to read, write, modify, or delete data.

CVE-2015-7450 - IBM WebSphere Application Server and Server Hypervisor Edition Code Injection
  Added: January 10, 2022 | Exploit Probability: 94.0%
  Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands.

CVE-2020-4430 - IBM Data Risk Manager Arbitrary File Download
  Added: November 3, 2021 | Exploit Probability: 71.5%
  IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to download arbitrary files from the system. IBM X-Force ID: 180535.

CVE-2020-4427 - IBM Data Risk Manager Authentication Bypass
  Added: November 3, 2021 | Exploit Probability: 91.8%
  IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to bypass the authentication process and gain full administrative access to the system. IBM X-Force ID: 180532.

CVE-2020-4428 - IBM Data Risk Manager Command Injection
  Added: November 3, 2021 | Exploit Probability: 87.6%
  IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to execute arbitrary commands on the system. IBM X-Force ID: 180533.

CVE-2019-4716 - IBM Planning Analytics configuration overwrite vulnerability
  Added: November 3, 2021 | Exploit Probability: 91.3%
  IBM Planning Analytics 2.0.0 through 2.0.8 is vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting. IBM X-Force ID: 172094.

Of the known exploited vulnerabilities above, 5 are in the top 1% (the 99th percentile) of the EPSS exploit probability rankings. The vulnerability CVE-2020-4430, IBM Data Risk Manager Arbitrary File Download, is in the top 5% of the currently known exploitable vulnerabilities.

By the Year

In 2025 there have been 518 vulnerabilities in IBM products, with an average score of 6.3 out of ten. Last year, in 2024, IBM had 503 security vulnerabilities published. That is, 15 more vulnerabilities have already been reported in 2025 than in all of last year. Last year's average CVE base score was greater by 0.18.

Year Vulnerabilities Average Score
2025 518 6.25
2024 503 6.44
2023 257 6.91
2022 287 6.39
2021 380 6.07
2020 340 6.20
2019 439 6.09
2018 315 6.35

It may take a day or so for new IBM vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent IBM Security Vulnerabilities

CVE-2025-33119 (Nov 12, 2025) - IBM QRadar SIEM 7.5 Credential Leak in Config Files (UP14)
  IBM QRadar SIEM 7.5 through 7.5.0 UP14 stores user credentials in configuration files in source control which can be read by an authenticated user.
  Products: Qradar Security Information Event Manager

CVE-2025-36223 (Nov 12, 2025) - HTTP Header Injection in IBM OpenPages 9.0/9.1 via HOST header
  IBM OpenPages 9.0 and 9.1 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
  Products: Openpages

CVE-2025-27368 (Nov 12, 2025) - IBM OpenPages 9.0/9.1 REST Info Disclosure
  IBM OpenPages 9.0 and 9.1 is vulnerable to information disclosure of sensitive information due to weaker than expected security for certain REST end points used by the user interface of OpenPages. An authenticated user is able to obtain certain information about system metadata for areas beyond what the user is intended to view.
  Products: Openpages

CVE-2025-11565 (Nov 12, 2025) - Path Traversal in WebSphere UpdateJRE REST API Allows Local Admin Elevation
  CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause elevated system access when a Web Admin user on the local network tampers with the POST /REST/UpdateJRE request payload.
  Products: WebSphere Application Server

CVE-2025-33150 (Nov 10, 2025) - IBM Cognos Analytics 12.1.0 Hidden Pages Info Disclosure
  IBM Cognos Analytics Certified Containers 12.1.0 could disclose package parameter information due to the presence of hidden pages.
  Products: Cognos Analytics

CVE-2025-36006 (Nov 07, 2025) - IBM Db2 Auth Denial via Resource Leak (10.5-12.1)
  IBM Db2 10.5.0 through 10.5.11, 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial due to the improper release of resources after use.
  Products: Db2

