Total CVEs

144,218

Critical Severity

4,148

High Severity

14,965

Last 7 Days

1,632
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 3,441 - 3,460 of 40,623 CVEs
CVE-2025-36321 MEDIUM - 5.7

IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.

Vendor: IBM
Product: watsonx.data intelligence
Published: Jun 30, 2026
Source: NVD
CVE-2025-36320 MEDIUM - 6.4

IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trus...

Vendor: IBM
Product: watsonx.data intelligence
Published: Jun 30, 2026
Source: NVD
CVE-2025-36319 MEDIUM - 4.3

IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 could allow an authenticated user to cause a temporary denial using a specially crafted HTTP request due to improper allocation of resource throttling.

Vendor: IBM
Product: watsonx.data intelligence
Published: Jun 30, 2026
Source: NVD
CVE-2025-12530 MEDIUM - 5.9

IBM watsonx.data intelligence 5.2.2, 5.3.0, 5.3.1, 5.3.1 through patch-1 transmits data in clear text that could allow an attacker to obtain sensitive information using man in the middle techniques.

Vendor: IBM
Product: watsonx.data intelligence
Published: Jun 30, 2026
Source: NVD
CVE-2026-9836 LOW - 3.5

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is affected by an information disclosure vulnerability.

Vendor: ibm
Product: infosphere_information_server
Published: Jun 30, 2026
Source: NVD
CVE-2026-9002 MEDIUM - 6.5

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 could allow an adjacent attacker to cause a denial of service due to improper validation in the XDF decoder. The application processes deeply nested Protocol Buffers messages and attacker-controlled length prefixes without sufficient bounds checkin...

Vendor: ibm
Product: websphere_extreme_scale
Published: Jun 30, 2026
Source: NVD
CVE-2026-7874 CRITICAL - 9.1

IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow disclosure of all stored credentials due to the use of a weak and reversible key derivation mechanism for encryption at rest.

Vendor: langflow
Product: langflow
Published: Jun 30, 2026
Source: NVD
CVE-2026-7873 CRITICAL - 9.9

IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated attackers to execute arbitrary OS commands and read sensitive files including credentials, enabling complete system compromise and lateral movement.

Vendor: langflow
Product: langflow
Published: Jun 30, 2026
Source: NVD
CVE-2026-7871 CRITICAL - 9.8

IBM Langflow OSS 1.0.0 through 1.10.0 allows users with Redis access to execute arbitrary code with full application privileges, compromising all secrets, data, and system integrity.

Vendor: langflow
Product: langflow
Published: Jun 30, 2026
Source: NVD
CVE-2026-7803 CRITICAL - 9.8

IBM Langflow OSS 1.0.0 through 1.10.0 could allow arbitrary code execution due to improper validation of flow nodes with missing or empty component type fields.

Vendor: langflow
Product: langflow
Published: Jun 30, 2026
Source: NVD
CVE-2026-7663 CRITICAL - 9.1

IBM Langflow OSS 1.0.0 through 1.9.6 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint.

Vendor: langflow
Product: langflow
Published: Jun 30, 2026
Source: NVD
CVE-2026-3602 MEDIUM - 4.7

IBM App Connect Enterprise 13.0.1.0 through 13.0.7.2, and 12.0.1.0 through 12.0.12.26 and IBM Integration Bus for z/OS 10.1.0.0 through 10.1.0.7 is vulnerable to SQL injection. A remote attacker could socially engineer a user into accidentally creating files they may not be aware of.

Vendor: ibm
Product: app_connect_enterprise
Published: Jun 30, 2026
Source: NVD
CVE-2026-13773 MEDIUM - 6.0

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 Approximately 50 generated CORBA stub classes in WebSphere eXtreme Scale's ogclient.jar call ORB.string_to_object() on an attacker-controlled IOR string during Java deserialization, turning any unfiltered ObjectInputStream sink in WAS into out...

Vendor: IBM
Product: WebSphere Extreme Scale
Published: Jun 30, 2026
Source: NVD
CVE-2026-13772 HIGH - 7.5

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 's Object Query Language engine resolves attacker-supplied class names via Class.forName() and invokes their constructors with no allow-list at three distinct sinks (SELECT NEW, enum literals, and reflection-based comparators); an authenticate...

Vendor: IBM
Product: WebSphere Extreme Scale
Published: Jun 30, 2026
Source: NVD
CVE-2026-13759 HIGH - 7.5

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 ships three ObjectInputStream subclasses (WsObjectInputStream, ObjectStreamPool$ReusableInputStream, ObjectInputStreamResolver) that install no JEP-290 class filter; when Coherence is on the classpath, multiple RCE gadget chains including RemoteCon...

Vendor: IBM
Product: WebSphere Extreme Scale
Published: Jun 30, 2026
Source: NVD
CVE-2026-13449 HIGH - 7.6

IBM Business Automation Manager Open Editions 9.0.0 through 9.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

Vendor: IBM
Product: Business Automation Manager Open Editions
Published: Jun 30, 2026
Source: NVD
CVE-2026-12086 MEDIUM - 6.2

IBM UCD - IBM UrbanCode Deploy 7.2 through 7.2.3.23, and 7.3 through 7.3.2.18 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.13, 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 stores potentially sensitive information in log files that could be read by a local user.

Vendor: IBM
Product: UCD - IBM UrbanCode Deploy, UCD - IBM DevOps Deploy
Published: Jun 30, 2026
Source: NVD
CVE-2026-12085 MEDIUM - 6.5

IBM UCD - IBM UrbanCode Deploy 7.3 through 7.3.2.18 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.13, 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 IBM DevOps Deploy could disclose sensitive configurations and secrets to authenticated users in API responses that could be used in further attacks a...

Vendor: IBM
Product: UCD - IBM UrbanCode Deploy, UCD - IBM DevOps Deploy
Published: Jun 30, 2026
Source: NVD
CVE-2026-12084 MEDIUM - 5.4

IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains.

Vendor: IBM
Product: UCD - IBM DevOps Deploy
Published: Jun 30, 2026
Source: NVD
CVE-2026-11906 MEDIUM - 6.5

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of XMLTable-derived columns.

Vendor: IBM
Product: Db2
Published: Jun 30, 2026
Source: NVD