IBM


Products by IBM Sorted by Most Security Vulnerabilities since 2018

IBM I: 290 vulnerabilities
IBM Sterling B2b Integrator: 133 vulnerabilities
IBM Rational Quality Manager: 132 vulnerabilities
IBM Db2: 127 vulnerabilities
IBM Aix: 124 vulnerabilities
IBM Cognos Analytics: 95 vulnerabilities
IBM Security Guardium: 84 vulnerabilities
IBM Security Verify Access: 80 vulnerabilities
IBM Maximo Asset Management: 78 vulnerabilities
IBM Api Connect: 75 vulnerabilities
IBM Vios: 73 vulnerabilities
IBM Mq: 67 vulnerabilities
IBM Rational Team Concert: 65 vulnerabilities
IBM Concert: 53 vulnerabilities
IBM Sterling File Gateway: 52 vulnerabilities
IBM Security Access Manager: 49 vulnerabilities
IBM Cloud Pak For Security: 48 vulnerabilities
IBM Cognos Controller: 48 vulnerabilities
IBM Aspera Faspex: 44 vulnerabilities
IBM Spectrum Scale: 42 vulnerabilities
IBM Urbancode Deploy: 42 vulnerabilities
IBM Planning Analytics: 41 vulnerabilities
IBM Mq Appliance: 41 vulnerabilities
IBM Robotic Process Automation: 40 vulnerabilities
IBM Business Process Manager: 33 vulnerabilities
IBM Maximo Application Suite: 32 vulnerabilities
IBM Planning Analytics Local: 31 vulnerabilities
IBM Cics Tx: 31 vulnerabilities
IBM Qradar Siem: 29 vulnerabilities
IBM Jazz Reporting Service: 29 vulnerabilities
IBM Spectrum Protect Plus: 27 vulnerabilities
IBM Cloud Pak System: 27 vulnerabilities
IBM Content Navigator: 27 vulnerabilities
IBM Qradar Suite: 23 vulnerabilities
IBM Concert Software: 23 vulnerabilities
IBM Security Identity Manager: 22 vulnerabilities
IBM Openpages With Watson: 22 vulnerabilities
IBM Spectrum Protect: 21 vulnerabilities
IBM Bigfix Platform: 20 vulnerabilities
IBM Controller: 20 vulnerabilities
IBM Websphere Mq: 19 vulnerabilities
IBM Sterling Secure Proxy: 19 vulnerabilities
IBM Aspera Console: 18 vulnerabilities
IBM Websphere Portal: 18 vulnerabilities
IBM Security Verify Governance: 18 vulnerabilities
IBM Security Secret Server: 18 vulnerabilities
IBM Informix Dynamic Server: 18 vulnerabilities
IBM App Connect Enterprise: 17 vulnerabilities
IBM Security Qradar Edr: 16 vulnerabilities
IBM Aspera Shares: 16 vulnerabilities
IBM Security Directory Server: 16 vulnerabilities
IBM Powervm Hypervisor: 16 vulnerabilities
IBM Datacap: 16 vulnerabilities
IBM Applinx: 15 vulnerabilities
IBM Datacap Navigator: 15 vulnerabilities
IBM Control Desk: 14 vulnerabilities
IBM Doors Next: 14 vulnerabilities

Known Exploited IBM Vulnerabilities

The following IBM vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Each entry lists the CISA KEV title, the CVE with its EPSS exploit probability, the date it was added to the KEV catalog, and the description.

IBM Aspera Faspex Code Execution Vulnerability
CVE-2022-47986 (EPSS exploit probability 94.3%), added February 21, 2023
IBM Aspera Faspex could allow a remote attacker to execute code on the system, caused by a YAML deserialization flaw.

IBM InfoSphere BigInsights Invalid Input Vulnerability
CVE-2013-3993 (EPSS exploit probability 21.0%), added May 25, 2022
Certain APIs within BigInsights can take invalid input that might allow attackers unauthorized access to read, write, modify, or delete data.

IBM WebSphere Application Server and Server Hypervisor Edition Code Injection
CVE-2015-7450 (EPSS exploit probability 93.3%), added January 10, 2022
Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands.

IBM Data Risk Manager Arbitrary File Download
CVE-2020-4430 (EPSS exploit probability 83.8%), added November 3, 2021
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to download arbitrary files from the system. IBM X-Force ID: 180535.

IBM Data Risk Manager Authentication Bypass
CVE-2020-4427 (EPSS exploit probability 92.7%), added November 3, 2021
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to bypass the authentication process and gain full administrative access to the system. IBM X-Force ID: 180532.

IBM Data Risk Manager Command Injection
CVE-2020-4428 (EPSS exploit probability 92.3%), added November 3, 2021
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to execute arbitrary commands on the system. IBM X-Force ID: 180533.

IBM Planning Analytics configuration overwrite vulnerability
CVE-2019-4716 (EPSS exploit probability 93.4%), added November 3, 2021
IBM Planning Analytics 2.0.0 through 2.0.8 is vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting. IBM X-Force ID: 172094.

Of the known exploited vulnerabilities above, 6 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. The vulnerability CVE-2013-3993: IBM InfoSphere BigInsights Invalid Input Vulnerability is in the top 5% of the currently known exploitable vulnerabilities.

By the Year

In 2026 there have been 186 vulnerabilities in IBM products with an average CVSS base score of 5.8 out of 10. Last year, in 2025, IBM had 563 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of IBM security vulnerabilities in 2026 could surpass last year's total. Last year's average CVE base score was higher by 0.41.




Year  Vulnerabilities  Average Score
2026  186              5.84
2025  563              6.26
2024  503              6.44
2023  357              6.80
2022  327              6.36
2021  443              6.10
2020  353              6.19
2019  454              6.14
2018  451              6.24

It may take a day or so for new IBM vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent IBM Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-4788 Apr 08, 2026
IBM Tivoli Netcool Impact 7.1.0.x Log File Info Disclosure to Local User IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.37 stores sensitive information in log files that could be read by a local user.
Tivoli Netcool Impact
CVE-2026-3357 Apr 08, 2026
IBM Langflow Desktop 1.6.0-1.8.2 FAISS Deserialization Arbitrary Code Exec (Auth) IBM Langflow Desktop 1.6.0 through 1.8.2 could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component.
Langflow Desktop
CVE-2026-1346 Apr 08, 2026
IBM Verify Access Privilege Escalation (Local) 10.0-10.0.9.1/11.0-11.0.2 IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to escalate their privileges to root due to execution with more privileges than required.
Verify Identity Access Container
Security Verify Access Container
Verify Identity Access
And others...
CVE-2026-1343 Apr 08, 2026
IBM Verify Identity Access/10.0-10.0.9.1 Reverse Proxy Bypass IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 allows an attacker to contact internal authentication endpoints which are protected by the Reverse Proxy.
Verify Identity Access Container
Security Verify Access Container
Verify Identity Access
And others...
CVE-2026-1342 Apr 07, 2026
IBM Verify Identity Access Container <=11.0.2: Local Auth Script Injection IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to execute malicious scripts from outside of its control sphere.
Verify Identity Access Container
Security Verify Access Container
Verify Identity Access
And others...
CVE-2025-13044 Apr 07, 2026
IBM Concert 1-2.2.0 Temp Files with Predictable Names Enable Local Symlink Overwrite IBM Concert 1.0.0 through 2.2.0 creates temporary files with predictable names, which allows local users to overwrite arbitrary files via a symlink attack.
Concert
CVE-2026-1243 Apr 02, 2026
IBM Content Navigator 3.x XSS via Authenticated Web UI (3.0.15-3.2.0) IBM Content Navigator 3.0.15, 3.1.0, and 3.2.0 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Content Navigator
CVE-2025-66487 Apr 01, 2026
IBM Aspera Shares 1.9.9-1.11.0 Improper Email Rate Limiting (CVE-2025-66487) IBM Aspera Shares 1.9.9 through 1.11.0 does not properly rate limit the frequency that an authenticated user can send emails, which could result in email flooding or a denial of service.
Aspera Shares
CVE-2025-66486 Apr 01, 2026
IBM Aspera Shares 1.9.9-1.11.0 HTML Injection Allowing XSS in Web UI IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.
Aspera Shares
CVE-2025-66485 Apr 01, 2026
IBM Aspera Shares 1.9.9-1.11.0 HTTP Header Injection Affecting XSS & Cache Poison IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
Aspera Shares
CVE-2025-66484 Apr 01, 2026
IBM Aspera Shares XSS in Web UI 1.9.9-1.11.0 IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Aspera Shares
CVE-2025-66483 Apr 01, 2026
IBM Aspera Shares 1.9.9-1.11.0 Session Invalidation Missing Post Pwd Reset Impersonate IBM Aspera Shares 1.9.9 through 1.11.0 does not invalidate session after a password reset which could allow an authenticated user to impersonate another user on the system.
Aspera Shares
CVE-2025-36375 Apr 01, 2026
IBM DataPower Gateway 10.x CSRF Vulnerability (10.5.0-10.6.5) IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0, IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20, and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 are vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
Datapower Gateway 106cd
Datapower Gateway 1050
Datapower Gateway 1060
And others...
CVE-2026-2475 Apr 01, 2026
Open Redirect in IBM Verify Identity Access & Security Verify Access 10-11 IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability using a specially crafted request to redirect a victim to arbitrary Web sites.
Verify Identity Access Container
Security Verify Access Container
Verify Identity Access
And others...
CVE-2026-4820 Apr 01, 2026
IBM Maximo Suite 9.1/9.0/8.11/8.10: Session Cookie Secure Flag Missing IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
Maximo Application Suite
CVE-2025-36373 Apr 01, 2026
IBM DataPower Gateway <=10.6.5.0 Admin Info Disclosure IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0, IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20, and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 could disclose sensitive system information from other domains to an administrative user.
Datapower Gateway 106cd
Datapower Gateway 1050
Datapower Gateway 1060
And others...
CVE-2025-13916 Apr 01, 2026
IBM Aspera Shares 1.9.9-1.11.0 Weak Crypto Allows Decryption IBM Aspera Shares 1.9.9 through 1.11.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
Aspera Shares
CVE-2026-1491 Apr 01, 2026
IBM Verify Access Proxy HTTP Interpretation Flaw (v10.0-10.0.9.1, v11.0-11.0.2) IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a remote attacker to access sensitive information due to an inconsistent interpretation of an HTTP request by a reverse proxy.
Verify Identity Access Container
Security Verify Access Container
Verify Identity Access
And others...
CVE-2026-2862 Apr 01, 2026
Remote Info Disclosure in IBM Verify Access via Proxy (10.0-10.0.9.1, 11.0-11.0.2) IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a remote attacker to access sensitive information due to an inconsistent interpretation of an HTTP request by a reverse proxy.
Verify Identity Access Container
Security Verify Access Container
Verify Identity Access
And others...
CVE-2026-1345 Apr 01, 2026
IBM Verify Identity Access/Security Verify Access v10-11 Unauthenticated Command Execution via Improper Input Validation IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow an unauthenticated user to execute arbitrary commands with lower user privileges on the system due to improper validation of user supplied input.
Verify Identity Access Container
Security Verify Access Container
Verify Identity Access
And others...
CVE-2026-4101 Apr 01, 2026
IBM Verify Access/Container 10.0-10.0.9.1, 11.0-11.0.2 Auth Bypass Under Load IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 under certain load conditions could allow an attacker to bypass authentication mechanisms and gain unauthorized access to the application.
Verify Identity Access Container
Security Verify Access Container
Verify Identity Access
And others...
CVE-2026-4364 Apr 01, 2026
IBM Verify Access XSS via JSON MIME type mismatch in 10.0-11.0.2 IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 allows certificate listings retrieved via a browser session to return a JSON payload while incorrectly specifying the response Content-Type as text/html. Because the content is delivered with an HTML MIME type, browsers may interpret the JSON data as executable script under certain conditions. This creates an opportunity for JavaScript injection, potentially leading to cross-site scripting (XSS).
Verify Identity Access Container
Security Verify Access Container
Verify Identity Access
And others...
CVE-2025-13855 Apr 01, 2026
IBM Storage Protect 8.2.0 Remote SQLi via Web UI IBM Storage Protect Server 8.2.0 IBM Storage Protect Plus Server is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database.
Storage Protect Server
CVE-2025-36187 Mar 25, 2026
IBM Knowledge Catalog Logs Sensitive Data to Local Privileged User (5.0.0-5.2.1) IBM Knowledge Catalog Standard Cartridge 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.1, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 5.2.1 stores potentially sensitive information in log files that could be read by a local privileged user.
Knowledge Catalog Standard Cartridge
CVE-2025-14684 Mar 25, 2026
IBM Maximo Monitor Log Injection 8.10-9.1 (CVE-2025-14684) IBM Maximo Application Suite - Monitor Component 9.1, 9.0, 8.11, and 8.10 could allow an unauthorized user to inject data into log messages due to improper neutralization of special elements when written to log files.
Maximo Application Suite Monitor Component
CVE-2025-14807 Mar 25, 2026
IBM InfoSphere Information Server 11.7.x Host Header Injection IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
Infosphere Information Server
CVE-2026-1015 Mar 25, 2026
IBM InfoSphere InfoServer 11.7.x SSRF via Outbound Requests IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
Infosphere Information Server
CVE-2026-1014 Mar 25, 2026
IBM InfoSphere IS 11.7 JSON Response Info Leakage IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to exposure of sensitive information via JSON server response manipulation.
Infosphere Information Server
CVE-2026-2483 Mar 25, 2026
IBM InfoSphere InfoServer XSS via Web UI Before 11.7.1.6 (CVE-2026-2483) IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Infosphere Information Server
CVE-2025-64648 Mar 25, 2026
IBM Concert 1.0.0-2.2.0 Transmits Data in Clear Text (MITM Risk) IBM Concert 1.0.0 through 2.2.0 transmits data in clear text that could allow an attacker to obtain sensitive information using man in the middle techniques.
Concert
CVE-2025-64647 Mar 25, 2026
IBM Concert 1.0.0-2.2.0 Crypto Weakness: Decrypt Sensitive Data IBM Concert 1.0.0 through 2.2.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information
Concert
CVE-2026-2484 Mar 25, 2026
IBM InfoSphere InfoServer 11.7.x Info Exposure via Verbose Errors IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is affected by an information exposure vulnerability caused by overly verbose error messages
Infosphere Information Server
CVE-2025-64646 Mar 25, 2026
IBM Concert 1.0-2.2 Buffer Clear Bypass (CVE-2025-64646) IBM Concert 1.0.0 through 2.2.0 could allow an attacker to access sensitive information in memory due to the buffer not properly clearing resources.
Concert
CVE-2025-36440 Mar 25, 2026
IBM Concert 1.0-2.2: Local Data Leak via Missing FLAC IBM Concert 1.0.0 through 2.2.0 could allow a local user to obtain sensitive information due to missing function level access control.
Concert
CVE-2025-36438 Mar 25, 2026
IBM Concert 2.2.0 Privileged User Channel Misrestriction Vulnerability IBM Concert 1.0.0 through 2.2.0 could allow a privileged user to perform unauthorized actions due to improper restriction of channel communication to intended endpoints.
Concert
CVE-2025-36422 Mar 25, 2026
CSRF in IBM InfoSphere DataStage Flow Designer 11.7.0.0-11.7.1.6 IBM InfoSphere DataStage Flow Designer in IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
Infosphere Information Server
CVE-2025-36258 Mar 25, 2026
IBM InfoSphere IS 11.7.x Plain-Text Credential Storage Local Privilege Escalation IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 product stores user credentials and other sensitive information in plain text which can be read by a local user.
Infosphere Information Server
CVE-2026-2485 Mar 25, 2026
Infosphere IS 11.7.x Web UI XSS (stored) - Arbitrary JS exec IBM Infosphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Infosphere Information Server
CVE-2025-14974 Mar 25, 2026
IDOR in IBM InfoSphere Information Server < 11.7.1.7 IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable due to Insecure Direct Object Reference (IDOR).
Infosphere Information Server
CVE-2026-1262 Mar 25, 2026
IBM InfoSphere Info Server 11.7 Info Disclosure (CVE-2026-1262) IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is affected by an information disclosure vulnerability.
Infosphere Information Server
CVE-2025-14917 Mar 25, 2026
IBM WebSphere App Server Liberty 17.0.0.3-26.0.0.3 Admin Security Weakness IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 could provide weaker than expected security when administering security settings.
Websphere Application Server Liberty
CVE-2025-14912 Mar 25, 2026
SSRF in IBM InfoSphere Info Server 11.7.0.0-11.7.1.6 IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
Infosphere Information Server
CVE-2025-14915 Mar 25, 2026
Privilege Escalation in IBM WebSphere AppSrv Liberty 17.0.0.3-26.0.0.3 IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 is affected by privilege escalation. A privileged user could gain additional access to the application server.
Websphere Application Server Liberty
CVE-2025-14810 Mar 25, 2026
IBM InfoSphere Info Server 11.7.0.0-11.7.1.6: Session Expiration Lapse IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 does not invalidate a session after privileges have been modified which could allow an authenticated user to retain access to sensitive information.
CWE-613: Insufficient Session Expiration. CVSS 3.1 base score 6.3 (source: IBM), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L.
Infosphere Information Server
CVE-2026-1561 Mar 25, 2026
SSRF in IBM WebSphere Application Server Liberty 17.0.0.3-26.0.0.3 IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 is vulnerable to server-side request forgery (SSRF). This may allow a remote attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
WebSphere Application Server
CVE-2025-14808 Mar 25, 2026
IBM InfoSphere IS v11.7.0.0-11.7.1.6 Info Leak via HTTP GET Query IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 could allow an attacker to obtain sensitive information from the query string of an HTTP GET method to process a request which could be obtained using man in the middle techniques.
Infosphere Information Server
CVE-2025-14790 Mar 25, 2026
IBM InfoSphere Info Server 11.7.*: Unprotected credentials expose sensitive data IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 could allow an attacker to obtain sensitive information due to insufficiently protected credentials.
Infosphere Information Server
CVE-2025-12708 Mar 25, 2026
IBM Concert 1.0.0-2.2.0 Hard-coded Creds Local User Access IBM Concert 1.0.0 through 2.2.0 contains hard-coded credentials that could be obtained by a local user.
Concert
CVE-2025-36051 Mar 19, 2026
IBM QRadar SIEM 7.5.0-14 Local User Info Disclosure in config files IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14 stores potentially sensitive information in configuration files that could be read by a local user.
Qradar Security Information Event Manager
CVE-2025-13995 Mar 19, 2026
IBM QRadar SIEM 7.5.0 UpdatePkg14 Cross-Tenant Hostname Data Leak IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14 could allow an attacker with access to one tenant to access hostname data from another tenant's account.
Qradar Security Information Event Manager
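Two of the entries above describe response-header weaknesses that can be tested for directly from a captured response: the Maximo Application Suite entry (CVE-2026-4820, session cookies set without the Secure attribute, so a plain http:// link leaks them) and the Verify Access entry (CVE-2026-4364, a JSON payload served with a text/html Content-Type that a browser may treat as markup). The script below is an added example and not code from stack.watch or IBM. It parses a raw HTTP/1.1 response, flags session-like cookies that lack Secure, and goes a little beyond the two CVEs by also flagging missing HttpOnly and SameSite, JSON bodies not served as application/json, and a missing X-Content-Type-Options: nosniff. The two sample responses and the list of session-cookie name hints are constructed for this example.

```python
import json
from typing import Dict, List, Tuple

# Substrings that mark a cookie as a session or authorization token.
# Assumption for this example; adjust to the application under test.
SESSION_COOKIE_HINTS = ("session", "jsessionid", "token", "auth", "sid")

Headers = List[Tuple[str, str]]


def parse_response(raw: str) -> Tuple[int, Headers, str]:
    """Split a raw HTTP/1.1 response into (status_code, headers, body).

    Headers are kept as an ordered list of (lower-cased name, value) pairs,
    not a dict, because Set-Cookie may legitimately appear several times.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_code = int(lines[0].split()[1])
    headers: Headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status_code, headers, body


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie_name, attributes) for one Set-Cookie value.

    Flag attributes (Secure, HttpOnly) map to "", valued ones (Path,
    SameSite, ...) to their value. Attribute names are case-insensitive
    per RFC 6265, so they are lower-cased here.
    """
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def is_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_COOKIE_HINTS)


def audit_cookies(headers: Headers) -> List[str]:
    """Flag session-like cookies missing Secure, HttpOnly or SameSite."""
    findings: List[str] = []
    for hname, hvalue in headers:
        if hname != "set-cookie":
            continue
        name, attrs = parse_set_cookie(hvalue)
        if not is_session_cookie(name):
            continue  # e.g. a language preference; low value to an attacker
        if "secure" not in attrs:
            findings.append(f"cookie {name}: missing Secure (sent over plain http://)")
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: missing HttpOnly (readable by injected script)")
        if attrs.get("samesite", "").lower() not in ("strict", "lax"):
            findings.append(f"cookie {name}: SameSite not Strict/Lax (CSRF exposure)")
    return findings


def looks_like_json(body: str) -> bool:
    try:
        json.loads(body)
    except ValueError:
        return False
    return True


def audit_content_type(headers: Headers, body: str) -> List[str]:
    """Flag JSON bodies served under a non-JSON media type, and no nosniff."""
    findings: List[str] = []
    ctype = next((v for n, v in headers if n == "content-type"), "")
    media = ctype.split(";")[0].strip().lower()
    if looks_like_json(body) and media != "application/json":
        shown = media or "(no Content-Type)"
        findings.append(f"JSON body served as {shown}; browser may render or sniff it as HTML")
    nosniff = next((v for n, v in headers if n == "x-content-type-options"), "")
    if nosniff.strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings


def audit_response(raw: str) -> List[str]:
    _, headers, body = parse_response(raw)
    return audit_cookies(headers) + audit_content_type(headers, body)


# Constructed sample responses, not real captures. The first reproduces both
# weaknesses described in the entries above; the second is the hardened form.
VULNERABLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=3F2A9C; Path=/; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "\r\n"
    '[{"label": "server-cert", "subject": "CN=example.test"}]'
)

HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json; charset=utf-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: JSESSIONID=3F2A9C; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "\r\n"
    '[{"label": "server-cert", "subject": "CN=example.test"}]'
)

if __name__ == "__main__":
    for label, raw in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, audit_response(raw) or ["no findings"])
```

Run against the two samples, the vulnerable response produces four findings (missing Secure, missing SameSite, JSON served as text/html, missing nosniff) and the hardened one produces none. To use it on a live target, feed the script the raw response text captured by a proxy or `curl -i`; the checks are purely syntactic, so they also work on responses saved to disk.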
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).