CVE-2025-36008 (Nov 07, 2025) - IBM Db2 11.5.x-11.5.9 / 12.1.x-12.1.3 DoS via Improper Resource Allocation
  IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper allocation of resources.
  Products: Db2

CVE-2025-36131 (Nov 07, 2025) - IBM Db2 clpplus Exposes Credentials on Linux/UNIX/Windows (11.1-12.1)
  IBM Db2 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) clpplus command exposes user credentials to the terminal, which could be obtained by a third party with physical access to the system.
  Products: Db2

CVE-2025-36136 (Nov 07, 2025) - IBM Db2 11.5.0-11.5.9 & 12.1.0-12.1.3 Local DoS via Monitor Script
  IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow a local user to cause a denial of service due to the database monitor script incorrectly detecting that the instance is still starting under specific conditions.
  Products: Db2

CVE-2025-36185 (Nov 07, 2025) - IBM Db2 12.1.0-12.1.2 Local User DoS via Improper Query Logic
  IBM Db2 12.1.0 through 12.1.2 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic.
  Products: Db2

CVE-2025-36186 (Nov 07, 2025) - IBM Db2 12.1.0-12.1.3 Local Priv Esc via Unnecessary Privilege Use
  IBM Db2 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) under specific configurations could allow a local user to execute malicious code that escalates their privileges to root due to execution of unnecessary privileges operated at a higher than minimum level.
  Products: Db2

CVE-2025-33012 (Nov 07, 2025) - IBM Db2 10.5-12.1.3 (Linux) Auth regain after lockout via password reuse
  IBM Db2 10.5.0 through 10.5.11, 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux could allow an authenticated user to regain access after account lockout due to password use after expiration date.
  Products: Db2

CVE-2025-2534 (Nov 07, 2025) - IBM Db2 DoS via crafted query on server before 11.1.5/11.5.10/12.1.4
  IBM Db2 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query.
  Products: Db2

CVE-2025-36135 (Nov 07, 2025) - IBM Sterling B2B & File Gateway 6.0-6.2.1.x Auth XSS in Web UI Credential Leak
  IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.7_1, 6.2.0.0 through 6.2.0.5, and 6.2.1.0 and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7_1, 6.2.0.0 through 6.2.0.5, and 6.2.1.0 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
  Products: Sterling B2b Integrator, Sterling File Gateway

CVE-2024-47118 (Nov 07, 2025) - IBM Db2 DoS via crafted query (10.5-12.1.3)
  IBM Db2 10.5.0 through 10.5.11, 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query.
  Products: Db2

CVE-2025-33110 (Nov 06, 2025) - IBM OpenPages 9.1/9.0 Watson Remote HTML Injection Vulnerability
  IBM OpenPages 9.1, and 9.0 with Watson is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.
  Products: Openpages With Watson

CVE-2025-36054 (Nov 06, 2025) - IBM Business Automation Workflow XSS in UI (25.0.0-IF001)
  IBM Business Automation Workflow containers 24.0.0 through 24.0.0-IF006, 24.0.1 through 24.0.1-IF004, 25.0.0 through 25.0.0-IF001 and IBM Business Automation Workflow traditional with Process Federation Server 24.0.0 through 24.0.1 and 25.0.0 are vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
  Products: Business Automation Workflow

CVE-2025-36172 (Nov 03, 2025) - IBM Cloud Pak for Business Automation 25.0.0 Web UI XSS
  IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 001, 24.0.1 through 24.0.1 Interim Fix 004, 24.0.0 through 24.0.0 Interim Fix 006, and earlier unsupported releases of IBM Business Automation Workflow are vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
  Products: Cloud Pak Business Automation

CVE-2025-12531 (Nov 03, 2025) - IBM InfoSphere Information Server XXE Vulnerability in XML Parser 11.7.0.0-11.7.1.6
  IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
  Products: Infosphere Information Server

