IBM Concert

By the Year

In 2026 there have been 11 vulnerabilities in IBM Concert, with an average score of 6.2 out of ten. Last year, in 2025, Concert had 24 security vulnerabilities published. If vulnerabilities keep arriving at the current rate, the number of security vulnerabilities in Concert in 2026 could surpass last year's total. Meanwhile, the average CVE base score of the vulnerabilities in 2026 is greater by 0.10.

Year  Vulnerabilities  Average Score
2026  11               6.23
2025  24               6.13
2024   8               6.86

It may take a day or so for new Concert vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent IBM Concert Security Vulnerabilities

IBM Concert 1.0.0-2.1.0 Local Privilege Escalation via Incorrect File Permissions
CVE-2025-33088 7.4 - High - February 17, 2026

IBM Concert 1.0.0 through 2.1.0 could allow a local user with specific knowledge about the system's architecture to escalate their privileges due to incorrect file permissions for critical resources.

Incorrect Permission Assignment for Critical Resource

IBM Concert 1.0.0-2.1.0 weak crypto enables decryption
CVE-2024-43178 5.9 - Medium - February 17, 2026

IBM Concert 1.0.0 through 2.1.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

Use of a Broken or Risky Cryptographic Algorithm

XSRF in IBM Concert Z Hub 1.0.0-2.1.0
CVE-2025-36018 6.5 - Medium - February 17, 2026

The Z hub component of IBM Concert 1.0.0 through 2.1.0 is vulnerable to cross-site request forgery, which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

Session Riding

CVE-2025-36019: IBM Concert, Z Hub Framework XSS (1.0.0-2.1.0)
CVE-2025-36019 6.1 - Medium - February 17, 2026

IBM Concert 1.0.0 through 2.1.0 for the Z hub framework is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credential disclosure within a trusted session.

XSS

IBM Concert HTTP Header Injection (HOST) 1.0-2.1
CVE-2024-51451 6.5 - Medium - February 04, 2026

IBM Concert 1.0.0 through 2.1.0 is vulnerable to HTTP header injection, caused by improper validation of the HOST header. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.

Improper Neutralization of HTTP Headers for Scripting Syntax

IBM Concert 1.0.0-2.1.0: Session Invalidation Missing After Logout
CVE-2024-43181 6.3 - Medium - February 04, 2026

IBM Concert 1.0.0 through 2.1.0 does not invalidate the session after logout, which could allow an authenticated user to impersonate another user on the system.

Insufficient Session Expiration

IBM Concert 1.0-2.1 Sensitive Data Logged Locally
CVE-2025-33081 3.3 - Low - February 03, 2026

IBM Concert 1.0.0 through 2.1.0 stores potentially sensitive information in log files that could be read by a local user.

Cleartext Storage of Sensitive Information

IBM Concert 1.0.0-2.1.0 Weak Crypto Decryption Risk
CVE-2025-36253 5.9 - Medium - February 02, 2026

IBM Concert 1.0.0 through 2.1.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

Use of a One-Way Hash without a Salt

IBM Concert 1.0.0-2.1.0: Malicious File Upload Vulnerability
CVE-2025-33015 8.8 - High - January 20, 2026

IBM Concert 1.0.0 through 2.1.0 is vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface.

Unrestricted File Upload

IBM Concert 1.0.0-2.1.0 Heap Memory Leak via Improper Clearing
CVE-2025-1722 5.9 - Medium - January 20, 2026

IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory.

Heap Inspection

IBM Concert 1.0.0-2.1.0 Heap Info Leak via Improper Clearing
CVE-2025-1719 5.9 - Medium - January 20, 2026

IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory.

Heap Inspection

IBM Concert 2.1.0 Local Priv Esc via Symlink Race
CVE-2025-64645 7.7 - High - December 26, 2025

IBM Concert 1.0.0 through 2.1.0 could allow a local user to escalate their privileges due to a race condition of a symbolic link.

TOCTTOU

IBM Concert 1.0.0-2.1.0 Stack-Based Buffer Overflow
CVE-2025-12771 7.8 - High - December 26, 2025

IBM Concert 1.0.0 through 2.1.0 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A local user could overflow the buffer and execute arbitrary code on the system.

Buffer Overflow

IBM Concert 1.0.0-2.1.0 Remote Heap Memory Disclosure via Improper Clearing
CVE-2025-1721 5.9 - Medium - December 26, 2025

IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory.

Heap Inspection

IBM Concert 1.0.0-2.1.0 cleartext creds in recursive docker builds - local user
CVE-2025-36154 6.2 - Medium - December 24, 2025

IBM Concert 1.0.0 through 2.1.0 stores sensitive information in cleartext during recursive docker builds which could be obtained by a local user.

