Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

IBM Corporation

BOS ID

-
BOSS-VENDOR-19419

Tags

-
N/A

Related Bos

-
HashiCorp, Inc.

Note

-

https://www.ibm.com/in-en https://www.ibm.com/legal

Mapped CVEsMapped VendorsRelated AssignersReports
8356Vulnerabilities found

CVE-2026-9103
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-Not Assigned
Published-17 Jul, 2026 | 18:49
Updated-17 Jul, 2026 | 18:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated Superuser Token Issuance via Auto-Login Endpoint

IBM Langflow OSS 1.0.0 through 1.10.0 could allow a remote attacker to gain unauthorized access due to improper authentication in the /api/v1/login/auto_login endpoint. The endpoint issues long-lived superuser bearer tokens without requiring authentication when the AUTO_LOGIN configuration is enabled (enabled by default), which may allow an unauthenticated network attacker to obtain full administrative access. Additionally, permissive cross-origin resource sharing (CORS) settings may allow tokens to be exposed to unintended origins, increasing the risk of unauthorized access.

Action-Not Available
Vendor-IBM Corporation
Product-Langflow OSS
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2026-9135
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-9.9||CRITICAL
EPSS-Not Assigned
Published-17 Jul, 2026 | 18:48
Updated-17 Jul, 2026 | 18:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Policies Component Dynamic CodeInput Fields Bypass Custom Component Validation

IBM Langflow OSS 1.0.0 through 1.10.0 Langflow versions up to 1.9.2 (commit 94981c443d4918517b9e8163d70fc598dc33a32d) contain a code injection vulnerability in the Policies component's ToolGuard integration that bypasses the allow_custom_components=false security control. The vulnerability exists because the validation mechanism only checks the main component source code in node_template["code"]["value"] but fails to validate dynamic CodeInput fields that store generated ToolGuard Python files. Attackers can embed malicious Python code in these unvalidated dynamic fields, which are persisted in Flow.data and later executed server-side when a guarded tool is invoked through the ToolGuard runtime. This allows authenticated users with flow creation privileges to achieve arbitrary Python code execution on the backend despite custom component restrictions. The vulnerability can be escalated through cross-tenant flow manipulation via the agentic MCP update_flow_component_field tool, which accepts attacker-controlled user_id parameters, enabling attackers to inject malicious code into victim users' flows. When combined with publicly accessible flows and specific misconfigurations (AUTO_LOGIN=true, NEW_USER_IS_ACTIVE=true), the attack can be conducted with reduced authentication requirements.

Action-Not Available
Vendor-IBM Corporation
Product-Langflow OSS
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-9171
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-7.5||HIGH
EPSS-Not Assigned
Published-17 Jul, 2026 | 18:26
Updated-17 Jul, 2026 | 18:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vulnerabilities in IBM WebSphere Application affects IBM PowerVM Novalink.

IBM PowerVM Novalink are vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources.

Action-Not Available
Vendor-IBM Corporation
Product-PowerVM Novalink
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2026-9198
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-Not Assigned
Published-17 Jul, 2026 | 17:36
Updated-17 Jul, 2026 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated Remote Code Execution via Auto-Login Bypass and Code Validation

IBM Langflow OSS 1.0.0 through 1.10.0 allows unauthenticated attackers to chain /api/v1/auto_login (mints SUPERUSER tokens to any network caller) with /api/v1/validate/code (executes user code via exec()) to achieve full RCE on default Langflow deployments

Action-Not Available
Vendor-IBM Corporation
Product-Langflow OSS
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-9202
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-Not Assigned
Published-17 Jul, 2026 | 17:33
Updated-17 Jul, 2026 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated User Registration Could Lead to Remote Code Execution

IBM Langflow OSS 1.0.0 through 1.10.0 allows unauthenticated attackers to create unlimited user accounts on any Langflow instance; when NEW_USER_IS_ACTIVE=true (documented deployment option), newly created accounts are immediately active and can authenticate to reach RCE endpoints, bypassing the need for AUTO_LOGIN.

