These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-9610 is a vulnerability in IBM Datacap and Datacap Navigator versions 9.1.7, 9.1.8, and 9.1.9. The vulnerability allows unauthorized access to resources or functionality that is not linked in the UI but can be accessed directly via URL requests, bypassing intended access controls. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 2.3, indicating a low severity. The CV [truncated]
CVE-2026-9320 is a denial of service vulnerability in IBM WebSphere Application Server. A remote attacker could exploit this vulnerability to cause the server to consume memory resources. The vulnerability affects IBM WebSphere Application Server 9.0 and 8.5, and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6. IBM has released a vendor advisory to address this issue. Users should rev [truncated]
CVE-2026-9072 is a high-severity vulnerability affecting IBM WebSphere Application Server and IBM WebSphere Application Server Liberty. The vulnerability occurs when using Intelligent Management with the WebSphere WebServer Plug-in component, allowing for remote code execution and denial of service attacks. An attacker can exploit this vulnerability by impersonating backend servers and sending crafted res [truncated]
CVE-2026-9071 is a denial of service vulnerability in IBM WebSphere Application Server 9.0, 8.5, and Liberty 17.0.0.3 through 26.0.0.6. A remote attacker could exploit this vulnerability by sending a specially-crafted request, causing the server to consume memory resources. This issue has a CVSS score of 7.5 and is considered HIGH severity. IBM has provided a vendor advisory for mitigation. The CVE was pu [truncated]
CVE-2026-9006 is a high-severity vulnerability in IBM WebSphere Application Server 9.0 and 8.5, allowing for server-side request forgery (SSRF) attacks when the Ajax Proxy is configured. This vulnerability may enable an attacker to send unauthorized requests from the system, potentially leading to security bypass or information disclosure. The CVSS score for this vulnerability is 7.4, indicating a high le [truncated]
CVE-2026-8646 is a high-severity vulnerability in IBM WebSphere Application Server. The vulnerability allows remote attackers to smuggle specially crafted requests, potentially bypassing security controls, spoofing identity, escalating privilege, and exposing sensitive information. This issue affects WebSphere Application Server 9.0, 8.5, and Liberty versions 17.0.0.3 through 26.0.0.6. IBM has provided a [truncated]
CVE-2026-7664 is a critical vulnerability in IBM Langflow OSS versions 1.0.0 through 1.8.4. The vulnerability allows unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint. The CVSS score for this vulnerability is 9.8, indicating a critical severity. IBM has provided a vendor advisory [truncated]
CVE-2026-12628 is a critical vulnerability in IBM Storage Protect Client 8.1.0.0 through 8.2.1.0 and IBM Storage Protect Snapshot For Windows 8.1.0.0 through 8.2.1.0. The vulnerability allows a remote attacker to bypass authentication due to the use of a hardcoded credential in the FlashCopy Manager (FCM) authentication mechanism. The application contains a static credential embedded in multiple authentic [truncated]
CVE-2026-10845 is a high-severity vulnerability in IBM WebSphere Application Server 8.5 and 9.0 that allows remote attackers to bypass authentication and gain unauthorized access to JAX-WS applications. The vulnerability has a CVSS score of 7.3 and is considered high severity. IBM has provided a vendor advisory for mitigation. Users should review their WebSphere Application Server versions 8.5.0.0 to 8.5. [truncated]
IBM Engineering Workflow Management is vulnerable to HTTP header injection due to improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning, or session hijacking. The vulnerability affects multiple versions of Engineering Workflow Management, including 7.0.2 through 7.0.2 Interim [truncated]
CVE-2023-33854 is a medium-severity vulnerability affecting IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data. An authenticated user could bypass client-side validation and manipulate input data using man-in-the-middle techniques. The vulnerability has a CVSS score of 5.3. IBM has provided a reference for this issue. Users should review their inventory and apply patches as available. A [truncated]
CVE-2025-2669 is a medium-severity vulnerability affecting IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions 4.8, 5.0, 5.1, 5.2, and 5.3. A privileged user could exploit improper token validation to perform unauthorized operations and access sensitive information. Defenders should assess exposure and prioritize patching due to potential insider threats.
CVE-2024-54178 is a medium-severity vulnerability affecting IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions 4.8, 5.0, 5.1, 5.2, and 5.3. An authenticated user could exploit this vulnerability to cause a denial of service when creating new databases due to improper allocation of resources. Defenders should assess their exposure and prioritize patching, as the CVSS score is 6.5.
