IBM Concert
By the Year
In 2026 there have been 20 vulnerabilities in IBM Concert with an average score of 6.0 out of ten. Last year, in 2025, Concert had 24 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Concert in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.09.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 20 | 6.04 |
| 2025 | 24 | 6.13 |
| 2024 | 8 | 6.86 |
It may take a day or so for new Concert vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent IBM Concert Security Vulnerabilities
IBM Concert 1.0.0-2.2.0 Transmits Data in Clear Text (MITM Risk)
CVE-2025-64648
5.9 - Medium
- March 25, 2026
IBM Concert 1.0.0 through 2.2.0 transmits data in clear text that could allow an attacker to obtain sensitive information using man in the middle techniques.
Cleartext Transmission of Sensitive Information
IBM Concert 1.0.0-2.2.0 Crypto Weakness: Decrypt Sensitive Data
CVE-2025-64647
5.9 - Medium
- March 25, 2026
IBM Concert 1.0.0 through 2.2.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information
Use of a Risky Cryptographic Primitive
IBM Concert 1.0-2.2 Buffer Clear Bypass (CVE-2025-64646)
CVE-2025-64646
6.2 - Medium
- March 25, 2026
IBM Concert 1.0.0 through 2.2.0 could allow an attacker to access sensitive information in memory due to the buffer not properly clearing resources.
Compiler Removal of Code to Clear Buffers
IBM Concert 1.0-2.2: Local Data Leak via Missing FLAC
CVE-2025-36440
5.1 - Medium
- March 25, 2026
IBM Concert 1.0.0 through 2.2.0 could allow a local user to obtain sensitive information due to missing function level access control.
Insufficiently Protected Credentials
IBM Concert 2.2.0 Privileged User Channel Misrestriction Vulnerability
CVE-2025-36438
5.1 - Medium
- March 25, 2026
IBM Concert 1.0.0 through 2.2.0 could allow a privileged user to perform unauthorized actions due to improper restriction of channel communication to intended endpoints.
Improper Restriction of Communication Channel to Intended Endpoints
IBM Concert 1.0.0-2.2.0 Hard-coded Credentials Local User Access
CVE-2025-12708
6.2 - Medium
- March 25, 2026
IBM Concert 1.0.0 through 2.2.0 contains hard-coded credentials that could be obtained by a local user.
Use of Hard-coded Credentials
IBM Concert 1.0.0-2.1.0 Local Privilege Escalation via Incorrect File Permissions
CVE-2025-33088
7.4 - High
- February 17, 2026
IBM Concert 1.0.0 through 2.1.0 could allow a local user with specific knowledge about the system's architecture to escalate their privileges due to incorrect file permissions for critical resources.
Incorrect Permission Assignment for Critical Resource
IBM Concert 1.0-2.1.0 Heap Memory Info Leak via MITM
CVE-2025-33101
5.9 - Medium
- February 17, 2026
IBM Concert 1.0.0 through 2.1.0 could allow an attacker to obtain sensitive information using man in the middle techniques due to improper clearing of heap memory.
Heap Inspection
IBM Concert <=2.1.0 Hard-coded Credentials Remote Info Disclosure
CVE-2025-33089
6.5 - Medium
- February 17, 2026
IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information or perform unauthorized actions due to the use of hard coded user credentials.
Use of Hard-coded Credentials
SSRF in IBM Concert 1.0.0-2.1.0
CVE-2025-36243
5.4 - Medium
- February 17, 2026
IBM Concert 1.0.0 through 2.1.0 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
SSRF
IBM Concert 1.0.0-2.1.0 weak crypto enables decryption
CVE-2024-43178
5.9 - Medium
- February 17, 2026
IBM Concert 1.0.0 through 2.1.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
Use of a Broken or Risky Cryptographic Algorithm
XSRF in IBM Concert Z hub 1.0.0-2.1.0
CVE-2025-36018
6.5 - Medium
- February 17, 2026
IBM Concert 1.0.0 through 2.1.0 for Z hub component is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
Session Riding
CVE-2025-36019: IBM Concert, Z Hub Framework XSS (1.0.0-2.1.0)
CVE-2025-36019
6.1 - Medium
- February 17, 2026
IBM Concert 1.0.0 through 2.1.0 for Z hub framework is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
XSS
IBM Concert HTTP Header Injection (HOST) 1.0-2.1
CVE-2024-51451
6.5 - Medium
- February 04, 2026
IBM Concert 1.0.0 through 2.1.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
Improper Neutralization of HTTP Headers for Scripting Syntax
IBM Concert 1.0.0-2.1.0: Session Invalidation Missing After Logout
CVE-2024-43181
6.3 - Medium
- February 04, 2026
IBM Concert 1.0.0 through 2.1.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.
Insufficient Session Expiration
IBM Concert 1.0-2.1 Sensitive Data Logged Locally
CVE-2025-33081
3.3 - Low
- February 03, 2026
IBM Concert 1.0.0 through 2.1.0 stores potentially sensitive information in log files that could be read by a local user.