Action-Not Available
Vendor-IBM Corporation
Product-Langflow OSS
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2026-9762
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-7.8||HIGH
EPSS-Not Assigned
Published-17 Jul, 2026 | 17:25
Updated-17 Jul, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM® Data Server driver for JDBC and SQLJ is vulnerable to remote code execution when jdbc url is under user control

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to remote code execution when jdbc url is under user control.

Action-Not Available
Vendor-IBM Corporation
Product-Db2
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-9074
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-9.1||CRITICAL
EPSS-0.51% / 39.89%
||
7 Day CHG+0.07%
Published-08 Jul, 2026 | 15:24
Updated-10 Jul, 2026 | 16:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM API Connect SQL Injection

IBM API Connect 10.0.8.0 through 10.0.8.9 and 12.1.0.0 through 12.1.0.3 contains an unauthenticated SQL injection vulnerability in the password reset functionality.

Action-Not Available
Vendor-IBM Corporation
Product-api_connectAPI Connect
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-3144
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-8.1||HIGH
EPSS-0.41% / 33.39%
||
7 Day CHG+0.04%
Published-08 Jul, 2026 | 15:22
Updated-10 Jul, 2026 | 17:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM API Connect Default Credentials

IBM API Connect 12.1.0.0 through 12.1.0.3 uses default credentials which could allow an attacker to gain unauthorized access to the application before the system enforces a credential update.

Action-Not Available
Vendor-IBM Corporation
Product-api_connectAPI Connect
CWE ID-CWE-1392
Use of Default Credentials
CVE-2026-11541
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-7.4||HIGH
EPSS-0.42% / 33.86%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 20:56
Updated-02 Jul, 2026 | 17:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by HTTP request smuggling

IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are affected by an HTTP request smuggling vulnerability.

Action-Not Available
Vendor-IBM Corporation
Product-websphere_application_serverWebSphere Application Server - LibertyWebSphere Application Server
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2026-11594
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-8.5||HIGH
EPSS-0.34% / 25.89%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 20:50
Updated-02 Jul, 2026 | 17:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM WebSphere Application Server is affected by multiple cross-site scripting vulnerabilities

IBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the administrative console.

Action-Not Available
Vendor-IBM Corporation
Product-websphere_application_serverWebSphere Application Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-12530
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-5.9||MEDIUM
EPSS-0.20% / 10.39%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 20:34
Updated-06 Jul, 2026 | 13:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vulnerabilities found in Watson Data Intelligence

IBM watsonx.data intelligence 5.2.2, 5.3.0, 5.3.1, 5.3.1 through patch-1 transmits data in clear text that could allow an attacker to obtain sensitive information using man in the middle techniques.

Action-Not Available
Vendor-IBM Corporation
Product-watsonx.data_intelligencesoftware_hubwatsonx.data intelligence
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2025-36319
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.43% / 34.95%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 20:23
Updated-06 Jul, 2026 | 13:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vulnerabilities found in Watson Data Intelligence

IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 could allow an authenticated user to cause a temporary denial using a specially crafted HTTP request due to improper allocation of resource throttling.

Action-Not Available
Vendor-IBM Corporation
Product-watsonx.data_intelligencesoftware_hubwatsonx.data intelligence
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-36320
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-6.4||MEDIUM
EPSS-0.26% / 17.08%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 20:22
Updated-06 Jul, 2026 | 13:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vulnerabilities found in Watson Data Intelligence

IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

Action-Not Available
Vendor-IBM Corporation
Product-watsonx.data_intelligencesoftware_hubwatsonx.data intelligence
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-36321
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-5.7||MEDIUM
EPSS-0.41% / 32.96%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 20:19
Updated-06 Jul, 2026 | 13:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vulnerabilities found in Watson Data Intelligence

IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.

