CVE Catalog

CVE-2026-11906

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.42%

34th percentile — higher than 34% of all known CVEs

Summary

IBM Db2 versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 for Linux, UNIX, and Windows (including Db2 Connect Server) contain a denial-of-service vulnerability. An authenticated user can exploit improper neutralization of special elements in the data query logic for XMLTable-derived columns, causing a denial of service.

Risk Assessment

The risk is that an authenticated user can disrupt database operations, potentially leading to unavailability of critical business applications relying on IBM Db2.

Recommendation

Immediately upgrade IBM Db2 to version 11.5.10 or later (for the 11.5 series) and 12.1.5 or later (for the 12.1 series). If an upgrade is not possible, restrict user permissions for executing XMLTable queries.

Original NVD description (English source)

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of XMLTable-derived columns.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS