Vulnerability-Lookup

WID-SEC-W-2026-0845

Vulnerability from csaf_certbund - Published: 2026-03-24 23:00 - Updated: 2026-05-14 22:00

Summary

IBM WebSphere Application Server Liberty: Mehrere Schwachstellen

Severity

Mittel

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: IBM WebSphere Application Server ist ein J2EE-Applikationsserver.

Angriff: Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in IBM WebSphere Application Server Liberty ausnutzen, um seine Privilegien zu erhöhen, Sicherheitsmaßnahmen zu umgehen und Informationen offenzulegen.

Betroffene Betriebssysteme: - Linux - MacOS X - Sonstiges - UNIX - Windows

CVE-2025-14915

Affected products

Known affected 15 products

Product	Identifier	Version
IBM DataPower Gateway 10.6.0.0-10.6.0.8 IBM / DataPower Gateway	`cpe:/a:ibm:datapower_gateway:10.6.0.0_-_10.6.0.8`	10.6.0.0-10.6.0.8
IBM TXSeries for multiplatforms IBM / TXSeries	`cpe:/a:ibm:txseries:for_multiplatforms`	for multiplatforms
IBM DataPower Gateway 10.6.1.0-10.6.6.0 IBM / DataPower Gateway	`cpe:/a:ibm:datapower_gateway:10.6.1.0_-_10.6.6.0`	10.6.1.0-10.6.6.0
IBM Operational Decision Manager 8.11.1.0 IBM / Operational Decision Manager	`cpe:/a:ibm:operational_decision_manager:8.11.1.0`	8.11.1.0
IBM i 7.4 IBM / i	`cpe:/o:ibm:i:7.4`	7.4
IBM Operational Decision Manager 9.0.0.1 IBM / Operational Decision Manager	`cpe:/a:ibm:operational_decision_manager:9.0.0.1`	9.0.0.1
IBM i 7.6 IBM / i	`cpe:/o:ibm:i:7.6`	7.6
IBM WebSphere Application Server Liberty <26.0.0.4 IBM / WebSphere Application Server		Liberty <26.0.0.4
IBM i 7.3 IBM / i	`cpe:/o:ibm:i:7.3`	7.3
IBM Operational Decision Manager 9.5.0.1 IBM / Operational Decision Manager	`cpe:/a:ibm:operational_decision_manager:9.5.0.1`	9.5.0.1
IBM i 7.5 IBM / i	`cpe:/o:ibm:i:7.5`	7.5
IBM i 7.2 IBM / i	`cpe:/o:ibm:i:7.2`	7.2
IBM MQ IBM	`cpe:/a:ibm:mq:-`	—
IBM Operational Decision Manager 8.11.0.1 IBM / Operational Decision Manager	`cpe:/a:ibm:operational_decision_manager:8.11.0.1`	8.11.0.1
IBM Operational Decision Manager 8.12.0.1 IBM / Operational Decision Manager	`cpe:/a:ibm:operational_decision_manager:8.12.0.1`	8.12.0.1