Action-Not Available
Vendor-IBM Corporation
Product-watsonx.data_intelligencesoftware_hubwatsonx.data intelligence
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2025-36323
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.23% / 13.90%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 20:19
Updated-06 Jul, 2026 | 13:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vulnerabilities found in Watson Data Intelligence

IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

Action-Not Available
Vendor-IBM Corporation
Product-watsonx.data_intelligencesoftware_hubwatsonx.data intelligence
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-36324
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.27% / 18.80%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 20:18
Updated-06 Jul, 2026 | 13:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vulnerabilities found in Watson Data Intelligence

IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 s vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.

Action-Not Available
Vendor-IBM Corporation
Product-watsonx.data_intelligencesoftware_hubwatsonx.data intelligence
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-36327
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.36% / 28.18%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 20:17
Updated-06 Jul, 2026 | 13:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vulnerabilities found in Watson Data Intelligence

IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 could allow an authenticated user to bypass security controls and perform unauthorized actions due to client-side enforcement of sever-side security.

Action-Not Available
Vendor-IBM Corporation
Product-watsonx.data_intelligencesoftware_hubwatsonx.data intelligence
CWE ID-CWE-602
Client-Side Enforcement of Server-Side Security
CVE-2025-36328
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.37% / 28.92%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 20:16
Updated-06 Jul, 2026 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Error Message Containing Sensitive Information found in Watson Data Intelligence

IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser.  This information could be used in further attacks against the system.

Action-Not Available
Vendor-IBM Corporation
Product-watsonx.data_intelligencesoftware_hubwatsonx.data intelligence
CWE ID-CWE-209
Generation of Error Message Containing Sensitive Information
CVE-2025-36333
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.28% / 20.30%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 20:15
Updated-06 Jul, 2026 | 13:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vulnerabilities found in Watson Data Intelligence

IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 could allow an authenticated user to perform unauthorized actions due to the improper enforcement of behavioral workflow.

Action-Not Available
Vendor-IBM Corporation
Product-watsonx.data_intelligencesoftware_hubwatsonx.data intelligence
CWE ID-CWE-841
Improper Enforcement of Behavioral Workflow
CVE-2025-36336
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-5.9||MEDIUM
EPSS-0.20% / 10.39%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 20:12
Updated-06 Jul, 2026 | 13:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Transmission of Sensitive Information found in Watson Data Intelligence

IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 transmits data in clear text that could allow an attacker to obtain sensitive information using man in the middle techniques.

Action-Not Available
Vendor-IBM Corporation
Product-watsonx.data_intelligencesoftware_hubwatsonx.data intelligence
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2025-36359
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-8.1||HIGH
EPSS-0.19% / 8.64%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 20:11
Updated-06 Jul, 2026 | 16:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM DevOps Loop is susceptible to an Insufficient Session Expiration vulnerability.

IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 does not invalidate session IDs after expiration which could allow an authenticated user to impersonate another user on the system.

Action-Not Available
Vendor-IBM Corporation
Product-devops_automationdevops_loopDevOps LoopDevOps Automation
CWE ID-CWE-613
Insufficient Session Expiration
CVE-2025-36372
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-5.5||MEDIUM
EPSS-0.30% / 22.21%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 20:03
Updated-02 Jul, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM® Db2® could disclose sensitive information to an authenticated user from the monitoring and event tables

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could disclose sensitive information to an authenticated user from the monitoring and event tables.

Action-Not Available
Vendor-opengroupIBM CorporationMicrosoft CorporationLinux Kernel Organization, Inc
Product-linux_kernelwindowsdb2unixDb2
CWE ID-CWE-538
Insertion of Sensitive Information into Externally-Accessible File or Directory
CVE-2026-10109
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.86% / 54.39%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 20:02
Updated-02 Jul, 2026 | 16:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM® Db2® is vulnerable to remote code execution due to improper pre-auth DRDA handshake handling

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to remote code execution due to improper pre-auth DRDA handshake handling.