CVE-2025-36093 (Nov 03, 2025) - IBM Cloud Pak Business Automation 24-25.0.0: MITM via improper access controls
  IBM Cloud Pak For Business Automation 25.0.0, 24.0.1, and 24.0.0 could allow an attacker to access unauthorized content or perform unauthorized actions using man-in-the-middle techniques due to improper access controls.
  Products: Cloud Pak Business Automation

CVE-2025-36092 (Nov 03, 2025) - DoS via input length in IBM Cloud Pak for Business Automation 24.0-25.0
  IBM Cloud Pak For Business Automation 25.0.0, 24.0.1, and 24.0.0 could allow an authenticated user to cause a denial of service due to the improper validation of input length.
  Products: Cloud Pak Business Automation

CVE-2025-36091 (Nov 03, 2025) - IBM Cloud Pak BA 24-25 dashboards auth flaw leads to denial of access
  IBM Cloud Pak For Business Automation 25.0.0, 24.0.1, and 24.0.0 could allow an authenticated user to cause dashboards to become inaccessible to legitimate users due to invalid ownership assignment.
  Products: Cloud Pak Business Automation

CVE-2025-36367 (Nov 01, 2025) - IBM i 7.2-7.6 SQL Services Auth Check Priv Esc
  IBM i 7.6, 7.5, 7.4, 7.3, and 7.2 is vulnerable to privilege escalation caused by an invalid IBM i SQL services authorization check. A malicious actor can use the elevated privileges of another user profile to gain root access to the host operating system.
  Products: I

CVE-2025-36249 (Oct 31, 2025) - IBM Jazz SM 1.1.3.0-25: Auth Token Cookie Lacks Secure Flag
  IBM Jazz for Service Management 1.1.3.0 through 1.1.3.25 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending an http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
  Products: Jazz For Service Management

CVE-2025-33003 (Oct 31, 2025) - IBM InfoSphere Information Server 11.7.0.0-11.7.1.6 PrivEsc via Execution with Unnecessary Privileges
  IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 could allow a non-root user to gain higher privileges/capabilities within the scope of a container due to execution with unnecessary privileges.
  Products: Infosphere Information Server

CVE-2025-3356 (Oct 30, 2025) - Path Traversal in IBM Tivoli Monitoring 6.3.0.7 (SP21) via URL
  IBM Tivoli Monitoring 6.3.0.7 through 6.3.0.7 Service Pack 21 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view, overwrite, or append to arbitrary files on the system.
  Products: Tivoli Monitoring

CVE-2025-3355 (Oct 30, 2025) - IBM Tivoli Monitoring 6.3.0.7 SP21 Remote Dir Traversal via URL
  IBM Tivoli Monitoring 6.3.0.7 through 6.3.0.7 Service Pack 21 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
  Products: Tivoli Monitoring

CVE-2025-36137 (Oct 30, 2025) - IBM Sterling Connect:Direct for Unix before 6.4.0.3 CCD privilege escalation
  IBM Sterling Connect Direct for Unix 6.2.0.7 through 6.2.0.9 iFix004, 6.4.0.0 through 6.4.0.2 iFix001, and 6.3.0.2 through 6.3.0.5 iFix002 incorrectly assigns permissions for maintenance tasks to Control Center Director (CCD) users, which could allow a privileged user to escalate their privileges further due to unnecessary privilege assignment for post update scripts.
  Products: Sterling Connect

CVE-2025-36386 (Oct 28, 2025) - IBM Maximo Application Suite 9.x Auth Bypass Remote Access
  IBM Maximo Application Suite 9.0.0 through 9.0.15 and 9.1.0 through 9.1.4 could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application.
  Products: Maximo Application Suite

CVE-2025-36085 (Oct 28, 2025) - IBM Concert 1.0.0-2.0.0 SSRF Allows Authenticated Remote Requests
  IBM Concert 1.0.0 through 2.0.0 Software is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
  Products: Concert

