Ibm CVEs & Vulnerabilities

202 CVEs affecting Ibm products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

aix 34websphere application server 26i 24app connect enterprise certified containers operands 23db2 17infosphere information server 17z\/os 16operations analytics log analysis 16
CVE-2025-14031HIGH

IBM Sterling B2B Integrator and and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.7_2, 6.2.0.0 through 6.2.0.5_1, 6.2.1.0 through 6.2.1.1_1, and 6.2.2.0 could allow an unauthenticated attacker to send a specially crafted request that causes the application to crash.

18 Mar 2026
7.5
CVSS
CVE-2026-1376HIGH

IBM i 7.6 could allow a remote attacker to cause a denial of service using failed authentication connections due to improper allocation of resources.

18 Mar 2026
7.5
CVSS
CVE-2026-1267MEDIUM

IBM Planning Analytics Local 2.1.0 through 2.1.17 could allow an unauthorized access to sensitive application data and administrative functionalities due to lack of proper access controls.

18 Mar 2026
6.5
CVSS
CVE-2025-14806MEDIUM

IBM Planning Analytics Local 2.1.0 through 2.1.17 could allow an attacker to trick the caching mechanism into storing and serving sensitive, user-specific responses as publicly cacheable resources.

18 Mar 2026
5.7
CVSS
CVE-2025-13460MEDIUM

IBM Aspera Console 3.3.0 through 3.4.8 could allow an attacker to enumerate usernames due to an observable response discrepancy.

16 Mar 2026
5.3
CVSS
CVE-2025-13459MEDIUM

IBM Aspera Console 3.3.0 through 3.4.8 could allow a privileged user to cause a denial of service due to improper enforcement of behavioral workflow.

16 Mar 2026
4.9
CVSS
CVE-2025-13212MEDIUM

IBM Aspera Console 3.3.0 through 3.4.8 could allow an authenticated user to cause a denial of service in the email service due to improper control of interaction frequency.

16 Mar 2026
4.3
CVSS
CVE-2025-36368HIGH

IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.7_2, 6.2.0.0 through 6.2.0.5_1, and 6.2.1.0 through 6.2.1.1_1 are vulnerable to SQL injection. An administrative user could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database.

13 Mar 2026
7.2
CVSS
CVE-2025-13726HIGH

IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow a remote attacker to obtain sensitive information when detailed technical error messages are returned. This information could be used in further attacks against the system.

13 Mar 2026
7.5
CVSS
CVE-2025-13723HIGH

IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow an attacker to obtain sensitive user information using an expired access token

13 Mar 2026
7.5
CVSS
CVE-2025-13718HIGH

IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow a remote attacker to obtain sensitive information in cleartext in a communication channel that can be sniffed by unauthorized actors.

13 Mar 2026
7.5
CVSS
CVE-2025-13702MEDIUM

IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

13 Mar 2026
5.4
CVSS
CVE-2023-40693MEDIUM

IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.7_2, and 6.2.0.0 through 6.2.0.5_1, 6.2.1.0 through 6.2.1.1_1 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

13 Mar 2026
5.4
CVSS
CVE-2025-13213MEDIUM

IBM Aspera Orchestrator 3.0.0 through 4.1.2 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking

11 Mar 2026
5.4
CVSS
CVE-2025-36227MEDIUM

IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers.  This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.

10 Mar 2026
5.4
CVSS
CVE-2025-36226MEDIUM

IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

10 Mar 2026
5.4
CVSS
CVE-2025-13219HIGH

IBM Aspera Orchestrator 3.0.0 through 4.1.2 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history.

10 Mar 2026
7.5
CVSS
CVE-2026-1713MEDIUM

IBM MQ 9.1.0.0 through 9.1.0.33 LTS, 9.2.0.0 through 9.2.0.40 LTS, 9.3.0.0 through 9.3.0.36 LTS, 9.30.0 through 9.3.5.1 CD, 9.4.0.0 through 9.4.0.17 LTS, and 9.4.0.0 through 9.4.4.1 CD

4 Mar 2026
5.0
CVSS
CVE-2026-1567HIGH

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 An XML External Entity (XXE) vulnerability in IBM InfoSphere Information Server could allow attackers to retrieve sensitive information from the server.

4 Mar 2026
7.5
CVSS
CVE-2025-14480HIGH

IBM Aspera faspio Gateway 1.3.6 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information

4 Mar 2026
7.5
CVSS
CVE-2025-14456MEDIUM

IBM MQ Appliance 9.4 CD through 9.4.4.0 to 9.4.4.1

4 Mar 2026
5.9
CVSS
CVE-2025-13688HIGH

IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 could allow an authenticated user to execute arbitrary commands with normal user privileges on the system due to improper validation of user supplied input through the wrapped command component.

4 Mar 2026
8.8
CVSS
CVE-2025-13687HIGH

IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 could allow an authenticated user to execute arbitrary commands with normal user privileges on the system due to improper validation of user supplied input through the user-defined function component.

4 Mar 2026
8.8
CVSS
CVE-2025-13686HIGH

IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 could allow an authenticated user to execute arbitrary commands with normal user privileges on the system due to improper validation of user supplied input through the job subroutine component.

4 Mar 2026
8.8
CVSS
CVE-2026-2606MEDIUM

IBM webMethods API Gateway (on-prem) 10.11 through 10.11_Fix3210.15 to 10.15_Fix2711.1 to 11.1_Fix7 IBM webMethods API Management (on-prem) fails to properly validate user-supplied input passed to the url parameter on the /createapi endpoint. An attacker can modify this parameter to use a file:// URI schema instead of the expected https:// schema, enabling unauthorized arbitrary file read access on the underlying server file system.