Action-Not Available
Vendor-IBM Corporation
Product-db2Db2
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-10129
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-8.5||HIGH
EPSS-0.18% / 8.30%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 19:59
Updated-02 Jul, 2026 | 17:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SSRF via HTTP Redirect Following in Langflow API Request Component

IBM Langflow OSS 1.0.0 through 1.9.3 contains a Server-Side Request Forgery (SSRF) protection bypass vulnerability in the API Request component. An authenticated attacker with low-level privileges (flow author role) can bypass SSRF protections by enabling the follow_redirects parameter and supplying a public URL that redirects to internal/localhost addresses. The vulnerability exists because the application validates only the initial URL but does not re-validate redirect destinations. This allows attackers to access internal HTTP services, localhost endpoints, cloud metadata services, and private network resources that should be unreachable when SSRF protection is enabled. Successful exploitation can lead to disclosure of sensitive information including credentials, tokens, internal API responses, and administrative panel data.

Action-Not Available
Vendor-langflowIBM Corporation
Product-langflowLangflow OSS
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-10134
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-10||CRITICAL
EPSS-0.31% / 23.39%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 19:56
Updated-02 Jul, 2026 | 17:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated Server-Side RCE via PythonCodeStructuredTool in Public Flows

IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process, read and modify every flow, conversation, message, file upload, and saved component in the Langflow database, can connect to internal services, abuse cloud metadata endpoints, laterally move to other tenants on the same Langflow instance, and Establish persistence by modifying the public flow's `tool_code` so normal `/api/v1/build/...` calls by any user re-execute attacker code at each build.

Action-Not Available
Vendor-langflowIBM Corporation
Product-langflowLangflow OSS
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-10140
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-9.6||CRITICAL
EPSS-0.20% / 10.07%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 19:55
Updated-02 Jul, 2026 | 16:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Tenant API Key Reuse and Billing Fraud in Langflow Voice Mode Subsystem

IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of API clients across tenant boundaries. An authenticated attacker can manipulate cache state to cause requests from other users to be processed using incorrect upstream API credentials, leading to cross-tenant billing and accountability misattribution.

Action-Not Available
Vendor-langflowIBM Corporation
Product-langflowLangflow OSS
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-10546
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-7.1||HIGH
EPSS-0.15% / 4.33%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 19:54
Updated-02 Jul, 2026 | 16:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DNS Rebinding TOCTOU Bypass of SSRF Protection in Langflow OSS URL Component

IBM Langflow OSS 1.0.0 through 1.9.3 contains a Server-Side Request Forgery (SSRF) vulnerability in the URL component ( src/lfx/src/lfx/components/data_source/url.py ) due to a Time-of-Check/Time-of-Use (TOCTOU) race condition that can be exploited via DNS rebinding.

Action-Not Available
Vendor-langflowIBM Corporation
Product-langflowLangflow OSS
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-10560
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-8.2||HIGH
EPSS-0.27% / 19.15%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 19:53
Updated-02 Jul, 2026 | 16:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated Access to Private Flow Build Events and Cancellation in Langflow OSS

IBM Langflow OSS 1.0.0 through 1.9.6 contains a missing authentication vulnerability in /api/v1/build_public_tmp/ endpoints that allows an unauthenticated attacker to read build event data or cancel jobs using a valid job identifier, resulting in information disclosure and denial of service.