CVE-2026-4870 is a HIGH severity vulnerability in IBM Qiskit SDK versions 0.43.0 through 2.5.0. The vulnerability could allow an attacker to trigger a segmentation fault leading to a denial of service due to uncontrolled recursion in the parser. The CVSS score for this vulnerability is 7.5.
CVE-2026-7870 is a high-severity vulnerability in IBM i 7.6, 7.5, 7.4, and 7.3 that allows a user to gain elevated privileges due to an unqualified library call. A malicious actor could cause user-controlled code to run with administrator privilege. The vulnerability has a CVSS score of 8.8 and is classified as HIGH.
CVE-2026-7787 is a HIGH-severity vulnerability in IBM Langflow OSS versions 1.0.0 through 1.9.1. An authenticated user could exploit this vulnerability to read or modify sensitive information by bypassing authentication using insecure direct object references. The vulnerability was published on [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-7787) and has a CVSS score of 7.5.
CVE-2026-4096 is a medium-severity vulnerability affecting IBM DevOps Plan versions 3.0.0 through 3.0.6. The vulnerability is caused by improper validation of input by the HOST headers, leading to HTTP header injection. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning, or session hijacking.
CVE-2026-3341 is a server-side request forgery (SSRF) vulnerability in IBM Langflow Desktop 1.0.0 through 1.9.2. An authenticated attacker could send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. The vulnerability has a CVSS score of 5.4 and a severity of MEDIUM.
CVE-2024-45636 is a vulnerability in IBM Security QRadar EDR 3.12 through 3.12.24. The vulnerability allows a local privileged user to read user credentials stored in plain text.
IBM Business Automation Workflow containers and traditional deployments may leak database structure information through error messages. This information disclosure vulnerability (CWE-209) has a CVSS 3.1 score of 4.3 (MEDIUM severity). The issue was published to the NVD on 2026-05-27 and remains in 'Awaiting Analysis' status. The vulnerability requires network access and low privileges to exploit, with no [truncated]
IBM Aspera High-Speed Transfer Endpoint and Server versions 3.7.4 through 4.4.7 Fix Pack 1 contain an arbitrary file read vulnerability in the asperahttpd component. An authenticated attacker can exploit path traversal weaknesses (CWE-22) to access files outside intended directories on the server's local storage. The vulnerability requires network access and valid credentials, with no user interaction nee [truncated]
IBM Guardium Data Protection versions 12.2.1 and 12.2.2 contain an information disclosure vulnerability in the Long Term Retention (LTR) add-on feature. When debug mode is enabled, sensitive credentials may be exposed. The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and carries a CVSS 3.1 score of 6.5 (MEDIUM severity). The attack vector is network-b [truncated]
IBM Aspera High-Speed Transfer Endpoint and Server versions 3.7.4 through 4.4.7 Fix Pack 1 contain a denial-of-service vulnerability in the asperahttpd component. An unauthenticated remote attacker can trigger a crash of the asperahttpd service. The vulnerability is classified as CWE-476 (NULL Pointer Dereference) and carries a CVSS 3.1 score of 7.5 (HIGH severity) with network attack vector, low attack c [truncated]
A buffer overflow vulnerability in IBM Aspera High-Speed Transfer Endpoint and Server versions 3.7.4 through 4.4.7 Fix Pack 1 allows authenticated remote attackers to execute arbitrary code on affected systems. The vulnerability resides in the asperahttpd component. The CVSS 3.1 score of 8.8 (High) reflects network attack vector, low attack complexity, low privileges required, and high impact to confident [truncated]
A critical buffer overflow vulnerability in IBM Aspera High-Speed Transfer Endpoint and Server versions 3.7.4 through 4.4.7 Fix Pack 1 affects the asperahttpd component. The vulnerability, classified as CWE-122 (Heap-based Buffer Overflow), carries a CVSS 3.1 score of 9.8 (Critical) due to network attack vector with low complexity, no privileges required, and no user interaction needed. Successful exploit [truncated]
IBM Aspera HSTS for Cloud Pak for Integration (CP4I) versions 1.5.1 through 1.5.19 contain an improper authentication vulnerability (CWE-287). The vulnerability was published by IBM PSIRT and indexed by NVD on 2026-05-27. No CVSS score or severity rating has been assigned as of the CVE modification time (2026-05-27T14:53:51.833Z); NVD status remains 'Awaiting Analysis'. The affected product is IBM Aspera [truncated]
