IBM Cognos Controller
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in IBM Cognos Controller.
By the Year
In 2026 there have been 0 vulnerabilities in IBM Cognos Controller. Last year, in 2025 Cognos Controller had 18 security vulnerabilities published. Right now, Cognos Controller is on track to have less security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 18 | 5.94 |
| 2024 | 20 | 6.93 |
| 2023 | 0 | 0.00 |
| 2022 | 0 | 0.00 |
| 2021 | 0 | 0.00 |
| 2020 | 1 | 7.20 |
| 2019 | 9 | 4.96 |
It may take a day or so for new Cognos Controller vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent IBM Cognos Controller Security Vulnerabilities
IBM Cognos Controller <11.1.2> Validation Bypass via ClientSide Enforce
CVE-2025-36102
2.7 - Low
- December 08, 2025
IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 could allow a privileged user to bypass validation, passing user input into the application as trusted data, due to client-side enforcement of server-side security.
Client-Side Enforcement of Server-Side Security
IBM Controller/Cognos Controller v11.* Temp File Creation Race
CVE-2025-33111
4.3 - Medium
- December 08, 2025
IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 is vulnerable to creation of temporary files without atomic operations which may expose sensitive information to an authenticated user due to race condition attacks.
Creation of Temporary File in Directory with Insecure Permissions
IBM Controller 11.1.0-11.1.1 Authenticated DoS via Quantity Size Validation
CVE-2025-36015
6.5 - Medium
- December 08, 2025
IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 could allow an authenticated user to cause a denial of service due to improper validation of a specified quantity size input.
Improper Validation of Specified Quantity in Input
IBM Cognos Controller 11.0.0-11.1.1 Hardcoded Key Session Cookie Leak
CVE-2025-36326
3.7 - Low
- September 26, 2025
IBM Cognos Controller 11.0.0 through 11.0.1, and IBM Controller 11.1.0 through 11.1.1 could allow an attacker to obtain sensitive information due to the use of hardcoded cryptographic keys for signing session cookies.
Use of Hard-coded Cryptographic Key
IBM Controller 11.x Authenticated Credentials Exposure via Source Code
CVE-2025-33079
6.5 - Medium
- May 27, 2025
IBM Controller 11.0.0, 11.0.1, and 11.1.0 application could allow an authenticated user to obtain sensitive credentials that may be inadvertently included within the source code.
Insufficiently Protected Credentials
IBM Cognos Controller 11.x XSS via Client-Side Desync (CSD)
CVE-2022-39163
4.7 - Medium
- March 26, 2025
IBM Cognos Controller 11.0.0 through 11.1.0 is vulnerable to a Client-Side Desync (CSD) attack where an attacker could exploit a desynchronized browser connection that could lead to further cross-site scripting (XSS) attacks.
HTTP Request Smuggling
IBM Cognos Controller <=11.0.1 FP3, 11.1.0: XXE XML External Entity Injection
CVE-2023-47160
8.2 - High
- February 19, 2025
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
XXE
IBM Cognos Controller 11.0.0-11.1.0 Unrestricted Deserialization
CVE-2024-28777
8.8 - High
- February 19, 2025
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 is vulnerable to unrestricted deserialization. This vulnerability allows users to execute arbitrary code, escalate privileges, or cause denial of service attacks by exploiting the unrestricted deserialization of types in the application.
Marshaling, Unmarshaling
Formula Injection in IBM Cognos Controller 11.0.011.1.0
CVE-2024-45084
8 - High
- February 19, 2025
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 could allow an authenticated attacker to conduct formula injection. An attacker could execute arbitrary commands on the system, caused by improper validation of file contents.
CSV Injection
IBM Cognos Controller 11.x XSS in Web UI before 11.1.0 FP3
CVE-2024-28776
5.4 - Medium
- February 19, 2025
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
XSS
Auth Flaw in IBM Cognos Controller 11.0.0-11.1.0: modify restricted content
CVE-2024-45081
6.5 - Medium
- February 19, 2025
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 could allow an authenticated user to modify restricted content due to incorrect authorization checks.
AuthZ
IBM Cognos Ctrl 11.0.0-11.1.0 Weak Crypto Exposes Sensitive Data
CVE-2024-28780
5.9 - Medium
- February 19, 2025
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 Rich Client uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
Use of a Broken or Risky Cryptographic Algorithm
Hardcoded DB passwords in IBM Cognos Controller 11.x unauthorized access
CVE-2024-52902
8.8 - High
- February 19, 2025
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 client application contains hard coded database passwords in source code which could be used for unauthorized access to the system.
Use of Hard-coded Credentials
IBM Cognos Controller 11.0.x Improper Cert Validation Enables Token Theft
CVE-2024-40702
8.2 - High
- January 07, 2025
IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow an unauthorized user to obtain valid tokens to gain access to protected resources due to improper certificate validation.