CVE-2025-14917

Affected products

Known affected 15 products

Product	Identifier	Version
IBM DataPower Gateway 10.6.0.0-10.6.0.8 IBM / DataPower Gateway	`cpe:/a:ibm:datapower_gateway:10.6.0.0_-_10.6.0.8`	10.6.0.0-10.6.0.8
IBM TXSeries for multiplatforms IBM / TXSeries	`cpe:/a:ibm:txseries:for_multiplatforms`	for multiplatforms
IBM DataPower Gateway 10.6.1.0-10.6.6.0 IBM / DataPower Gateway	`cpe:/a:ibm:datapower_gateway:10.6.1.0_-_10.6.6.0`	10.6.1.0-10.6.6.0
IBM Operational Decision Manager 8.11.1.0 IBM / Operational Decision Manager	`cpe:/a:ibm:operational_decision_manager:8.11.1.0`	8.11.1.0
IBM i 7.4 IBM / i	`cpe:/o:ibm:i:7.4`	7.4
IBM Operational Decision Manager 9.0.0.1 IBM / Operational Decision Manager	`cpe:/a:ibm:operational_decision_manager:9.0.0.1`	9.0.0.1
IBM i 7.6 IBM / i	`cpe:/o:ibm:i:7.6`	7.6
IBM WebSphere Application Server Liberty <26.0.0.4 IBM / WebSphere Application Server		Liberty <26.0.0.4
IBM i 7.3 IBM / i	`cpe:/o:ibm:i:7.3`	7.3
IBM Operational Decision Manager 9.5.0.1 IBM / Operational Decision Manager	`cpe:/a:ibm:operational_decision_manager:9.5.0.1`	9.5.0.1
IBM i 7.5 IBM / i	`cpe:/o:ibm:i:7.5`	7.5
IBM i 7.2 IBM / i	`cpe:/o:ibm:i:7.2`	7.2
IBM MQ IBM	`cpe:/a:ibm:mq:-`	—
IBM Operational Decision Manager 8.11.0.1 IBM / Operational Decision Manager	`cpe:/a:ibm:operational_decision_manager:8.11.0.1`	8.11.0.1
IBM Operational Decision Manager 8.12.0.1 IBM / Operational Decision Manager	`cpe:/a:ibm:operational_decision_manager:8.12.0.1`	8.12.0.1

CVE-2026-1561

Affected products

Known affected 15 products

Product	Identifier	Version
IBM DataPower Gateway 10.6.0.0-10.6.0.8 IBM / DataPower Gateway	`cpe:/a:ibm:datapower_gateway:10.6.0.0_-_10.6.0.8`	10.6.0.0-10.6.0.8
IBM TXSeries for multiplatforms IBM / TXSeries	`cpe:/a:ibm:txseries:for_multiplatforms`	for multiplatforms
IBM DataPower Gateway 10.6.1.0-10.6.6.0 IBM / DataPower Gateway	`cpe:/a:ibm:datapower_gateway:10.6.1.0_-_10.6.6.0`	10.6.1.0-10.6.6.0
IBM Operational Decision Manager 8.11.1.0 IBM / Operational Decision Manager	`cpe:/a:ibm:operational_decision_manager:8.11.1.0`	8.11.1.0
IBM i 7.4 IBM / i	`cpe:/o:ibm:i:7.4`	7.4
IBM Operational Decision Manager 9.0.0.1 IBM / Operational Decision Manager	`cpe:/a:ibm:operational_decision_manager:9.0.0.1`	9.0.0.1
IBM i 7.6 IBM / i	`cpe:/o:ibm:i:7.6`	7.6
IBM WebSphere Application Server Liberty <26.0.0.4 IBM / WebSphere Application Server		Liberty <26.0.0.4
IBM i 7.3 IBM / i	`cpe:/o:ibm:i:7.3`	7.3
IBM Operational Decision Manager 9.5.0.1 IBM / Operational Decision Manager	`cpe:/a:ibm:operational_decision_manager:9.5.0.1`	9.5.0.1
IBM i 7.5 IBM / i	`cpe:/o:ibm:i:7.5`	7.5
IBM i 7.2 IBM / i	`cpe:/o:ibm:i:7.2`	7.2
IBM MQ IBM	`cpe:/a:ibm:mq:-`	—
IBM Operational Decision Manager 8.11.0.1 IBM / Operational Decision Manager	`cpe:/a:ibm:operational_decision_manager:8.11.0.1`	8.11.0.1
IBM Operational Decision Manager 8.12.0.1 IBM / Operational Decision Manager	`cpe:/a:ibm:operational_decision_manager:8.12.0.1`	8.12.0.1