Cleartext Storage of Sensitive Information
IBM Concert 1.0.0-2.1.0 Weak Crypto Decryption Risk
CVE-2025-36253
5.9 - Medium
- February 02, 2026
IBM Concert 1.0.0 through 2.1.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
Use of a One-Way Hash without a Salt
IBM Concert 1.0.0-2.1.0: Malicious File Upload Vulnerability
CVE-2025-33015
8.8 - High
- January 20, 2026
IBM Concert 1.0.0 through 2.1.0 is vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface.
Unrestricted File Upload
IBM Concert 1.0.0-2.1.0 Heap Memory Leak via Improper Clearing
CVE-2025-1722
5.9 - Medium
- January 20, 2026
IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory.
Heap Inspection
IBM Concert 1.0.0-2.1.0 Heap Info Leak via Improper Clearing
CVE-2025-1719
5.9 - Medium
- January 20, 2026
IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory.
Heap Inspection
IBM Concert 2.1.0 Local Priv Esc via Symlink Race
CVE-2025-64645
7.7 - High
- December 26, 2025
IBM Concert 1.0.0 through 2.1.0 could allow a local user to escalate their privileges due to a race condition of a symbolic link.
TOCTTOU
IBM Concert 1.0.0-2.1.0 Stack-Based Buffer Overflow
CVE-2025-12771
7.8 - High
- December 26, 2025
IBM Concert 1.0.0 through 2.1.0 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A local user could overflow the buffer and execute arbitrary code on the system.
Buffer Overflow
IBM Concert 1.0.0-2.1.0 Remote Heap Memory Disclosure via Improper Clearing
CVE-2025-1721
5.9 - Medium
- December 26, 2025
IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory.
Heap Inspection
IBM Concert 1.0.0-2.1.0 cleartext creds in recursive docker builds - local user
CVE-2025-36154
6.2 - Medium
- December 24, 2025
IBM Concert 1.0.0 through 2.1.0 stores sensitive information in cleartext during recursive docker builds which could be obtained by a local user.
Cleartext Storage in a File or on Disk
IBM Concert 1.0.0-2.0.0 Weak Crypto Enables Decryption Attack
CVE-2025-36150
5.9 - Medium
- November 24, 2025
IBM Concert 1.0.0 through 2.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
Use of a Broken or Risky Cryptographic Algorithm
IBM Concert Software 1.0-2.0 Remote Click Hijacking Vulnerability
CVE-2025-36149
6.3 - Medium
- November 21, 2025
IBM Concert Software 1.0.0 through 2.0.0 could allow a remote attacker to hijack the clicking action of the victim.
Clickjacking
IBM Concert XSS 1.0.0-2.0.0: JS code injection in Web UI
CVE-2025-36153
6.1 - Medium
- November 20, 2025
IBM Concert 1.0.0 through 2.0.0 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
XSS
IBM Concert 1.0.0-2.0.0 Local User Sensitive File Leak via Recursive Copy
CVE-2025-36158
5.1 - Medium
- November 20, 2025
IBM Concert 1.0.0 through 2.0.0 could allow a local user with specific permission to obtain sensitive information from files due to uncontrolled recursive directory copying.
Stack Exhaustion
IBM Concert 1.0.0-2.0.0 Log Forgery via Improper Neutralization
CVE-2025-36159
6.2 - Medium
- November 20, 2025
IBM Concert 1.0.0 through 2.0.0 could allow a local user to forge log files to impersonate other users or hide their identity due to improper neutralization of output.
Improper Output Neutralization for Logs
IBM Concert 1.0.0-2.0.0 Server Info Disclosure from HTTP Headers
CVE-2025-36160
5.3 - Medium
- November 20, 2025
IBM Concert 1.0.0 through 2.0.0 could disclose sensitive server information from HTTP response headers that could aid in further attacks against the system.
Exposure of Sensitive System Information to an Unauthorized Control Sphere
IBM Concert HSTS Misconfiguration Allowing Remote Info Exposure 1.0.0-2.0.0
CVE-2025-36161
5.9 - Medium
- November 20, 2025
IBM Concert 1.0.0 through 2.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict-Transport-Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.
Use of a Broken or Risky Cryptographic Algorithm
IBM Concert 1.0.0-2.0.0 SSRF Allows Authenticated Remote Requests
CVE-2025-36085
5.4 - Medium
- October 28, 2025
IBM Concert 1.0.0 through 2.0.0 Software is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
SSRF
IBM Concert Software 1.0.0-2.0.0 Local User Heap Memory Clear Vulnerability
CVE-2025-36083
6.2 - Medium
- October 28, 2025
IBM Concert Software 1.0.0 through 2.0.0 could allow a local user to obtain sensitive information from buffers due to improper clearing of heap memory before release.
Heap Inspection
IBM Concert Software 1.0.0-2.0.0 Log Input Injection Allows Log Modification
CVE-2025-36081
5.3 - Medium
- October 28, 2025
IBM Concert Software 1.0.0 through 2.0.0 could allow a user to modify system logs due to improper neutralization of log input.