CVE-2025-36083 (Oct 28, 2025) - IBM Concert Software 1.0.0-2.0.0 Local User Heap Memory Clear Vulnerability
  IBM Concert Software 1.0.0 through 2.0.0 could allow a local user to obtain sensitive information from buffers due to improper clearing of heap memory before release.
  Products: Concert, Concert Software

CVE-2025-36081 (Oct 28, 2025) - IBM Concert Software 1.0.0-2.0.0 Log Input Injection Allows Log Modification
  IBM Concert Software 1.0.0 through 2.0.0 could allow a user to modify system logs due to improper neutralization of log input.
  Products: Concert, Concert Software

CVE-2025-33133 (Oct 27, 2025) - IBM DB2 High Performance Unload <=6.5 Crash via OOB Write (authenticated)
  IBM DB2 High Performance Unload 6.1.0.3, 5.1.0.1, 6.1.0.2, 6.5, 6.5.0.0 IF1, 6.1.0.1, 6.1, and 5.1 could allow an authenticated user to cause the program to crash due to an out of bounds write.
  Products: Db2 High Performance Unload

CVE-2025-33132 (Oct 27, 2025) - IBM DB2 HPU Crash via Bad Size Calc (authenticated) pre-6.5.0.0 IF1
  IBM DB2 High Performance Unload 6.1.0.3, 5.1.0.1, 6.1.0.2, 6.5, 6.5.0.0 IF1, 6.1.0.1, 6.1, and 5.1 could allow an authenticated user to cause the program to crash due to the incorrect calculation of the size of the data that is being pointed to.
  Products: Db2 High Performance Unload, Db2

CVE-2025-33131 (Oct 27, 2025) - IBM DB2 High Performance Unload 5.x-6.5 Buffer Overflow Crash
  IBM DB2 High Performance Unload 6.1.0.3, 5.1.0.1, 6.1.0.2, 6.5, 6.5.0.0 IF1, 6.1.0.1, 6.1, and 5.1 could allow an authenticated user to cause the program to crash due to a buffer being overwritten when it is allocated on the stack.
  Products: Db2 High Performance Unload

CVE-2025-33126 (Oct 27, 2025) - IBM DB2 High Performance Unload 6.5 Authenticated Crash Due to Buffer Size Error
  IBM DB2 High Performance Unload 6.1.0.3, 5.1.0.1, 6.1.0.2, 6.5, 6.5.0.0 IF1, 6.1.0.1, 6.1, and 5.1 could allow an authenticated user to cause the program to crash due to the incorrect calculation of a buffer size.
  Products: Db2 High Performance Unload

CVE-2025-36138 (Oct 27, 2025) - IBM QRadar SIEM 7.5-7.5.0 Update Pack 13: Stored XSS in Web UI
  IBM QRadar SIEM 7.5 through 7.5.0 Update Pack 13 Independent Fix 02 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
  Products: Qradar Siem

CVE-2025-36170 (Oct 27, 2025) - Stored XSS in IBM QRadar SIEM 7.5 Update Pack 13 (pre-fix)
  IBM QRadar SIEM 7.5 through 7.5.0 Update Pack 13 Independent Fix 02 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
  Products: Qradar Siem

CVE-2025-36007 (Oct 27, 2025) - IBM QRadar SIEM 7.5.0 Privilege Escalation via Update Script
  IBM QRadar SIEM 7.5 through 7.5.0 Update Pack 13 Independent Fix 02 is vulnerable to privilege escalation due to improper privilege assignment to an update script.
  Products: Qradar Siem

CVE-2025-36121 (Oct 27, 2025) - IBM OpenPages 9.1/9.0 HTML Injection
  IBM OpenPages 9.1 and 9.0 is vulnerable to HTML injection. A remotely authenticated attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.
  Products: Openpages