Action-Not Available
Vendor-langflowIBM Corporation
Product-langflowLangflow OSS
CWE ID-CWE-287
Improper Authentication
CVE-2026-10564
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-8.2||HIGH
EPSS-0.20% / 9.89%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 19:51
Updated-02 Jul, 2026 | 15:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SSRF Vulnerability in Langflow OSS Legacy Components Bypasses Protection

IBM Langflow OSS 1.0.0 through 1.9.6 contains a Server-Side Request Forgery (SSRF). The legacy RSSReaderComponent in rss.py and SearXNG component in searxng.py make unvalidated HTTP requests to user-controlled URLs, bypassing SSRF protections introduced in version 1.9.3. An authenticated attacker can exploit this to access internal resources including cloud metadata services (AWS/Azure/GCP IMDS), potentially exfiltrating IAM credentials and enumerating internal networks. The vulnerability can also be triggered through prompt injection in agentic workflows due to tool_mode=True exposure.

Action-Not Available
Vendor-langflowIBM Corporation
Product-langflowLangflow OSS
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-11546
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-7.1||HIGH
EPSS-0.22% / 12.77%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 19:51
Updated-02 Jul, 2026 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM WebSphere Application Server Liberty is affected by a server-side request forgery vulnerability

IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.7 is affected by a server-side request forgery vulnerability with the adminCenter-1.0 feature enabled.

Action-Not Available
Vendor-IBM Corporation
Product-websphere_application_serverWebSphere Application Server - Liberty
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-11595
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.47% / 37.89%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 19:50
Updated-02 Jul, 2026 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM WebSphere Application Server is affected by a Path Traversal vulnerability

IBM WebSphere Application Server 9.0, and 8.5 could allow a remote attacker to obtain sensitive information from the administrative console's integrated help system.

Action-Not Available
Vendor-IBM Corporation
Product-websphere_application_serverWebSphere Application Server
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-11708
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-9.3||CRITICAL
EPSS-0.22% / 12.10%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 19:47
Updated-02 Jul, 2026 | 18:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM WebSphere Application Server is affected by a cross-site scripting vulnerability

IBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the administrative console's integrated help system.

Action-Not Available
Vendor-IBM Corporation
Product-websphere_application_serverWebSphere Application Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-11712
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-9.3||CRITICAL
EPSS-0.22% / 12.10%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 19:45
Updated-02 Jul, 2026 | 18:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM WebSphere Application Server is affected by a cross-site scripting vulnerability

IBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the administrative console help system.

Action-Not Available
Vendor-IBM Corporation
Product-websphere_application_serverWebSphere Application Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-11714
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-8.5||HIGH
EPSS-0.20% / 10.35%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 19:44
Updated-02 Jul, 2026 | 17:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM WebSphere Application Server Liberty is affected by an authorization bypass vulnerability

IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.7 is affected by a server-side request forgery vulnerability with the apiDiscovery-1.0 feature enabled.

Action-Not Available
Vendor-IBM Corporation
Product-websphere_application_serverWebSphere Application Server - Liberty
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-11806
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-7.2||HIGH
EPSS-0.47% / 37.78%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 19:43
Updated-02 Jul, 2026 | 17:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM WebSphere Application Server Liberty is affected by a an arbitrary file read vulnerability

IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 is affected by an arbitrary file read vulnerability with the restConnector-2.0 feature enabled.

Action-Not Available
Vendor-IBM Corporation
Product-websphere_application_serverWebSphere Application Server - Liberty
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2026-11906
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.42% / 34.08%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 19:42
Updated-02 Jul, 2026 | 18:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM® Db2® federated server is vulnerable to a denial of service due to improper neutralization of special elements in the data query logic of XMLTable-derived columns by autheticated user

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of XMLTable-derived columns.

Action-Not Available
Vendor-opengroupIBM CorporationMicrosoft CorporationLinux Kernel Organization, Inc
Product-linux_kernelwindowsdb2unixDb2
CWE ID-CWE-1284
Improper Validation of Specified Quantity in Input
CVE-2026-12084
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.16% / 5.79%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 19:39
Updated-02 Jul, 2026 | 18:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptible to a Permissive Cross-domain Security Policy with Untrusted Domains

IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains.