Improper Output Neutralization for Logs
Remote Directory Traversal in IBM Concert Software 1.0.0-1.0.5
CVE-2024-55913
5.3 - Medium
- May 02, 2025
IBM Concert Software 1.0.0 through 1.0.5 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
Directory traversal
Weak Crypto in IBM Concert Software 1.0.0-1.0.5 Enables Decryption of Sensitive Data
CVE-2024-55912
5.9 - Medium
- May 02, 2025
IBM Concert Software 1.0.0 through 1.0.5 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
Use of a Broken or Risky Cryptographic Algorithm
IBM Concert Software 1.0.0-1.0.5 SSRF Vulnerability
CVE-2024-55910
6.5 - Medium
- May 02, 2025
IBM Concert Software 1.0.0 through 1.0.5 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
SSRF
IBM Concert Software 1.0.0-1.0.5 Archive Expansion DoS
CVE-2024-55909
6.5 - Medium
- May 02, 2025
IBM Concert Software 1.0.0 through 1.0.5 could allow an authenticated user to cause a denial of service due to the expansion of archive files without controlling resource consumption.
Data Amplification
IBM Concert Software 1.0.0-1.0.1 Remote Info Leak via HSTS Misconfig
CVE-2024-41757
5.9 - Medium
- January 24, 2025
IBM Concert Software 1.0.0 and 1.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.
Cleartext Transmission of Sensitive Information
IBM Concert 1.0.0-1.0.2 Sensitive Info Disclosure via API
CVE-2024-49354
7.5 - High
- January 18, 2025
IBM Concert 1.0.0, 1.0.1, and 1.0.2 is vulnerable to sensitive information disclosure through specially crafted API Calls.
Exposure of Sensitive Information Due to Incompatible Policies
IBM Concert Software 1.0.0-1.0.3: Remote Info Disclosure via HSTS Misconfig
CVE-2024-52366
5.9 - Medium
- January 07, 2025
IBM Concert Software 1.0.0, 1.0.1, 1.0.2, 1.0.2.1, and 1.0.3 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.
Use of a Broken or Risky Cryptographic Algorithm
IBM Concert Software 1.0.x Info Disclosure via Unauthorized Actor
CVE-2024-52367
7.5 - High
- January 07, 2025
IBM Concert Software 1.0.0, 1.0.1, 1.0.2, 1.0.2.1, and 1.0.3 could disclose sensitive system information to an unauthorized actor that could be used in further attacks against the system.
Exposure of Sensitive System Information to an Unauthorized Control Sphere
IBM Concert Software 1.0.0-1.0.3 Log Neutralization Bypass Auth Info Disclosure
CVE-2024-52891
5.4 - Medium
- January 07, 2025
IBM Concert Software 1.0.0, 1.0.1, 1.0.2, 1.0.2.1, and 1.0.3 could allow an authenticated user to inject malicious information or obtain information from log files due to improper log neutralization.
Improper Output Neutralization for Logs
IBM Concert Software 1.0.x Info Leak via Detailed Error Message
CVE-2024-52893
5.3 - Medium
- January 07, 2025
IBM Concert Software 1.0.0, 1.0.1, 1.0.2, 1.0.2.1, and 1.0.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.
Generation of Error Message Containing Sensitive Information
IBM Concert Software: Improper Access Control Vulnerability
CVE-2024-52359
8.8 - High
- November 19, 2024
IBM Concert Software 1.0.0, 1.0.1, 1.0.2, and 1.0.2.1 could allow an authenticated user to perform unauthorized actions that should be reserved for administrators due to improper access controls.
Incorrect User Management
IBM Concert Software SQL Injection Vulnerability
CVE-2024-52360
9.8 - Critical
- November 19, 2024
IBM Concert Software 1.0.0, 1.0.1, 1.0.2, and 1.0.2.1 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database.
SQL Injection
IBM Concert Software: Authenticated User Information Disclosure Vulnerability
CVE-2024-37070
6.5 - Medium
- November 19, 2024
IBM Concert Software 1.0.0, 1.0.1, 1.0.2, and 1.0.2.1 could allow an authenticated user to obtain sensitive information that could aid in further attacks against the system.
Exposure of Sensitive System Information to an Unauthorized Control Sphere
IBM Concert Software 1.0.0-1.0.1 HSTS Not Enabled: Remote Info Disclosure
CVE-2024-43189
5.9 - Medium
- November 15, 2024
IBM Concert Software 1.0.0 through 1.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.
Use of a Broken or Risky Cryptographic Algorithm
IBM Concert Software XSS via Web UI v1.0.0-1.0.1
CVE-2024-41785
6.1 - Medium
- November 15, 2024
IBM Concert Software 1.0.0 through 1.0.1 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
XSS
IBM Concert v1.0.0/1.0.1 CSRF: no SameSite cookie
CVE-2024-43177
9.8 - Critical
- October 22, 2024
IBM Concert 1.0.0 and 1.0.1 are vulnerable to attacks that rely on the use of cookies without the SameSite attribute.
Improper Certificate Validation