CVE-2026-29063

Affected products

Known affected 15 products

Product	Identifier	Version
IBM DataPower Gateway 10.6.0.0-10.6.0.8 IBM / DataPower Gateway	`cpe:/a:ibm:datapower_gateway:10.6.0.0_-_10.6.0.8`	10.6.0.0-10.6.0.8
IBM TXSeries for multiplatforms IBM / TXSeries	`cpe:/a:ibm:txseries:for_multiplatforms`	for multiplatforms
IBM DataPower Gateway 10.6.1.0-10.6.6.0 IBM / DataPower Gateway	`cpe:/a:ibm:datapower_gateway:10.6.1.0_-_10.6.6.0`	10.6.1.0-10.6.6.0
IBM Operational Decision Manager 8.11.1.0 IBM / Operational Decision Manager	`cpe:/a:ibm:operational_decision_manager:8.11.1.0`	8.11.1.0
IBM i 7.4 IBM / i	`cpe:/o:ibm:i:7.4`	7.4
IBM Operational Decision Manager 9.0.0.1 IBM / Operational Decision Manager	`cpe:/a:ibm:operational_decision_manager:9.0.0.1`	9.0.0.1
IBM i 7.6 IBM / i	`cpe:/o:ibm:i:7.6`	7.6
IBM WebSphere Application Server Liberty <26.0.0.4 IBM / WebSphere Application Server		Liberty <26.0.0.4
IBM i 7.3 IBM / i	`cpe:/o:ibm:i:7.3`	7.3
IBM Operational Decision Manager 9.5.0.1 IBM / Operational Decision Manager	`cpe:/a:ibm:operational_decision_manager:9.5.0.1`	9.5.0.1
IBM i 7.5 IBM / i	`cpe:/o:ibm:i:7.5`	7.5
IBM i 7.2 IBM / i	`cpe:/o:ibm:i:7.2`	7.2
IBM MQ IBM	`cpe:/a:ibm:mq:-`	—
IBM Operational Decision Manager 8.11.0.1 IBM / Operational Decision Manager	`cpe:/a:ibm:operational_decision_manager:8.11.0.1`	8.11.0.1
IBM Operational Decision Manager 8.12.0.1 IBM / Operational Decision Manager	`cpe:/a:ibm:operational_decision_manager:8.12.0.1`	8.12.0.1