Action-Not Available
Vendor-IBM Corporation
Product-devops_deployUCD - IBM DevOps Deploy
CWE ID-CWE-942
Permissive Cross-domain Policy with Untrusted Domains
CVE-2026-12085
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.23% / 14.21%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 19:38
Updated-02 Jul, 2026 | 18:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptable to an Insertion of Sensitive Information Into Sent Data vulnerability

IBM UCD - IBM UrbanCode Deploy 7.3 through 7.3.2.18 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.13, 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 IBM DevOps Deploy could disclose sensitive configurations and secrets to authenticated users in API responses that could be used in further attacks against the system.

Action-Not Available
Vendor-IBM Corporation
Product-urbancode_deploydevops_deployUCD - IBM DevOps DeployUCD - IBM UrbanCode Deploy
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2026-12086
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-6.2||MEDIUM
EPSS-0.10% / 1.11%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 19:36
Updated-02 Jul, 2026 | 18:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptible to a Insertion of Sensitive Information into Log File Vulnerability

IBM UCD - IBM UrbanCode Deploy 7.2 through 7.2.3.23, and 7.3 through 7.3.2.18 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.13, 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 stores potentially sensitive information in log files that could be read by a local user.

Action-Not Available
Vendor-IBM Corporation
Product-urbancode_deploydevops_deployUCD - IBM DevOps DeployUCD - IBM UrbanCode Deploy
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2026-13449
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-7.6||HIGH
EPSS-0.41% / 32.86%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 19:32
Updated-02 Jul, 2026 | 18:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XXE attack in IBM Business Automation Manager Open Editions

IBM Business Automation Manager Open Editions 9.0.0 through 9.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

Action-Not Available
Vendor-IBM Corporation
Product-business_automation_managerBusiness Automation Manager Open Editions
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2026-13759
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-7.5||HIGH
EPSS-0.30% / 22.31%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 19:24
Updated-03 Jul, 2026 | 04:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM WebSphere eXtreme Scale is affected by Insecure Deserilization

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 ships three ObjectInputStream subclasses (WsObjectInputStream, ObjectStreamPool$ReusableInputStream, ObjectInputStreamResolver) that install no JEP-290 class filter; when Coherence is on the classpath, multiple RCE gadget chains including RemoteConstructor.readResolve and PriorityQueue/ExtractorComparator are confirmed working, allowing a post-login attacker who can write a session attribute or a LAN-adjacent attacker on the grid replication wire to execute arbitrary code on peer WAS JVMs

Action-Not Available
Vendor-IBM Corporation
Product-websphere_extreme_scaleWebSphere Extreme Scale
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-13772
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-7.5||HIGH
EPSS-0.28% / 20.31%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 19:21
Updated-03 Jul, 2026 | 04:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM WebSphere eXtreme Scale's OQL is affected by remote code execution

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 's Object Query Language engine resolves attacker-supplied class names via Class.forName() and invokes their constructors with no allow-list at three distinct sinks (SELECT NEW, enum literals, and reflection-based comparators); an authenticated remote attacker who can influence an application-built OQL query string can execute arbitrary constructors on the WAS JVM, and a SELECT DISTINCT variant using planted grid values fires the same gadget post-readObject in a manner that survives JEP-290 serialization filters across grid node boundaries

Action-Not Available
Vendor-IBM Corporation
Product-websphere_extreme_scaleWebSphere Extreme Scale
CWE ID-CWE-470
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
CVE-2026-13773
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-6||MEDIUM
EPSS-3.42% / 87.55%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 19:20
Updated-02 Jul, 2026 | 18:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM WebSphere eXtreme Scale is affected by server side request forgery when ORB is used as Transport Protocol

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 Approximately 50 generated CORBA stub classes in WebSphere eXtreme Scale's ogclient.jar call ORB.string_to_object() on an attacker-controlled IOR string during Java deserialization, turning any unfiltered ObjectInputStream sink in WAS into outbound IIOP SSRF to an attacker-chosen host; when chained with the IBM ORB's getUserException class-instantiation flaw (WAS-26), this SSRF escalates to remote code execution on the calling JVM.