IBM Langflow OSS versions 1.0.0 through 1.9.0 contain a denial-of-service vulnerability stemming from uncontrolled resource consumption. The issue was published to the CVE Program on 2026-05-27 and carries a CVSS 3.1 score of 7.1 (HIGH). The attack vector is network-based with low attack complexity, requiring low privileges but no user interaction. The confidentiality impact is low, integrity impact is no [truncated]
A critical vulnerability in IBM Langflow OSS versions 1.0.0 through 1.9.1 allows remote code execution through improper validation of symbolic links during archive extraction. The vulnerability, published on 2026-05-27, stems from a path traversal weakness (CWE-22) where symbolic links in archives are not properly validated, potentially allowing attackers to write files to arbitrary locations on the files [truncated]
IBM Operations Analytics - Log Analysis and IBM SmartCloud Analytics - Log Analysis ship with default passwords from the manufacturing process intended for use during installation. These credentials are not changed post-installation, allowing an unauthenticated attacker with local access to bypass authentication and gain full control (confidentiality, integrity, and availability impact). The vulnerability [truncated]
IBM OpenBMC firmware versions FW1110.00 through FW1110.11 are vulnerable to denial of service attacks that can be launched by unauthenticated network users. The vulnerability has a CVSS 3.1 score of 5.3 (Medium severity) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, indicating network-based attack with low complexity, no privileges required, and low availability impact. The weakness is ca [truncated]
IBM Db2 12.1.0 through 12.1.4 contains an authorization bypass vulnerability affecting remote object storage uploads. An authenticated attacker with low privileges can exploit improper authorization checks (CWE-285) via a specially crafted query parameter to bypass intended access controls when uploading to remote object storage paths. The vulnerability has network attack vector, low attack complexity, an [truncated]
IBM i versions 7.3 through 7.6 contain a denial-of-service vulnerability in the Integrated Language Environment (ILE) compiler. The flaw stems from uncontrolled recursion (CWE-674) when processing specially crafted source code containing a specific combination of statements. An authenticated attacker with compilation privileges can trigger this condition, causing the compiler to exhaust system resources a [truncated]
IBM Db2 versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 contain a denial-of-service vulnerability triggered when a specially crafted query is executed against range-partitioned tables. The vulnerability, published 2026-05-27, carries a CVSS 3.1 score of 5.5 (MEDIUM) with an attack vector requiring local access and low privileges. The underlying weakness is categorized as CWE-770 (Allocation of Re [truncated]
IBM Db2 versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 are vulnerable to memory exhaustion when executing specific queries against Multi-Dimensional Clustering (MDC) tables. The vulnerability, classified as CWE-400 (Uncontrolled Resource Consumption), allows an authenticated attacker with low privileges to cause a denial of service condition by triggering memory depletion through network-accessi [truncated]
IBM Db2 versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 contain a denial-of-service vulnerability. An authenticated local attacker can trigger the condition by executing a specially crafted query when the database instance is configured with a small statement heap. The flaw stems from improper resource management (CWE-400), leading to uncontrolled resource consumption that crashes the database se [truncated]
IBM WebSphere Application Server Liberty 22.0.0.11 through 26.0.0.5 contains a medium-severity timing window vulnerability that could allow remote attackers to bypass security controls under limited conditions. The vulnerability requires high attack complexity and high privileges to exploit, with network access but no user interaction needed. Successful exploitation results in high confidentiality impact [truncated]
IBM App Connect Enterprise versions 13.0.1.0 through 13.0.7.0 store potentially sensitive information in log files that could be read by a local user. This vulnerability represents an information disclosure risk where authenticated local users with appropriate file system permissions could access sensitive data written to application logs. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) indicat [truncated]
IBM Controller versions 11.0.1, 11.1.0, 11.1.1, and 11.1.2 contain hard-coded credentials used for inbound authentication, outbound communication, or internal data encryption. The vulnerability was published on 2026-05-27 and carries a CVSS 3.1 score of 8.8 (HIGH). The weakness is categorized as CWE-798 (Use of Hard-coded Credentials). IBM has published a security bulletin with remediation guidance.