Improper Certificate Validation
IBM Cognos Controller 11.0-11.1.0 Exposes Artifactory API Keys
CVE-2024-28778
6.5 - Medium
- January 07, 2025
IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 is vulnerable to exposure of Artifactory API keys. This vulnerability allows users to publish code to private packages or repositories under the name of the organization.
Use of Hard-coded Credentials
IBM Cognos Controller 11.011.1 Stack Trace Info Disclosure
CVE-2024-25037
4.3 - Medium
- January 07, 2025
IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow a remote attacker to obtain sensitive information when a stack trace is returned in the browser.
Generation of Error Message Containing Sensitive Information
IBM Cognos Controller 11.* RCE: Info Leak via Error Msg
CVE-2022-22363
4.3 - Medium
- January 07, 2025
IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.
Generation of Error Message Containing Sensitive Information
IBM Cognos Controller 11.0.011.0.1 Remote Info Disclosure via Error Message
CVE-2021-20455
3.7 - Low
- January 07, 2025
IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.
Generation of Error Message Containing Sensitive Information
Authenticated File Upload in IBM Cognos Controller 11.0.0-11.0.1
CVE-2024-45676
4.3 - Medium
- December 03, 2024
IBM Cognos Controller 11.0.0 and 11.0.1 could allow an authenticated user to upload insecure files, due to insufficient file type distinction.
Insufficient Type Distinction
IBM Cognos Controller 11.0.0-11.0.1 Hard-Coded Credentials
CVE-2024-41777
7.5 - High
- December 03, 2024
IBM Cognos Controller 11.0.0 and 11.0.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
Use of Hard-coded Credentials
IBM Cognos Controller 11.0.x CSRF (CVE202441776)
CVE-2024-41776
6.5 - Medium
- December 03, 2024
IBM Cognos Controller 11.0.0 and 11.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
Session Riding
IBM Cognos Controller 11.x Insecure Crypto Enables Data Decrypt
CVE-2024-41775
7.5 - High
- December 03, 2024
IBM Cognos Controller 11.0.0 and 11.0.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
Use of a Broken or Risky Cryptographic Algorithm
IBM Cognos Controller 11.0.0/11.0.1 Unrestricted File Upload in Journal
CVE-2024-25020
9.8 - Critical
- December 03, 2024
IBM Cognos Controller 11.0.0 and 11.0.1 is vulnerable to malicious file upload by allowing unrestricted filetype attachments in the Journal entry page. Attackers can make use of this weakness and upload malicious executable files into the system and can be sent to victims for performing further attacks.
Unrestricted File Upload
IBM Cognos Controller 11.0.1 HTTP HSTS Misconfig Remote Info Disclosure
CVE-2021-29892
5.9 - Medium
- December 03, 2024
IBM Cognos Controller 11.0.0 and 11.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.
Cleartext Transmission of Sensitive Information
IBM Cognos Controller 11.x File Upload Vulnerability in Journal Attachments
CVE-2024-25019
9.8 - Critical
- December 03, 2024
IBM Cognos Controller 11.0.0 and 11.0.1 could be vulnerable to malicious file upload by not validating the type of file uploaded to Journal entry attachments. Attackers can make use of this weakness and upload malicious executable files into the system that can be sent to victims for performing further attacks.
Unrestricted File Upload
IBM Cognos Controller 11.0 Server Info Disclosure (CVE-2024-25035)
CVE-2024-25035
5.3 - Medium
- December 03, 2024
IBM Cognos Controller 11.0.0 and 11.0.1 exposes server details that could allow an attacker to obtain information of the application environment to conduct further attacks.
Exposure of Sensitive System Information to an Unauthorized Control Sphere
IBM Cognos Controller 11.0.x Input Field Restriction Bypass
CVE-2024-25036
3.3 - Low
- December 03, 2024
IBM Cognos Controller 11.0.0 and 11.0.1 could allow an authenticated user with local access to bypass security allowing users to circumvent restrictions imposed on input fields.
Authentication Bypass Using an Alternate Path or Channel
IBM Cognos Controller 11.0.x File Upload (No Validation) Vulnerability
CVE-2024-40691
9.8 - Critical
- December 03, 2024
IBM Cognos Controller 11.0.0 and 11.0.1 could be vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface. Attackers can make use of this weakness and upload malicious executable files into the system, and it can be sent to victim for performing further attacks.
Unrestricted File Upload
IBM Cognos Controller 10.4.1-11.0.0 Remote SQL Injection
CVE-2021-20451
7.2 - High
- May 03, 2024
IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 196643.
SQL Injection
IBM Cognos Controller 10.4.111.0.0: ServerSide Interaction Vulnerability
CVE-2022-22364
5.3 - Medium
- May 03, 2024
IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to external service interaction attack, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to induce the application to perform server-side DNS lookups or HTTP requests to arbitrary domain names. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. IBM X-Force ID: 220903.
Authentication Bypass by Spoofing
IBM Cognos Controller 10.4.x-11.0.0 Session Logout Bug -> Impersonation
CVE-2023-40695
8.8 - High
- May 03, 2024
IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 264938.