Action-Not Available
Vendor-IBM Corporation
Product-websphere_extreme_scaleWebSphere Extreme Scale
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-3602
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-4.7||MEDIUM
EPSS-0.18% / 8.06%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 19:19
Updated-02 Jul, 2026 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM App Connect Enterprise and IBM Integration Bus for z/OS toolkit is vulnerable to an sql injection

IBM App Connect Enterprise 13.0.1.0 through 13.0.7.2, and 12.0.1.0 through 12.0.12.26 and IBM Integration Bus for z/OS 10.1.0.0 through 10.1.0.7 is vulnerable to SQL injection. A remote attacker could socially engineer a user into accidentally creating files they may not be aware of.

Action-Not Available
Vendor-IBM Corporation
Product-app_connect_enterprisez\/osintegration_busApp Connect EnterpriseIntegration Bus for z/OS
CWE ID-CWE-73
External Control of File Name or Path
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-7663
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-9.1||CRITICAL
EPSS-0.26% / 17.32%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 19:16
Updated-02 Jul, 2026 | 18:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated Cross-User MCP Resource Access and Tool Execution via Streamable Transport Authorization Bypass

IBM Langflow OSS 1.0.0 through 1.9.6 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint.

Action-Not Available
Vendor-langflowIBM Corporation
Product-langflowLangflow OSS
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-7803
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.36% / 27.99%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 19:15
Updated-02 Jul, 2026 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Flow Validation Bypass via Empty Component Type Field

IBM Langflow OSS 1.0.0 through 1.10.0 could allow arbitrary code execution due to improper validation of flow nodes with missing or empty component type fields.

Action-Not Available
Vendor-langflowIBM Corporation
Product-langflowLangflow OSS
CWE ID-CWE-20
Improper Input Validation
CVE-2026-7871
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 30.87%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 19:14
Updated-02 Jul, 2026 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insecure Deserialization in Redis Cache Backend

IBM Langflow OSS 1.0.0 through 1.10.0 allows users with Redis access to execute arbitrary code with full application privileges, compromising all secrets, data, and system integrity.

Action-Not Available
Vendor-langflowIBM Corporation
Product-langflowLangflow OSS
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-7873
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-9.9||CRITICAL
EPSS-0.29% / 21.37%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 19:13
Updated-02 Jul, 2026 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Code Injection Vulnerability in Code Validation Endpoint

IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated attackers to execute arbitrary OS commands and read sensitive files including credentials, enabling complete system compromise and lateral movement.

Action-Not Available
Vendor-langflowIBM Corporation
Product-langflowLangflow OSS
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-7874
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-9.1||CRITICAL
EPSS-0.16% / 6.00%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 19:11
Updated-02 Jul, 2026 | 19:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Weak Cryptographic Key Derivation Exposed All Stored Credentials

IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow disclosure of all stored credentials due to the use of a weak and reversible key derivation mechanism for encryption at rest.

Action-Not Available
Vendor-langflowIBM Corporation
Product-langflowLangflow OSS
CWE ID-CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
CVE-2026-9002
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.27% / 18.67%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 19:08
Updated-02 Jul, 2026 | 19:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM WebSphere eXtremes Scale is affected by uncontrolled resource consumption when XDF is enabled

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 could allow an adjacent attacker to cause a denial of service due to improper validation in the XDF decoder. The application processes deeply nested Protocol Buffers messages and attacker-controlled length prefixes without sufficient bounds checking, which may allow an attacker on the same network to trigger a StackOverflowError or OutOfMemoryError, resulting in a crash of the WebSphere Application Server JVM.

Action-Not Available
Vendor-IBM Corporation
Product-websphere_extreme_scaleWebSphere Extreme Scale
CWE ID-CWE-400
Uncontrolled Resource Consumption
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 167
  • 168
  • Next