IBM WebSphere Application Server Liberty versions 19.0.0.7 through 26.0.0.5, along with WebSphere Application Server 9.0 and 8.5, contain a denial-of-service vulnerability. A remote attacker can exploit this flaw by sending a specially crafted request, causing the server to consume excessive memory resources. The CVSS 3.1 vector (AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates this requires adjacent networ [truncated]
IBM Cloud APM 8.1.4 (Base Private and Advanced Private editions) contains a denial-of-service vulnerability in its Db2 Fenced environment query logic. An authenticated attacker can exploit improper neutralization of special elements (CWE-1284) to cause service disruption. The vulnerability is network-accessible with low attack complexity, requiring only low-privileged authentication. No confidentiality or [truncated]
IBM Netezza Performance Server Replication Services versions 3.0.2.0 through 3.0.5.0 contain a local privilege escalation vulnerability. An attacker with low-privileged access can escalate to root, enabling execution of root-level commands, acquisition of a root shell, and modification of the root password. Successful exploitation permits modification or removal of system-wide files and installation of pe [truncated]
IBM InfoSphere Optim Test Data Fabrication versions 1.0.0 through 1.0.2.7 contain a path traversal vulnerability (CWE-22) that could allow remote attackers to view arbitrary files on the system. The vulnerability stems from insufficient input validation on URL requests containing directory traversal sequences (/../). With a CVSS 3.1 score of 7.5 (HIGH severity), this vulnerability is network-exploitable w [truncated]
IBM MQ Operator and IBM-supplied MQ Advanced container images store potentially sensitive information in log files that could be read by a local user. The vulnerability affects multiple release streams: SC2 (v3.2.0 through 3.2.23, and container images 9.4.0.6 through 9.4.0.20-r1), CD (v3.3.0 through v3.9.1, and container images 9.4.1.0-r1 through 9.4.5.0-r2), and LTS (v2.0.0 through 2.0.29, and container [truncated]
IBM Db2 versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 contain a denial-of-service vulnerability triggered by specially crafted queries when autonomous transactions are enabled. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H) indicates network attack vector, low attack complexity, low privileges required, no user interaction, and high availability impact with limited confidentiality im [truncated]
IBM Cognos Analytics and IBM Cognos Transformer contain a stored cross-site scripting (XSS) vulnerability (CWE-79) affecting versions 11.2.0, 11.2.4, 12.0, and 12.1.0 (Analytics) and 11.2.4, 12.0, and 12.1.0 (Transformer). The vulnerability allows a remote attacker with low privileges to inject arbitrary JavaScript into the web UI, potentially altering functionality and disclosing credentials within a tru [truncated]
CVE-2024-56462 is a high-severity vulnerability affecting IBM QRadar versions 7.5.0 through 7.5.0 UP15 Interim Fix 002. The flaw allows a privileged user to upload a malicious backup archive that, when restored, can be leveraged to gain access to the underlying operating system. This represents a path traversal or arbitrary file write scenario within the backup restoration process, where insufficient vali [truncated]
IBM Operations Analytics - Log Analysis and IBM SmartCloud Analytics - Log Analysis do not enforce strong password requirements by default, allowing attackers to more easily compromise user accounts through weak or guessable credentials. The vulnerability affects versions 1.3.5.0 through 1.3.8.4. IBM has published a security bulletin with remediation guidance.
IBM Security Directory Integrator (SDI) versions 7.2.0.0 through 7.2.0.14 and 10.0.0.0 through 10.0.0.2 return overly verbose technical error messages to browser clients. These messages may expose internal system details—such as stack traces, file paths, or configuration parameters—that an unauthenticated remote attacker could harvest to refine subsequent targeting. The vulnerability is classified as CWE- [truncated]
IBM Engineering Lifecycle Management (ELM) versions 7.0.3, 7.1.0, and 7.2.0 contain an exposed method that is not properly restricted, allowing an attacker with administrative privileges to execute remote code. The vulnerability stems from improper access control (CWE-749) on an administrative interface method. The CVSS 3.1 vector indicates network attack vector, low attack complexity, high privileges req [truncated]
IBM Engineering Lifecycle Management (ELM) versions 7.0.3, 7.1.0, and 7.2.0 contain a critical authentication bypass vulnerability. An unauthenticated remote attacker can modify server property files to gain unauthorized administrative access to the application. The vulnerability is rated CVSS 3.1 9.8 (Critical) with network attack vector, low attack complexity, and no privileges or user interaction requi [truncated]