Insufficient Session Expiration
IBM Cognos Controller 10.4.x/11.0.0 Logging Injection via Unsanitized Input
CVE-2023-28952
5.3 - Medium
- May 03, 2024
IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to injection attacks in application logging by not sanitizing user provided data. IBM X-Force ID: 251463.
Output Sanitization
IBM Cognos Controller 10/11 SQLi Remote, BackEnd DB Access
CVE-2023-38724
9.8 - Critical
- May 03, 2024
IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 262183.
SQL Injection
IBM Cognos Controller 10.4.1/10.4.2/11.0.0: Username Enumeration via Error Differ
CVE-2021-20556
5.3 - Medium
- May 03, 2024
IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 could allow a remote user to enumerate usernames due to differentiating error messages on existing usernames. IBM X-Force ID: 199181.
Side Channel Attack
IBM Cognos Controller 10.4.1-11.0.0 Info Leak via Stack Trace
CVE-2023-23474
5.3 - Medium
- May 03, 2024
IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 could allow a remote attacker to obtain sensitive information when a stack trace is returned in the browser. IBM X-Force ID: 245403.
Generation of Error Message Containing Sensitive Information
IBM Cognos Controller 10.4.x/11.0 Weak Crypto Decrypt Vulnerability
CVE-2023-40696
7.5 - High
- May 03, 2024
IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 264939.
Use of a Broken or Risky Cryptographic Algorithm
IBM Cognos Ctrl 10.4/11.0: Session Cookie Secure Flag Missing
CVE-2021-20450
- May 03, 2024
IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 196640.
Weak Crypto in IBM Cognos Controller 10.4.x/11.0.0 Allows Data Decryption
CVE-2020-4874
7.5 - High
- May 03, 2024
IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 190837.
Use of a Broken or Risky Cryptographic Algorithm
A low level user of IBM Cognos Controller 10.3.0, 10.3.1, 10.4.0, 10.4.1, and 10.4.2 who has Administration rights to the server where the application is installed, can escalate their privilege
CVE-2020-4685
7.2 - High
- November 11, 2020
A low level user of IBM Cognos Controller 10.3.0, 10.3.1, 10.4.0, 10.4.1, and 10.4.2 who has Administration rights to the server where the application is installed, can escalate their privilege from Low level to Super Admin and gain access to Create/Update/Delete any level of user in Cognos Controller. IBM X-Force ID: 186625.
Improper Privilege Management
IBM Cognos Controller stores sensitive information in URL parameters
CVE-2019-4412
5.3 - Medium
- November 09, 2019
IBM Cognos Controller stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 162659.
Information Disclosure
IBM Cognos Controller 10.3.0, 10.3.1, 10.4.0, and 10.4.1 could
CVE-2019-4411
4.3 - Medium
- November 09, 2019
IBM Cognos Controller 10.3.0, 10.3.1, 10.4.0, and 10.4.1 could allow an authenticated user to obtain sensitive information due to easy to guess session identifier names. IBM X-Force ID: 162658.
Use of Insufficiently Random Values
IBM Cognos Controller 10.3.0, 10.3.1, 10.4.0, and 10.4.1 uses weaker than expected cryptographic algorithms
CVE-2019-4175
7.5 - High
- September 17, 2019
IBM Cognos Controller 10.3.0, 10.3.1, 10.4.0, and 10.4.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 158880.
Inadequate Encryption Strength
IBM Cognos Controller 10.3.0, 10.3.1, 10.4.0, and 10.4.1 does not set the secure attribute on authorization tokens or session cookies
CVE-2019-4171
3.7 - Low
- September 17, 2019
IBM Cognos Controller 10.3.0, 10.3.1, 10.4.0, and 10.4.1 does not set the secure attribute on authorization tokens or session cookies. This could allow an attacker to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 158876.
Missing Encryption of Sensitive Data
IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0 is vulnerable to cross-site scripting
CVE-2019-4136
5.4 - Medium
- June 17, 2019
IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 158332.
XSS
IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0
CVE-2019-4177
3.3 - Low
- June 17, 2019
IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 158882.
Improper Privilege Management
IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0 could
CVE-2019-4176
5.3 - Medium
- June 17, 2019
IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0 could allow a remote attacker to bypass security restrictions, caused by an error related to insecure HTTP Methods. An attacker could exploit this vulnerability to gain access to the system. IBM X-Force ID: 158881.
IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0
CVE-2019-4174
3.3 - Low
- June 17, 2019
IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 158879.
Improper Privilege Management
IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0 could
CVE-2019-4173
6.5 - Medium
- June 17, 2019
IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0 could allow a remote attacker to obtain sensitive information, caused by a flaw in the HTTP OPTIONS method, aka Optionsbleed. By sending an OPTIONS HTTP request, a remote attacker could exploit this vulnerability to read secret data from process memory and obtain sensitive information. IBM X-Force ID: 158878.
Information Disclosure
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for IBM Cognos Controller or by IBM? Click the Watch button to subscribe.