References

13 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://www.ibm.com/support/pages/node/7267345	external
https://www.ibm.com/support/pages/node/7267347	external
https://www.ibm.com/support/pages/node/7267351	external
https://www.ibm.com/support/pages/node/7267362	external
https://www.ibm.com/support/pages/node/7268448	external
https://www.ibm.com/support/pages/node/7268625	external
https://www.ibm.com/support/pages/node/7271938	external
https://www.ibm.com/support/pages/node/7271941	external
https://www.ibm.com/support/pages/node/7272317	external
https://www.ibm.com/support/pages/node/7272287	external
https://www.ibm.com/support/pages/node/7272823	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "IBM WebSphere Application Server ist ein J2EE-Applikationsserver.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in IBM WebSphere Application Server Liberty ausnutzen, um seine Privilegien zu erh\u00f6hen, Sicherheitsma\u00dfnahmen zu umgehen und Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- MacOS X\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-0845 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0845.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-0845 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0845"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin vom 2026-03-24",
        "url": "https://www.ibm.com/support/pages/node/7267345"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin vom 2026-03-24",
        "url": "https://www.ibm.com/support/pages/node/7267347"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin vom 2026-03-24",
        "url": "https://www.ibm.com/support/pages/node/7267351"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin vom 2026-03-24",
        "url": "https://www.ibm.com/support/pages/node/7267362"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7268448 vom 2026-04-02",
        "url": "https://www.ibm.com/support/pages/node/7268448"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7268625 vom 2026-04-06",
        "url": "https://www.ibm.com/support/pages/node/7268625"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7271938 vom 2026-05-07",
        "url": "https://www.ibm.com/support/pages/node/7271938"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7271941 vom 2026-05-07",
        "url": "https://www.ibm.com/support/pages/node/7271941"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7272317 vom 2026-05-07",
        "url": "https://www.ibm.com/support/pages/node/7272317"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7272287 vom 2026-05-07",
        "url": "https://www.ibm.com/support/pages/node/7272287"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7272823 vom 2026-05-13",
        "url": "https://www.ibm.com/support/pages/node/7272823"
      }
    ],
    "source_lang": "en-US",
    "title": "IBM WebSphere Application Server Liberty: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-05-14T22:00:00.000+00:00",
      "generator": {
        "date": "2026-05-15T08:46:02.581+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-0845",
      "initial_release_date": "2026-03-24T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-03-24T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-03-25T23:00:00.000+00:00",
          "number": "2",
          "summary": "Referenz(en) aufgenommen: EUVD-2025-209020, EUVD-2026-15982, EUVD-2025-209021"
        },
        {
          "date": "2026-04-06T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2026-05-07T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2026-05-14T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von IBM aufgenommen"
        }
      ],
      "status": "final",
      "version": "5"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "10.6.0.0-10.6.0.8",
                "product": {
                  "name": "IBM DataPower Gateway 10.6.0.0-10.6.0.8",
                  "product_id": "T052395",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:datapower_gateway:10.6.0.0_-_10.6.0.8"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "10.6.1.0-10.6.6.0",
                "product": {
                  "name": "IBM DataPower Gateway 10.6.1.0-10.6.6.0",
                  "product_id": "T052396",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:datapower_gateway:10.6.1.0_-_10.6.6.0"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "DataPower Gateway"
          },
          {
            "category": "product_name",
            "name": "IBM MQ",
            "product": {
              "name": "IBM MQ",
              "product_id": "T021398",
              "product_identification_helper": {
                "cpe": "cpe:/a:ibm:mq:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "8.11.1.0",
                "product": {
                  "name": "IBM Operational Decision Manager 8.11.1.0",
                  "product_id": "06578EE6-A586-4789-BE88-3E269B0868D5",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:operational_decision_manager:8.11.1.0"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "9.0.0.1",
                "product": {
                  "name": "IBM Operational Decision Manager 9.0.0.1",
                  "product_id": "07A5E294-8A94-42D5-B418-207BAE046F8E",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:operational_decision_manager:9.0.0.1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8.11.0.1",
                "product": {
                  "name": "IBM Operational Decision Manager 8.11.0.1",
                  "product_id": "1587022",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:operational_decision_manager:8.11.0.1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8.12.0.1",
                "product": {
                  "name": "IBM Operational Decision Manager 8.12.0.1",
                  "product_id": "1587024",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:operational_decision_manager:8.12.0.1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "9.5.0.1",
                "product": {
                  "name": "IBM Operational Decision Manager 9.5.0.1",
                  "product_id": "T050692",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:operational_decision_manager:9.5.0.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Operational Decision Manager"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "for multiplatforms",
                "product": {
                  "name": "IBM TXSeries for multiplatforms",
                  "product_id": "T036617",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:txseries:for_multiplatforms"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "TXSeries"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "Liberty \u003c26.0.0.4",
                "product": {
                  "name": "IBM WebSphere Application Server Liberty \u003c26.0.0.4",
                  "product_id": "T052106"
                }
              },
              {
                "category": "product_version",
                "name": "Liberty 26.0.0.4",
                "product": {
                  "name": "IBM WebSphere Application Server Liberty 26.0.0.4",
                  "product_id": "T052106-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:websphere_application_server:liberty__26.0.0.4"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "WebSphere Application Server"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "7.5",
                "product": {
                  "name": "IBM i 7.5",
                  "product_id": "1174902",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:ibm:i:7.5"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.2",
                "product": {
                  "name": "IBM i 7.2",
                  "product_id": "312854",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:ibm:i:7.2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.4",
                "product": {
                  "name": "IBM i 7.4",
                  "product_id": "542823",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:ibm:i:7.4"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.3",
                "product": {
                  "name": "IBM i 7.3",
                  "product_id": "918504",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:ibm:i:7.3"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.6",
                "product": {
                  "name": "IBM i 7.6",
                  "product_id": "T052391",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:ibm:i:7.6"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "i"
          }
        ],
        "category": "vendor",
        "name": "IBM"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-14915",
      "product_status": {
        "known_affected": [
          "T052395",
          "T036617",
          "T052396",
          "06578EE6-A586-4789-BE88-3E269B0868D5",
          "542823",
          "07A5E294-8A94-42D5-B418-207BAE046F8E",
          "T052391",
          "T052106",
          "918504",
          "T050692",
          "1174902",
          "312854",
          "T021398",
          "1587022",
          "1587024"
        ]
      },
      "release_date": "2026-03-24T23:00:00.000+00:00",
      "title": "CVE-2025-14915"
    },
    {
      "cve": "CVE-2025-14917",
      "product_status": {
        "known_affected": [
          "T052395",
          "T036617",
          "T052396",
          "06578EE6-A586-4789-BE88-3E269B0868D5",
          "542823",
          "07A5E294-8A94-42D5-B418-207BAE046F8E",
          "T052391",
          "T052106",
          "918504",
          "T050692",
          "1174902",
          "312854",
          "T021398",
          "1587022",
          "1587024"
        ]
      },
      "release_date": "2026-03-24T23:00:00.000+00:00",
      "title": "CVE-2025-14917"
    },
    {
      "cve": "CVE-2026-1561",
      "product_status": {
        "known_affected": [
          "T052395",
          "T036617",
          "T052396",
          "06578EE6-A586-4789-BE88-3E269B0868D5",
          "542823",
          "07A5E294-8A94-42D5-B418-207BAE046F8E",
          "T052391",
          "T052106",
          "918504",
          "T050692",
          "1174902",
          "312854",
          "T021398",
          "1587022",
          "1587024"
        ]
      },
      "release_date": "2026-03-24T23:00:00.000+00:00",
      "title": "CVE-2026-1561"
    },
    {
      "cve": "CVE-2026-29063",
      "product_status": {
        "known_affected": [
          "T052395",
          "T036617",
          "T052396",
          "06578EE6-A586-4789-BE88-3E269B0868D5",
          "542823",
          "07A5E294-8A94-42D5-B418-207BAE046F8E",
          "T052391",
          "T052106",
          "918504",
          "T050692",
          "1174902",
          "312854",
          "T021398",
          "1587022",
          "1587024"
        ]
      },
      "release_date": "2026-03-24T23:00:00.000+00:00",
      "title": "CVE-2026-29063"
    }
  ]
}