Cleartext Storage in a File or on Disk

IBM Concert 1.0.0-2.0.0 Weak Crypto Enables Decryption Attack
CVE-2025-36150 5.9 - Medium - November 24, 2025

IBM Concert 1.0.0 through 2.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

Use of a Broken or Risky Cryptographic Algorithm

IBM Concert Software 1.0.0-2.0.0 Remote Clickjacking Vulnerability
CVE-2025-36149 6.3 - Medium - November 21, 2025

IBM Concert Software 1.0.0 through 2.0.0 could allow a remote attacker to hijack the clicking action of the victim.

Clickjacking

IBM Concert XSS 1.0.0-2.0.0: JS code injection in Web UI
CVE-2025-36153 6.1 - Medium - November 20, 2025

IBM Concert 1.0.0 through 2.0.0 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credential disclosure within a trusted session.

XSS

IBM Concert 1.0.0-2.0.0 Local User Sensitive File Leak via Recursive Copy
CVE-2025-36158 5.1 - Medium - November 20, 2025

IBM Concert 1.0.0 through 2.0.0 could allow a local user with specific permission to obtain sensitive information from files due to uncontrolled recursive directory copying.

Stack Exhaustion

IBM Concert 1.0.0-2.0.0 Log Forgery via Improper Neutralization
CVE-2025-36159 6.2 - Medium - November 20, 2025

IBM Concert 1.0.0 through 2.0.0 could allow a local user to forge log files to impersonate other users or hide their identity due to improper neutralization of output.

Improper Output Neutralization for Logs

IBM Concert 1.0.0-2.0.0 Server Info Disclosure from HTTP Headers
CVE-2025-36160 5.3 - Medium - November 20, 2025

IBM Concert 1.0.0 through 2.0.0 could disclose sensitive server information from HTTP response headers that could aid in further attacks against the system.

Exposure of Sensitive System Information to an Unauthorized Control Sphere

IBM Concert HSTS Misconfiguration Allowing Remote Info Exposure 1.0.0-2.0.0
CVE-2025-36161 5.9 - Medium - November 20, 2025

IBM Concert 1.0.0 through 2.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict-Transport-Security. An attacker could exploit this vulnerability to obtain sensitive information using man-in-the-middle techniques.

Use of a Broken or Risky Cryptographic Algorithm

IBM Concert 1.0.0-2.0.0 SSRF Allows Authenticated Remote Requests
CVE-2025-36085 5.4 - Medium - October 28, 2025

IBM Concert Software 1.0.0 through 2.0.0 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.

SSRF

IBM Concert Software 1.0.0-2.0.0 Local User Heap Memory Clear Vulnerability
CVE-2025-36083 6.2 - Medium - October 28, 2025

IBM Concert Software 1.0.0 through 2.0.0 could allow a local user to obtain sensitive information from buffers due to improper clearing of heap memory before release.

Heap Inspection

IBM Concert Software 1.0.0-2.0.0 Log Input Injection Allows Log Modification
CVE-2025-36081 5.3 - Medium - October 28, 2025

IBM Concert Software 1.0.0 through 2.0.0 could allow a user to modify system logs due to improper neutralization of log input.

Improper Output Neutralization for Logs

Remote Directory Traversal in IBM Concert Software 1.0.0-1.0.5
CVE-2024-55913 5.3 - Medium - May 02, 2025

IBM Concert Software 1.0.0 through 1.0.5 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.

Directory traversal

Weak Crypto in IBM Concert Software 1.0.0-1.0.5 Enables Decryption of Sensitive Data
CVE-2024-55912 5.9 - Medium - May 02, 2025

IBM Concert Software 1.0.0 through 1.0.5 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

Use of a Broken or Risky Cryptographic Algorithm

IBM Concert Software 1.0.0-1.0.5 SSRF Vulnerability
CVE-2024-55910 6.5 - Medium - May 02, 2025

IBM Concert Software 1.0.0 through 1.0.5 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.

SSRF

IBM Concert Software 1.0.0-1.0.5 Archive Expansion DoS
CVE-2024-55909 6.5 - Medium - May 02, 2025

IBM Concert Software 1.0.0 through 1.0.5 could allow an authenticated user to cause a denial of service due to the expansion of archive files without controlling resource consumption.

Data Amplification

IBM Concert Software 1.0.0-1.0.1 Remote Info Leak via HSTS Misconfig
CVE-2024-41757 5.9 - Medium - January 24, 2025

IBM Concert Software 1.0.0 and 1.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man-in-the-middle techniques.

