IBM Aspera Orchestrator


By the Year

In 2026 there have so far been 2 vulnerabilities in IBM Aspera Orchestrator, with an average CVSS base score of 5.65 out of 10. In 2025, Aspera Orchestrator had 4 security vulnerabilities published. If vulnerabilities keep arriving at the current rate, the 2026 total could surpass last year's. Last year's average CVE base score was higher by 1.80 (7.45 versus 5.65).

Year Vulnerabilities Average Score
2026 2 5.65
2025 4 7.45
2024 5 6.30

It may take a day or so for new Aspera Orchestrator vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent IBM Aspera Orchestrator Security Vulnerabilities

IBM Aspera Orchestrator 3.0.0-4.1.2 HTTP Header Injection
CVE-2025-13213 5.4 - Medium - March 10, 2026

IBM Aspera Orchestrator 3.0.0 through 4.1.2 is vulnerable to HTTP header injection, caused by improper validation of the HOST header. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.

Improper Neutralization of HTTP Headers for Scripting Syntax

IBM Aspera Orchestrator 3.0.0-4.1.2 Sensitive Info in URL Params (Info Disclosure)
CVE-2025-13219 5.9 - Medium - March 10, 2026

IBM Aspera Orchestrator 3.0.0 through 4.1.2 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history.

Use of GET Request Method With Sensitive Query Strings
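The exposure described above is easiest to find after the fact in server logs: the secret is in the request line of the page that received it, and in the Referer of every request that page made next. The scanner below is an added example, not stack.watch's or IBM's code; the combined log format, the SENSITIVE_PARAMS list and the sample log lines are assumptions constructed for illustration.

```python
"""Find sensitive data carried in GET query strings by scanning access logs.

Added example, not the product's code. Log format (Apache/nginx combined
style), the parameter names and the sample lines are assumed/constructed.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names that should never travel in a URL (assumption for illustration).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "api_key", "apikey",
                    "access_token", "session", "sessionid", "secret", "auth"}

# Combined log format: ip - user [time] "METHOD target HTTP/x" status size "referer" "ua"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')


def sensitive_params_in(url_or_path: str) -> list:
    """Return the sensitive parameter names present in a URL's query string."""
    query = urlsplit(url_or_path).query
    return sorted({k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})


def scan_access_log(lines) -> list:
    """Return (ip, method, where, params) for each request that carried a
    sensitive parameter in its own URL or in its Referer. The Referer case
    is the leak the advisory names: the secret goes to whatever site the
    page links to, and into that site's logs."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line.strip())
        if not m:
            continue
        own = sensitive_params_in(m["target"])
        if own:
            hits.append((m["ip"], m["method"], "request", own))
        ref = sensitive_params_in(m["referer"]) if m["referer"] != "-" else []
        if ref:
            hits.append((m["ip"], m["method"], "referer", ref))
    return hits


# Constructed sample lines; not real Orchestrator logs.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2026:10:00:01 +0000] "GET /login?username=alice&password=Winter2026 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Mar/2026:10:00:02 +0000] "GET /dashboard HTTP/1.1" 200 5120 "https://orchestrator.example.com/login?username=alice&password=Winter2026" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Mar/2026:10:00:03 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Mar/2026:10:00:04 +0000] "GET /api/jobs?token=abcd1234 HTTP/1.1" 200 88 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

The POST login on line three produces no hit because the credentials are in the body, which is the shape the fix moves the product towards; the scanner is also useful on a proxy or CDN log, where the same URLs are retained by parties that never needed the secret.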

IBM Aspera Orchestrator 4.0.0-4.1.0 SQL Injection
CVE-2025-13214 7.6 - High - December 11, 2025

IBM Aspera Orchestrator 4.0.0 through 4.1.0 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database.

SQL Injection
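The advisory lists view/add/modify/delete as the impact, which follows directly from letting input become part of the statement. The following is an added example, not IBM's code: a string-built query beside its parameterized form against an in-memory SQLite database. The schema, the function names, the sample rows and the payloads are assumptions constructed for illustration.

```python
"""SQL injection: string-built query beside its parameterized form.

Added example, not the product's code. Schema, rows and payloads are
constructed; SQLite in memory so it runs offline.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: a jobs table the user may query and a
    users table they must not be able to read."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO jobs (owner, name) VALUES (?, ?)",
                     [("alice", "nightly-transfer"), ("bob", "archive-sync")])
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                     [("admin", "$2b$12$constructed-hash-value")])
    conn.commit()
    return conn


def jobs_for_owner_vulnerable(conn, owner: str) -> list:
    """Concatenates untrusted input into SQL: the value can end the string
    literal and continue the statement."""
    sql = f"SELECT name FROM jobs WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def jobs_for_owner_safe(conn, owner: str) -> list:
    """Bound parameter: the driver sends the value separately from the
    statement, so it is never parsed as SQL."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM jobs WHERE owner = ?", (owner,))]


# Constructed payloads.
PAYLOAD_TAUTOLOGY = "x' OR '1'='1"                                   # every row
PAYLOAD_UNION = "x' UNION SELECT password_hash FROM users --"        # another table

if __name__ == "__main__":
    db = make_db()
    print(jobs_for_owner_vulnerable(db, PAYLOAD_TAUTOLOGY))
    print(jobs_for_owner_vulnerable(db, PAYLOAD_UNION))
    print(jobs_for_owner_safe(db, PAYLOAD_UNION))
```

With the parameterized version both payloads are just owner names that match nothing. The UNION payload is the "view information" case; the same entry point with a driver that accepts stacked statements is the add/modify/delete case.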

Authenticated user can change another's password in IBM Aspera Orchestrator 4.x
CVE-2025-13148 8.1 - High - December 11, 2025

IBM Aspera Orchestrator 4.0.0 through 4.1.0 could allow an authenticated user to change the password of another user without prior knowledge of that password.

Unverified Password Change

IBM Aspera Orchestrator 4.0.0-4.1.0 Authenticated Command Execution via Input Validation Abuse
CVE-2025-13481 8.8 - High - December 11, 2025

IBM Aspera Orchestrator 4.0.0 through 4.1.0 could allow an authenticated user to execute arbitrary commands with elevated privileges on the system due to improper validation of user supplied input.

Shell injection

IBM Aspera Orchestrator 4.0.0-4.1.0 Email DoS via Improper Interaction Frequency Control
CVE-2025-13211 5.3 - Medium - December 11, 2025

IBM Aspera Orchestrator 4.0.0 through 4.1.0 could allow an authenticated user to cause a denial of service in the email service due to improper control of interaction frequency.

Insufficient anti-automation
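"Improper control of interaction frequency" is CWE-799, and the control it asks for is a rate limit on the action, here sending mail, keyed on the actor. The code below is an added example, not Orchestrator's code: a sliding-window limiter applied per user and globally in front of a simulated sender, with an injectable clock so the behaviour can be checked without waiting. The limits, the keys and the Mailer class are assumptions.

```python
"""Sliding-window frequency control in front of an e-mail sender.

Added example, not the product's code; limits, keys and the injected
clock are assumptions chosen for illustration.
"""
import time
from collections import deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window_s` seconds for each key."""

    def __init__(self, limit: int, window_s: float, clock=time.monotonic):
        self.limit, self.window_s, self.clock = limit, window_s, clock
        self._hits = {}  # key -> deque of event timestamps

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] >= self.window_s:  # drop events that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def unthrottled_send(sent: list, user: str, to: str, subject: str) -> bool:
    """The vulnerable shape: every request becomes a message, so one
    authenticated account can exhaust the mail service for everyone."""
    sent.append((user, to, subject))
    return True


class Mailer:
    """Sends are throttled per authenticated user and overall. Delivery is
    simulated by appending to `sent`."""

    def __init__(self, per_user: SlidingWindowLimiter, overall: SlidingWindowLimiter):
        self.per_user, self.overall, self.sent = per_user, overall, []

    def send(self, user: str, to: str, subject: str) -> bool:
        if not self.per_user.allow(user):
            return False          # this account is over its quota; reject, do not queue
        if not self.overall.allow("*"):
            return False          # protects the shared outbound capacity
        self.sent.append((user, to, subject))
        return True


if __name__ == "__main__":
    m = Mailer(SlidingWindowLimiter(5, 60), SlidingWindowLimiter(100, 60))
    print([m.send("alice", "ops@example.com", "job finished") for _ in range(7)])
```

Rejecting rather than queueing is deliberate: a queue that grows without bound just moves the denial of service from the SMTP relay into the application's memory.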

IBM Aspera Orchestrator 4.0.1 XSRF vulnerability
CVE-2023-38001 6.5 - Medium - July 30, 2024

IBM Aspera Orchestrator 4.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 260206.

Session Riding

IBM Aspera Orchestrator 4.0.1: HTTP/Host Header Injection (XSS, Cache Poisoning)
CVE-2023-26289 5.4 - Medium - July 30, 2024

IBM Aspera Orchestrator 4.0.1 is vulnerable to HTTP header injection, caused by improper validation of the HOST header. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 248478.

Output Sanitization
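The Host header weakness appears twice on this page (CVE-2025-13213 for 3.0.0-4.1.2 and CVE-2023-26289 for 4.0.1), and the impacts listed, cache poisoning and session hijacking, all begin with the server building a URL from an attacker-supplied Host. The code below is an added example, not IBM's or stack.watch's code: an allowlist check on the defending side, and a reflection check a tester runs on a probe response. ALLOWED_HOSTS, the helper names and the sample response are assumptions constructed for illustration.

```python
"""Host header allowlisting plus a reflection check.

Added example, not the product's code. ALLOWED_HOSTS, the helper names
and the sample response are constructed for illustration.
"""
import re

# Assumed: hostnames (optionally with port) this deployment is legitimately reached under.
ALLOWED_HOSTS = {"orchestrator.example.com", "orchestrator.internal:8443"}

# hostname labels with an optional numeric port; anything else is rejected outright.
_HOST_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?::\d{1,5})?$", re.I)


def host_is_allowed(host_header: str) -> bool:
    """Accept a Host value only if it is syntactically hostname[:port] and
    is listed verbatim in the allowlist (case-insensitive)."""
    if not host_header or not _HOST_RE.match(host_header):
        return False
    return host_header.lower() in ALLOWED_HOSTS


def canonical_base_url(host_header: str, scheme: str = "https") -> str:
    """Absolute URLs (redirect targets, links in e-mail) are built only
    from a validated host. Raising here is what keeps an attacker's Host
    out of a Location header, a cached page or a password-reset link."""
    if not host_is_allowed(host_header):
        raise ValueError(f"untrusted Host header: {host_header!r}")
    return f"{scheme}://{host_header.lower()}"


def host_reflected(probe_host: str, headers: dict, body: str) -> list:
    """Detection side. Given the Host value sent in a probe request and the
    response headers and body, list where the server echoed it back."""
    needle = probe_host.lower()
    findings = []
    if needle in headers.get("Location", "").lower():
        findings.append("Location")
    for name, value in headers.items():
        if name.lower() in ("set-cookie", "link", "refresh") and needle in value.lower():
            findings.append(name)
    if needle in body.lower():
        findings.append("body")
    return findings


# Constructed response to a probe that carried "Host: evil.example".
SAMPLE_HEADERS = {"Location": "https://evil.example/login", "Content-Type": "text/html"}
SAMPLE_BODY = '<a href="https://evil.example/reset?id=42">reset your password</a>'

if __name__ == "__main__":
    print(host_is_allowed("orchestrator.example.com"), host_is_allowed("evil.example"))
    print(host_reflected("evil.example", SAMPLE_HEADERS, SAMPLE_BODY))
```

When probing, send the unexpected Host both on its own and alongside X-Forwarded-Host, and fetch the same path twice: a second response that still carries the probe value without it being sent is the cache-poisoning case.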

IBM Aspera Orchestrator 4.0.1 session invalidation flaw allows impersonation
CVE-2023-26288 5.5 - Medium - July 30, 2024

IBM Aspera Orchestrator 4.0.1 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 248477.

Insufficient Session Expiration
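Two entries on this page concern the same password-change handler from different sides: CVE-2025-13148 (4.0.0-4.1.0) lets an authenticated user set another user's password without knowing the current one, and CVE-2023-26288 (4.0.1) leaves existing sessions valid after a change, so an attacker who already holds a session keeps it. The following is an added example, not Orchestrator's code: a minimal in-memory user and session store with the flawed handler beside one that requires the current password, restricts the change to the caller's own account, and revokes that user's other sessions. The store, the KDF choice and the function names are assumptions.

```python
"""Password change done two ways: as the advisories describe, and fixed.

Added example, not the product's code. The in-memory store, PBKDF2 as the
stand-in KDF and the handler names are assumptions.
"""
import hashlib
import hmac
import os
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2 stands in for whatever KDF the real product uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Store:
    """Constructed in-memory users and sessions."""

    def __init__(self):
        self.users = {}     # username -> (salt, hash)
        self.sessions = {}  # session id -> username

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))

    def login(self, username: str, password: str):
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(rec[1], _hash(password, rec[0])):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid

    def whoami(self, sid: str):
        return self.sessions.get(sid)


def change_password_vulnerable(store: Store, sid: str, target_user: str, new_password: str) -> bool:
    """Any authenticated session may set any user's password; no current
    password is required, and the target's existing sessions stay valid."""
    if store.whoami(sid) is None or target_user not in store.users:
        return False
    salt = os.urandom(16)
    store.users[target_user] = (salt, _hash(new_password, salt))
    return True


def change_password_safe(store: Store, sid: str, current_password: str, new_password: str) -> bool:
    """Only the session's own account, only with proof of the current
    password, and every other session of that account is revoked."""
    user = store.whoami(sid)
    if user is None:
        return False
    salt, digest = store.users[user]
    if not hmac.compare_digest(digest, _hash(current_password, salt)):
        return False
    salt = os.urandom(16)
    store.users[user] = (salt, _hash(new_password, salt))
    for other in [s for s, u in store.sessions.items() if u == user and s != sid]:
        del store.sessions[other]       # an attacker holding an old session loses it
    return True


if __name__ == "__main__":
    st = Store()
    st.add_user("alice", "alice-old")
    s1, s2 = st.login("alice", "alice-old"), st.login("alice", "alice-old")
    print(change_password_safe(st, s1, "alice-old", "alice-new"), st.whoami(s1), st.whoami(s2))
```

Administrative resets of another user's password are a separate, explicitly privileged operation; even there the target's sessions should be revoked, since a reset is often the response to a suspected compromise.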

IBM Aspera Orchestrator 4.0.1 Username Enumeration via Response Discrepancies
CVE-2023-27283 5.3 - Medium - May 04, 2024

IBM Aspera Orchestrator 4.0.1 could allow a remote attacker to enumerate usernames due to observable response discrepancies. IBM X-Force ID: 248545.

Side Channel Attack
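"Observable response discrepancies" (CWE-204) covers both a different message or status for unknown versus known usernames and a different amount of work, which shows up as timing. The code below is an added example, not IBM's code: a login check that leaks beside one that returns the same response and performs the same hash computation on both paths. The user store and the messages are assumptions.

```python
"""Login responses that do and do not reveal whether a username exists.

Added example, not the product's code; the store and messages are
constructed for illustration.
"""
import hashlib
import hmac
import os

USERS = {}  # username -> (salt, hash); constructed


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def add_user(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = (salt, _hash(password, salt))


def login_leaky(username: str, password: str) -> tuple:
    """Different status and message per failure cause, and no hashing at
    all for unknown users, so both the body and the response time tell
    the attacker which usernames exist."""
    if username not in USERS:
        return (404, "unknown user")
    salt, digest = USERS[username]
    if not hmac.compare_digest(digest, _hash(password, salt)):
        return (401, "wrong password")
    return (200, "ok")


# A fixed dummy record so the unknown-user path does the same work as a real one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)


def login_uniform(username: str, password: str) -> tuple:
    """One failure response, and the KDF runs whether or not the user
    exists. The membership test is evaluated after the hash so the work
    done does not depend on it."""
    salt, digest = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(digest, _hash(password, salt)) and username in USERS
    return (200, "ok") if ok else (401, "invalid username or password")


if __name__ == "__main__":
    add_user("alice", "correct")
    print(login_leaky("alice", "wrong"), login_leaky("nobody", "wrong"))
    print(login_uniform("alice", "wrong"), login_uniform("nobody", "wrong"))
```

The same discipline applies to registration and password-reset forms ("if that address is registered, a message has been sent"), which are the endpoints usually found to leak when login has already been fixed.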

IBM Aspera Orchestrator 4.0.1 Authenticated Remote Cmd Exec via crafted request
CVE-2023-37407 8.8 - High - May 03, 2024

IBM Aspera Orchestrator 4.0.1 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 260116.

Shell injection
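Authenticated command execution is listed twice on this page (CVE-2025-13481 for 4.0.0-4.1.0 and CVE-2023-37407 for 4.0.1), both attributed to input that reaches a command without adequate validation. The page gives no detail of the affected endpoints, so the code below is an added example, not Orchestrator's code: a user-chosen directory name interpolated into a shell string, beside the same operation done with an allowlisted value and an argv list that no shell parses. TRANSFER_ROOT, the operation and the payload are assumptions.

```python
"""Command injection: shell string beside allowlisted argv list.

Added example, not the product's code. The listed directory, the root
path and the payload are assumptions constructed for illustration.
"""
import re
import subprocess

TRANSFER_ROOT = "/tmp/orchestrator-example"  # assumption


def build_command_vulnerable(user_dir: str) -> str:
    """Interpolates user input into a shell command line; ';', '|', '`' or
    '$(...)' in user_dir becomes a second command run as the service user."""
    return f"ls -l {TRANSFER_ROOT}/{user_dir}"


def run_vulnerable(user_dir: str) -> str:
    return subprocess.run(build_command_vulnerable(user_dir),
                          shell=True, capture_output=True, text=True).stdout


# One path component: letters, digits, dot, underscore, dash; no separators at all.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def build_command_safe(user_dir: str) -> list:
    """Allowlist the value (which also rules out '..' traversal and any
    shell metacharacter) and pass argv as a list with shell=False."""
    if not _SAFE_NAME.match(user_dir) or user_dir in (".", ".."):
        raise ValueError("invalid directory name")
    return ["ls", "-l", f"{TRANSFER_ROOT}/{user_dir}"]


def run_safe(user_dir: str) -> str:
    return subprocess.run(build_command_safe(user_dir),
                          shell=False, capture_output=True, text=True).stdout


PAYLOAD = "inbox; id"  # constructed: appends a second command after the intended ls

if __name__ == "__main__":
    print(build_command_vulnerable(PAYLOAD))
    print(build_command_safe("inbox"))
    try:
        build_command_safe(PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
```

"Elevated privileges" in the 2025 entry is the second half of the fix: even with the injection closed, the process that runs these commands should not be the one that owns the application's files or runs as root, so a future bypass is contained.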