CVE-2025-14915 (GCVE-0-2025-14915)

Vulnerability from cvelistv5 – Published: 2026-03-25 20:12 – Updated: 2026-03-27 03:55

Title

IBM WebSphere Application Server Liberty is affected by a privilege escalation vulnerability

Summary

IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application Server Liberty is affected by privilege escalation. A privileged user could gain additional access to the application server.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

ibm

References

1 reference

URL	Tags
https://www.ibm.com/support/pages/node/7267345	vendor-advisorypatch

Impacted products

1 product

Vendor	Product	Version
IBM	WebSphere Application Server - Liberty	Affected: 17.0.0.3 , ≤ 26.0.0.3 (semver) cpe:2.3:a:ibm:websphere_application_server___liberty:17.0.0.3:::::::* cpe:2.3:a:ibm:websphere_application_server___liberty:26.0.0.3:::::::*

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-14915",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-26T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-27T03:55:36.433Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:ibm:websphere_application_server___liberty:17.0.0.3:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:websphere_application_server___liberty:26.0.0.3:*:*:*:*:*:*:*"
          ],
          "product": "WebSphere Application Server - Liberty",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "26.0.0.3",
              "status": "affected",
              "version": "17.0.0.3",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application Server Liberty is affected by privilege escalation. A privileged user could gain additional access to the application server.\u003c/p\u003e"
            }
          ],
          "value": "IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application Server Liberty is affected by privilege escalation. A privileged user could gain additional access to the application server."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-25T20:17:59.777Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://www.ibm.com/support/pages/node/7267345"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR\u0026nbsp;PH70327. To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to\u0026nbsp;\u003ca title=\"How to determine if Liberty is using a specific feature\" href=\"https://www.ibm.com/support/pages/node/6553910\" rel=\"nofollow\"\u003eHow to determine if Liberty is using a specific feature\u003c/a\u003e.\u0026nbsp;\u003cbr\u003e\u003cbr\u003e\u003cstrong\u003eFor IBM WebSphere Application Server Liberty 17.0.0.3 - 26.0.0.3 using the restConnector-1.0 or restConnector-2.0 feature(s):\u0026nbsp;\u003c/strong\u003e\u003cbr\u003e\u00b7 Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves\u0026nbsp;\u003ca href=\"https://www.ibm.com/support/pages/node/7266844\" rel=\"nofollow\"\u003ePH70327\u003c/a\u003e\u0026nbsp;\u003cbr\u003e--OR--\u003cbr\u003e\u00b7 Apply Liberty Fix Pack 26.0.0.4 or later (targeted availability 2Q2026).\u0026nbsp;\u003cbr\u003e\u003cbr\u003eAdditional interim fixes may be available and linked off the interim fix download page.\u003c/p\u003e"
            }
          ],
          "value": "IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR\u00a0PH70327. To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to\u00a0 How to determine if Liberty is using a specific feature https://www.ibm.com/support/pages/node/6553910 .\u00a0\n\nFor IBM WebSphere Application Server Liberty 17.0.0.3 - 26.0.0.3 using the restConnector-1.0 or restConnector-2.0 feature(s):\u00a0\n\u00b7 Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves\u00a0 PH70327 https://www.ibm.com/support/pages/node/7266844 \u00a0\n--OR--\n\u00b7 Apply Liberty Fix Pack 26.0.0.4 or later (targeted availability 2Q2026).\u00a0\n\nAdditional interim fixes may be available and linked off the interim fix download page."
        }
      ],
      "title": "IBM WebSphere Application Server Liberty is affected by a privilege escalation vulnerability",
      "x_generator": {
        "engine": "ibm-cvegen"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2025-14915",
    "datePublished": "2026-03-25T20:12:27.207Z",
    "dateReserved": "2025-12-18T19:51:26.277Z",
    "dateUpdated": "2026-03-27T03:55:36.433Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-14917 (GCVE-0-2025-14917)