Cleartext Transmission of Sensitive Information

IBM Concert 1.0.0-1.0.2 Sensitive Info Disclosure via API
CVE-2024-49354 7.5 - High - January 18, 2025

IBM Concert 1.0.0, 1.0.1, and 1.0.2 is vulnerable to sensitive information disclosure through specially crafted API Calls.

Exposure of Sensitive Information Due to Incompatible Policies

IBM Concert Software 1.0.0-1.0.3: Remote Info Disclosure via HSTS Misconfig
CVE-2024-52366 5.9 - Medium - January 07, 2025

IBM Concert Software 1.0.0, 1.0.1, 1.0.2, 1.0.2.1, and 1.0.3 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man-in-the-middle techniques.

Use of a Broken or Risky Cryptographic Algorithm

IBM Concert Software 1.0.x Info Leak via Detailed Error Message
CVE-2024-52893 5.3 - Medium - January 07, 2025

IBM Concert Software 1.0.0, 1.0.1, 1.0.2, 1.0.2.1, and 1.0.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.

Generation of Error Message Containing Sensitive Information

IBM Concert Software 1.0.0-1.0.3 Log Neutralization Bypass: Authenticated Info Disclosure
CVE-2024-52891 5.4 - Medium - January 07, 2025

IBM Concert Software 1.0.0, 1.0.1, 1.0.2, 1.0.2.1, and 1.0.3 could allow an authenticated user to inject malicious information or obtain information from log files due to improper log neutralization.

Improper Output Neutralization for Logs

IBM Concert Software 1.0.x Info Disclosure via Unauthorized Actor
CVE-2024-52367 7.5 - High - January 07, 2025

IBM Concert Software 1.0.0, 1.0.1, 1.0.2, 1.0.2.1, and 1.0.3 could disclose sensitive system information to an unauthorized actor that could be used in further attacks against the system.

Exposure of Sensitive System Information to an Unauthorized Control Sphere

IBM Concert Software SQL Injection Vulnerability
CVE-2024-52360 9.8 - Critical - November 19, 2024

IBM Concert Software 1.0.0, 1.0.1, 1.0.2, and 1.0.2.1 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database.

SQL Injection

IBM Concert Software: Improper Access Control Vulnerability
CVE-2024-52359 8.8 - High - November 19, 2024

IBM Concert Software 1.0.0, 1.0.1, 1.0.2, and 1.0.2.1 could allow an authenticated user to perform unauthorized actions that should be reserved for administrator users, due to improper access controls.

Incorrect User Management

IBM Concert Software: Authenticated User Information Disclosure Vulnerability
CVE-2024-37070 6.5 - Medium - November 19, 2024

IBM Concert Software 1.0.0, 1.0.1, 1.0.2, and 1.0.2.1 could allow an authenticated user to obtain sensitive information that could aid in further attacks against the system.

Exposure of Sensitive System Information to an Unauthorized Control Sphere

IBM Concert Software 1.0.0-1.0.1 HSTS Not Enabled: Remote Info Disclosure
CVE-2024-43189 5.9 - Medium - November 15, 2024

IBM Concert Software 1.0.0 through 1.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man-in-the-middle techniques.

Use of a Broken or Risky Cryptographic Algorithm

IBM Concert Software XSS via Web UI v1.0.0-1.0.1
CVE-2024-41785 6.1 - Medium - November 15, 2024

IBM Concert Software 1.0.0 through 1.0.1 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credential disclosure within a trusted session.

XSS

IBM Concert v1.0.0/1.0.1 CSRF: no SameSite cookie
CVE-2024-43177 9.8 - Critical - October 22, 2024

IBM Concert 1.0.0 and 1.0.1 are vulnerable to attacks that rely on the use of cookies without the SameSite attribute.

Improper Certificate Validation

IBM Concert 1.0.0/1.0.1: No SameSite Cookie (CSRF)
CVE-2024-43173 3.7 - Low - October 22, 2024

IBM Concert 1.0.0 and 1.0.1 are vulnerable to attacks that rely on the use of cookies without the SameSite attribute.

Sensitive Cookie with Improper SameSite Attribute

IBM Concert 1.0 Secure Cookie Attribute Missing in Auth Tokens
CVE-2024-43180 4.3 - Medium - September 13, 2024

IBM Concert 1.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending an http:// link to a user or by planting this link in a site the user visits. The cookie will be sent to the insecure link, and the attacker can then obtain the cookie value by snooping the traffic.

Cleartext Transmission of Sensitive Information