3 Mar 2026
6.5
CVSS
CVE-2026-1265MEDIUM

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to writing of sensitive Information in a log file.

3 Mar 2026
5.3
CVSS
CVE-2025-36364LOW

IBM DevOps Plan 3.0.0 through 3.0.5 allows web page cache to be stored locally which can be read by another user on the system.

3 Mar 2026
3.3
CVSS
CVE-2025-36363HIGH

IBM DevOps Plan 3.0.0 through 3.0.5 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.

3 Mar 2026
7.5
CVSS
CVE-2025-14923CRITICAL

IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.2 IBM WebSphere Application Server Liberty could provide weaker than expected security when using the Security Utility when administering security settings.

3 Mar 2026
9.8
CVSS
CVE-2025-14604HIGH

IBM Storage Scale IBM S through rage Scale 5.2.3.0 - 5.2.3.5, and IBM S through rage Scale 6.0.0.0 - 6.0.0.1 could allow a local user to unintentionally trigger additional permissions for resources in a way that allows that resource to be executed by unintended actors.

3 Mar 2026
7.8
CVSS
CVE-2025-13734MEDIUM

IBM Engineering Requirements Management DOORS Next 7.1, and 7.2 could allow an authenticated user to view and edit data beyond their authorized access permissions.

3 Mar 2026
5.4
CVSS
CVE-2025-13616HIGH

IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 returns sensitive information in an HTTP response that could be used in further attacks against the system.

3 Mar 2026
7.5
CVSS
CVE-2025-13490MEDIUM

IBM App Connect Operator versions CD 11.3.0 through 11.6.0 and 12.1.0 through 12.20.0, LTS versions 12.0.0 through 12.0.20, and IBM App Connect Enterprise Certified Containers Operands versions CD 12.0.11.2‑r1 through 12.0.12.5‑r1 and 13.0.1.0‑r1 through 13.0.6.1‑r1, and LTS versions 12.0.12‑r1 through 12.0.12‑r20, contain a vulnerability in which the IBM App Connect Enterprise Certified Container transmits data in clear text, potentially allowing an attacker to intercept and obtain sensitive information through man‑in‑the‑middle techniques.

3 Mar 2026
5.9
CVSS
CVE-2025-13689HIGH

IBM DataStage on Cloud Pak for Data could allow an authenticated user to execute arbitrary commands and gain access to sensitive information due to unrestricted file uploads.

18 Feb 2026
8.8
CVSS
CVE-2025-13333MEDIUM

IBM WebSphere Application Server 9.0, and 8.5 could provide weaker than expected security during system administration of security settings.

18 Feb 2026
4.4
CVSS
CVE-2025-36348MEDIUM

IBM Sterling B2B Integrator versions 6.1.0.0 through 6.1.2.7_2, 6.2.0.0 through 6.2.0.5, and 6.2.1.0 through 6.2.1.1, and IBM Sterling File Gateway versions 6.1.0.0 through 6.1.2.7_2, 6.2.0.0 through 6.2.0.5, and 6.2.1.0 through 6.2.1.1 may expose sensitive information to a remote privileged attacker due to the application returning detailed technical error messages in the browser.

18 Feb 2026
4.9
CVSS
CVE-2025-36183LOW

IBM watsonx.data 2.2 through 2.2.1 IBM Lakehouse could allow a privileged user to upload malicious files that could be executed server to modify limited files or data.

18 Feb 2026
3.8
CVSS
CVE-2025-33088HIGH

IBM Concert 1.0.0 through 2.1.0 could allow a local user with specific knowledge about the system's architecture to escalate their privileges due to incorrect file permissions for critical resources.

18 Feb 2026
7.4
CVSS
CVE-2023-38005MEDIUM

IBM Cloud Pak System 2.3.3.6, 2.3.3.7, 2.3.4.0, 2.3.4.1, and 2.3.5.0 could allow an authenticated user to perform unauthorized tasks due to improper access controls.

18 Feb 2026
4.3
CVSS
CVE-2025-36379MEDIUM

IBM Security QRadar EDR 3.12 through 3.12.23 IBM Security ReaQta uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

18 Feb 2026
5.9
CVSS
CVE-2025-36377MEDIUM

IBM Security QRadar EDR 3.12 through 3.12.23 does not invalidate session after a session expiration which could allow an authenticated user to impersonate another user on the system.

18 Feb 2026
6.3
CVSS
CVE-2025-36376MEDIUM

IBM Security QRadar EDR 3.12 through 3.12.23 does not invalidate session after a session expiration which could allow an authenticated user to impersonate another user on the system.

18 Feb 2026
6.3
CVSS
CVE-2025-14289MEDIUM

IBM webMethods Integration Server 12.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.

18 Feb 2026
5.4
CVSS
CVE-2025-13691HIGH

IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 returns sensitive information in an HTTP response that could be used to impersonate other users in the system.

18 Feb 2026
8.1
CVSS
CVE-2025-36243MEDIUM

IBM Concert 1.0.0 through 2.1.0 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.

17 Feb 2026
5.4
CVSS
CVE-2025-33130MEDIUM

IBM DB2 Merge Backup for Linux, UNIX and Windows 12.1.0.0 could allow an authenticated user to cause the program to crash due to a buffer being overwritten when it is allocated on the stack.

17 Feb 2026
6.5
CVSS
CVE-2025-33124MEDIUM

IBM DB2 Merge Backup for Linux, UNIX and Windows 12.1.0.0 could allow an authenticated user to cause the program to crash due to the incorrect calculation of a buffer size.

17 Feb 2026
6.5
CVSS
CVE-2025-33101MEDIUM

IBM Concert 1.0.0 through 2.1.0 could allow an attacker to obtain sensitive information using man in the middle techniques due to improper clearing of heap memory.

17 Feb 2026
5.9
CVSS