Vulnerability from cvelistv5 – Published: 2026-03-25 20:13 – Updated: 2026-03-27 03:55

Title

IBM WebSphere Application Server Liberty could provide weaker than expected security

Summary

IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application Server Liberty could provide weaker than expected security when administering security settings.

Severity

6.7 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-1393 - Use of Default Password

Assigner

ibm

References

1 reference

URL	Tags
https://www.ibm.com/support/pages/node/7267362	vendor-advisorypatch

Impacted products

1 product

Vendor	Product	Version
IBM	WebSphere Application Server - Liberty	Affected: 17.0.0.3 , ≤ 26.0.0.3 (semver) cpe:2.3:a:ibm:websphere_application_server___liberty:17.0.0.3:::::::* cpe:2.3:a:ibm:websphere_application_server___liberty:26.0.0.3:::::::*

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-14917",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-26T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-27T03:55:36.998Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:ibm:websphere_application_server___liberty:17.0.0.3:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:websphere_application_server___liberty:26.0.0.3:*:*:*:*:*:*:*"
          ],
          "product": "WebSphere Application Server - Liberty",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "26.0.0.3",
              "status": "affected",
              "version": "17.0.0.3",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application Server Liberty could provide weaker than expected security when administering security settings.\u003c/p\u003e"
            }
          ],
          "value": "IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application Server Liberty could provide weaker than expected security when administering security settings."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1393",
              "description": "CWE-1393 Use of Default Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-25T20:19:13.832Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://www.ibm.com/support/pages/node/7267362"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR\u0026nbsp;PH70078.\u0026nbsp;To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to\u0026nbsp;\u003ca title=\"How to determine if Liberty is using a specific feature\" href=\"https://www.ibm.com/support/pages/node/6553910\" rel=\"nofollow\"\u003eHow to determine if Liberty is using a specific feature\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAttention: After installing the interim fix or fixpack, please follow the additional instructions provided in the interim fix link referenced below to complete the remediation.\u003c/strong\u003e\u003cbr\u003e\u003cbr\u003e\u003cstrong\u003eFor IBM WebSphere Application Server Liberty 17.0.0.3 - 26.0.0.3 using the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0, appSecurity-4.0 or appSecurity-5.0 feature(s):\u0026nbsp;\u003c/strong\u003e\u003cbr\u003e\u00b7 Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves\u0026nbsp;\u003ca href=\"https://www.ibm.com/support/pages/node/7266845\" rel=\"nofollow\"\u003ePH70078\u003c/a\u003e\u0026nbsp;\u003cstrong\u003eand carefully follow the instructions for steps required after fix installation.\u003c/strong\u003e\u003cbr\u003e--OR--\u003cbr\u003e\u00b7 Apply Liberty Fix Pack 26.0.0.4 or later (targeted availability 2Q2026).\u003cbr\u003e\u003cbr\u003eAdditional interim fixes may be available and linked off the interim fix download page.\u003c/p\u003e"
            }
          ],
          "value": "IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR\u00a0PH70078.\u00a0To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to\u00a0 How to determine if Liberty is using a specific feature https://www.ibm.com/support/pages/node/6553910 .\u00a0\n\nAttention: After installing the interim fix or fixpack, please follow the additional instructions provided in the interim fix link referenced below to complete the remediation.\n\nFor IBM WebSphere Application Server Liberty 17.0.0.3 - 26.0.0.3 using the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0, appSecurity-4.0 or appSecurity-5.0 feature(s):\u00a0\n\u00b7 Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves\u00a0 PH70078 https://www.ibm.com/support/pages/node/7266845 \u00a0and carefully follow the instructions for steps required after fix installation.\n--OR--\n\u00b7 Apply Liberty Fix Pack 26.0.0.4 or later (targeted availability 2Q2026).\n\nAdditional interim fixes may be available and linked off the interim fix download page."
        }
      ],
      "title": "IBM WebSphere Application Server Liberty could provide weaker than expected security",
      "x_generator": {
        "engine": "ibm-cvegen"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2025-14917",
    "datePublished": "2026-03-25T20:13:55.049Z",
    "dateReserved": "2025-12-18T19:59:28.180Z",
    "dateUpdated": "2026-03-27T03:55:36.998Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1561 (GCVE-0-2026-1561)

