IBM Controller
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in IBM Controller.
By the Year
In 2026 there have been 0 vulnerabilities in IBM Controller. Last year, in 2025 Controller had 20 security vulnerabilities published. Right now, Controller is on track to have less security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 20 | 6.00 |
It may take a day or so for new Controller vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent IBM Controller Security Vulnerabilities
IBM Controller 11.1.x & Cognos Controller 11.0.x FP6 Unencrypted Env Var Leak
CVE-2025-36017
6.5 - Medium
- December 08, 2025
IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 stores unencrypted sensitive information in environmental variables files which can be obtained by an authenticated user.
Exposure of Sensitive Information Through Environmental Variables
IBM Cognos Controller <11.1.2> Validation Bypass via ClientSide Enforce
CVE-2025-36102
2.7 - Low
- December 08, 2025
IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 could allow a privileged user to bypass validation, passing user input into the application as trusted data, due to client-side enforcement of server-side security.
Client-Side Enforcement of Server-Side Security
IBM Controller/Cognos Controller v11.* Temp File Creation Race
CVE-2025-33111
4.3 - Medium
- December 08, 2025
IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 is vulnerable to creation of temporary files without atomic operations which may expose sensitive information to an authenticated user due to race condition attacks.
Creation of Temporary File in Directory with Insecure Permissions
IBM Controller 11.1.0-11.1.1 Authenticated DoS via Quantity Size Validation
CVE-2025-36015
6.5 - Medium
- December 08, 2025
IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 could allow an authenticated user to cause a denial of service due to improper validation of a specified quantity size input.
Improper Validation of Specified Quantity in Input
IBM Cognos Controller 11.0.0-11.1.1 Hardcoded Key Session Cookie Leak
CVE-2025-36326
3.7 - Low
- September 26, 2025
IBM Cognos Controller 11.0.0 through 11.0.1, and IBM Controller 11.1.0 through 11.1.1 could allow an attacker to obtain sensitive information due to the use of hardcoded cryptographic keys for signing session cookies.
Use of Hard-coded Cryptographic Key
IBM Controller 11.x Authenticated Credentials Exposure via Source Code
CVE-2025-33079
6.5 - Medium
- May 27, 2025
IBM Controller 11.0.0, 11.0.1, and 11.1.0 application could allow an authenticated user to obtain sensitive credentials that may be inadvertently included within the source code.
Insufficiently Protected Credentials
IBM Cognos Controller 11.x XSS via Client-Side Desync (CSD)
CVE-2022-39163
4.7 - Medium
- March 26, 2025
IBM Cognos Controller 11.0.0 through 11.1.0 is vulnerable to a Client-Side Desync (CSD) attack where an attacker could exploit a desynchronized browser connection that could lead to further cross-site scripting (XSS) attacks.
HTTP Request Smuggling
IBM Controller 11.* weak default password policy
CVE-2024-41778
6.5 - Medium
- March 01, 2025
IBM Controller 11.0.0 through 11.0.1 and 11.1.0 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts.
Weak Password Requirements
IBM Cognos Controller <=11.0.1 FP3, 11.1.0: XXE XML External Entity Injection
CVE-2023-47160
8.2 - High
- February 19, 2025
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
XXE
Formula Injection in IBM Cognos Controller 11.0.011.1.0
CVE-2024-45084
8 - High
- February 19, 2025
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 could allow an authenticated attacker to conduct formula injection. An attacker could execute arbitrary commands on the system, caused by improper validation of file contents.
CSV Injection
Auth Flaw in IBM Cognos Controller 11.0.0-11.1.0: modify restricted content
CVE-2024-45081
6.5 - Medium
- February 19, 2025
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 could allow an authenticated user to modify restricted content due to incorrect authorization checks.
AuthZ
IBM Cognos Ctrl 11.0.0-11.1.0 Weak Crypto Exposes Sensitive Data
CVE-2024-28780
5.9 - Medium
- February 19, 2025
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 Rich Client uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
Use of a Broken or Risky Cryptographic Algorithm
IBM Cognos Controller 11.0.0-11.1.0 Unrestricted Deserialization
CVE-2024-28777
8.8 - High
- February 19, 2025
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 is vulnerable to unrestricted deserialization. This vulnerability allows users to execute arbitrary code, escalate privileges, or cause denial of service attacks by exploiting the unrestricted deserialization of types in the application.
Marshaling, Unmarshaling
IBM Cognos Controller 11.x XSS in Web UI before 11.1.0 FP3
CVE-2024-28776
5.4 - Medium
- February 19, 2025
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
XSS
Hardcoded DB passwords in IBM Cognos Controller 11.x unauthorized access
CVE-2024-52902
8.8 - High
- February 19, 2025
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 client application contains hard coded database passwords in source code which could be used for unauthorized access to the system.
Use of Hard-coded Credentials
IBM Cognos Controller 11.0.011.0.1 Remote Info Disclosure via Error Message
CVE-2021-20455
3.7 - Low
- January 07, 2025
IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.
Generation of Error Message Containing Sensitive Information
IBM Cognos Controller 11.* RCE: Info Leak via Error Msg
CVE-2022-22363
4.3 - Medium
- January 07, 2025
IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.
Generation of Error Message Containing Sensitive Information
IBM Cognos Controller 11.011.1 Stack Trace Info Disclosure
CVE-2024-25037
4.3 - Medium
- January 07, 2025
IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow a remote attacker to obtain sensitive information when a stack trace is returned in the browser.
Generation of Error Message Containing Sensitive Information
IBM Cognos Controller 11.0-11.1.0 Exposes Artifactory API Keys
CVE-2024-28778
6.5 - Medium
- January 07, 2025
IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 is vulnerable to exposure of Artifactory API keys. This vulnerability allows users to publish code to private packages or repositories under the name of the organization.
Use of Hard-coded Credentials
IBM Cognos Controller 11.0.x Improper Cert Validation Enables Token Theft
CVE-2024-40702
8.2 - High
- January 07, 2025
IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow an unauthorized user to obtain valid tokens to gain access to protected resources due to improper certificate validation.
Improper Certificate Validation
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for IBM Controller or by IBM? Click the Watch button to subscribe.
