CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.16)
IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 contains a vulnerability in the Object Query Language engine that resolves attacker-supplied class names via Class.forName() and invokes their constructors without an allow-list at three distinct sinks (SELECT NEW, enum literals, and reflection-based comparators). An authenticated remote attacker who can influence an application-built OQL query string can execute arbitrary constructors on the WAS JVM, and a SELECT DISTINCT variant using planted grid values triggers the same gadget post-deserialization in a manner that bypasses JEP-290 serialization filters across grid node boundaries.
IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 ships three ObjectInputStream subclasses (WsObjectInputStream, ObjectStreamPool$ReusableInputStream, ObjectInputStreamResolver) that install no JEP-290 class filter; when Coherence is on the classpath, multiple RCE gadget chains including RemoteConstructor.readResolve and PriorityQueue/ExtractorComparator are confirmed working, allowing a post-login attacker who can write a session attribute or a LAN-adjacent attacker on the grid replication wire to execute arbitrary code on peer WAS JVMs.
IBM Business Automation Manager Open Editions versions 9.0.0 through 9.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
IBM UrbanCode Deploy and IBM DevOps Deploy store potentially sensitive information in log files that could be read by a local user. The vulnerability affects versions 7.2 through 7.2.3.23, 7.3 through 7.3.2.18, and 8.0 through 8.0.1.13, 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0.
IBM UrbanCode Deploy and IBM DevOps Deploy in vulnerable versions may disclose sensitive configurations and secrets to authenticated users in API responses, which could be used in further attacks against the system.
IBM DevOps Deploy (UCD) versions 8.1 through 8.1.2.6 and 8.2 through 8.2.1.0 improperly configure CORS, allowing an attacker to perform privileged actions and retrieve sensitive information because the domain is not restricted to trusted domains.
IBM Db2 versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 for Linux, UNIX, and Windows (including Db2 Connect Server) contain a denial-of-service vulnerability. An authenticated user can exploit improper neutralization of special elements in the data query logic for XMLTable-derived columns, causing a denial of service.
IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.6 are affected by an arbitrary file read vulnerability when the restConnector-2.0 feature is enabled.
IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.7 are affected by a server-side request forgery (SSRF) vulnerability when the apiDiscovery-1.0 feature is enabled. An attacker can exploit this flaw to send unauthorized requests from the server to internal network resources.
IBM WebSphere Application Server 9.0 and 8.5 are affected by a cross-site scripting (XSS) vulnerability in the administrative console help system. This allows an attacker to inject malicious scripts into the help page.
IBM WebSphere Application Server 9.0 and 8.5 is affected by a cross-site scripting vulnerability in the administrative console's integrated help system. This allows an attacker to inject malicious script into the help page.
IBM WebSphere Application Server 9.0 and 8.5 contain a vulnerability that could allow a remote attacker to obtain sensitive information from the integrated help system of the administrative console.
IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.7 with the adminCenter-1.0 feature enabled are affected by a server-side request forgery (SSRF) vulnerability.
IBM Langflow OSS versions 1.0.0 through 1.9.6 contain a Server-Side Request Forgery (SSRF) vulnerability. The RSSReaderComponent and SearXNG components make unvalidated HTTP requests to user-controlled URLs, bypassing SSRF protections introduced in version 1.9.3.
IBM Langflow OSS versions 1.0.0 through 1.9.6 contain a missing authentication vulnerability in /api/v1/build_public_tmp/ endpoints, allowing an unauthenticated attacker to read build event data or cancel jobs using a valid job identifier, resulting in information disclosure and denial of service.
IBM Langflow OSS versions 1.0.0 through 1.9.3 contain a Server-Side Request Forgery (SSRF) vulnerability in the URL component due to a TOCTOU race condition exploitable via DNS rebinding.
IBM Langflow OSS versions 1.0.0 through 1.10.0 in voice mode have improper shared-state handling that allows reuse of API clients across tenant boundaries. An authenticated attacker can manipulate cache state to cause requests from other users to be processed using incorrect upstream API credentials, leading to cross-tenant billing and accountability misattribution.
IBM Langflow OSS versions 1.0.0 through 1.9.3 contain a critical vulnerability allowing an attacker to read all secrets available to the Langflow process, read and modify all flows, conversations, messages, file uploads, and saved components in the Langflow database. The attacker can also connect to internal services, abuse cloud metadata endpoints, laterally move to other tenants on the same Langflow instance, and establish persistence by modifying the public flow's `tool_code` so that normal `/api/v1/build/...` calls by any user re-execute attacker code at each build.
IBM Langflow OSS versions 1.0.0 through 1.9.3 contain a Server-Side Request Forgery (SSRF) protection bypass vulnerability in the API Request component. An authenticated attacker with low-level privileges (flow author role) can bypass SSRF protections by enabling the follow_redirects parameter and supplying a public URL that redirects to internal/localhost addresses. The vulnerability exists because the application validates only the initial URL but does not re-validate redirect destinations.
IBM Db2 versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 are vulnerable to remote code execution due to improper handling of DRDA handshake before authentication.