CVE-2025-36361 (Oct 24, 2025) - IBM App Connect Enterprise 12-13.0.x Missing Auth: Unauthorized Resource Access
  IBM App Connect Enterprise 13.0.1.0 through 13.0.4.2, and 12.0.1.0 through 12.0.12.17 could allow an authenticated user to perform unauthorized actions on customer defined resources due to missing authorization.
  Products: App Connect Enterprise

CVE-2025-36128 (Oct 16, 2025) - IBM MQ 9.1-9.4 LTS/9.3-9.4 CD DoS via read timeout bypass
  IBM MQ 9.1, 9.2, 9.3, 9.4 LTS and 9.3, 9.4 CD is vulnerable to a denial of service, caused by improper enforcement of the timeout on individual read operations. By conducting slowloris-type attacks, a remote attacker could exploit this vulnerability to cause a denial of service.
  Products: Mq

CVE-2025-36002 (Oct 16, 2025) - IBM Sterling B2B Integrator 6.2.x Credential Exposure
  IBM Sterling B2B Integrator 6.2.0.0 through 6.2.0.5, and 6.2.1.0 and IBM Sterling File Gateway 6.2.0.0 through 6.2.0.5, and 6.2.1.0 stores user credentials in configuration files which can be read by a local user.
  Products: Sterling B2b Integrator, Sterling File Gateway

CVE-2025-2529 (Oct 15, 2025) - Java Cache Write Degradation in Ehcache 3.x via Unfiltered External Keys
  Applications using affected versions of Ehcache 3.x can experience degraded cache-write performance if the application using Ehcache utilizes keys sourced from (malicious) external parties in an unfiltered/unsalted way.
  Products: Terracotta

CVE-2025-27906 (Oct 14, 2025) - IBM Content Navigator 3.0.x-3.2.0 Directory Listing Disclosure
  IBM Content Navigator 3.0.11, 3.0.15, 3.1.0, and 3.2.0 could expose the directory listing of the application upon using an application URL. Application files and folders are visible in the browser to a user; however, the contents of the files cannot be read, obtained or modified.
  Products: Content Navigator

CVE-2025-36087 (Oct 13, 2025) - IBM Verify Access hardcoded creds v10-11
  IBM Security Verify Access 10.0.0 through 10.0.9, 11.0.0, IBM Verify Identity Access Container 10.0.0 through 10.0.9, and 11.0.0, under certain configurations, contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
  Products: Security Verify Access, Security Verify Access Docker

CVE-2025-2138 (Oct 12, 2025) - IBM Doors Next 7.x: Authenticated Comment Deletion via Client-Side Security Gap
  IBM Engineering Requirements Management Doors Next 7.0.2, 7.0.3, and 7.1 could allow an authenticated user on the network to delete comments from other users due to client-side enforcement of server-side security.
  Products: Engineering Requirements Management Doors Next

CVE-2025-2139 (Oct 12, 2025) - Auth deletion of reviews via client-side enforcement in IBM Doors Next 7.0.2-7.1
  IBM Engineering Requirements Management Doors Next 7.0.2, 7.0.3, and 7.1 could allow an authenticated user on the network to delete reviews from other users due to client-side enforcement of server-side security.
  Products: Engineering Requirements Management Doors Next

CVE-2025-2140 (Oct 12, 2025) - IBM Doors Next 7.0.2-7.1 Email Spoof via Unverified Sender Source
  IBM Engineering Requirements Management Doors Next 7.0.2, 7.0.3, and 7.1 could allow an authenticated user on the network to spoof the email identity of the sender due to improper verification of source data.
  Products: Engineering Requirements Management Doors Next, Doors Next

CVE-2025-33096 (Oct 12, 2025) - IBM Doors Next 7.0.x: Authenticated DoS via Recursive File Upload
  IBM Engineering Requirements Management Doors Next 7.0.2, 7.0.3, and 7.1 could allow an authenticated user to cause a denial of service by uploading specially crafted files using uncontrolled recursion.
  Products: Engineering Requirements Management Doors Next, Doors Next
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).