Vulnerability from cvelistv5 – Published: 2026-03-25 20:10 – Updated: 2026-03-26 15:37

Title

IBM WebSphere Application Server Liberty Server-Side Request Forgery

Summary

IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application Server Liberty is vulnerable to server-side request forgery (SSRF). This may allow remote attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.

Severity

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

ibm

References

1 reference

URL	Tags
https://www.ibm.com/support/pages/node/7267347	vendor-advisorypatch

Impacted products

1 product

Vendor	Product	Version
IBM	WebSphere Application Server Liberty	Affected: 17.0.0.3 , ≤ 26.0.0.3 (semver) cpe:2.3:a:ibm:websphere_application_server:17.0.0.3::::liberty::: cpe:2.3:a:ibm:websphere_application_server:26.0.0.3::::liberty:::

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1561",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-26T15:37:08.406562Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-26T15:37:14.525Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:ibm:websphere_application_server:17.0.0.3:*:*:*:liberty:*:*:*",
            "cpe:2.3:a:ibm:websphere_application_server:26.0.0.3:*:*:*:liberty:*:*:*"
          ],
          "product": "WebSphere Application Server Liberty",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "26.0.0.3",
              "status": "affected",
              "version": "17.0.0.3",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application Server Liberty is vulnerable to server-side request forgery (SSRF). This may allow remote attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.\u003c/p\u003e"
            }
          ],
          "value": "IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application Server Liberty is vulnerable to server-side request forgery (SSRF). This may allow remote attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-25T20:11:57.041Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://www.ibm.com/support/pages/node/7267347"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eRemediation/Fixes IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH70017 . To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to How to determine if Liberty is using a specific feature . For IBM WebSphere Application Server Liberty 17.0.0.3 - 26.0.0.3 using the samlWeb-2.0 feature: \u00b7 Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH70017 --OR-- \u00b7 Apply Liberty Fix Pack 26.0.0.4 or later (targeted availability 2Q2026). Additional interim fixes may be available and linked off the interim fix download page.\u003c/p\u003e"
            }
          ],
          "value": "Remediation/Fixes IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH70017 . To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to How to determine if Liberty is using a specific feature . For IBM WebSphere Application Server Liberty 17.0.0.3 - 26.0.0.3 using the samlWeb-2.0 feature: \u00b7 Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH70017 --OR-- \u00b7 Apply Liberty Fix Pack 26.0.0.4 or later (targeted availability 2Q2026). Additional interim fixes may be available and linked off the interim fix download page."
        }
      ],
      "title": "IBM WebSphere Application Server Liberty  Server-Side Request Forgery",
      "x_generator": {
        "engine": "ibm-cvegen"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2026-1561",
    "datePublished": "2026-03-25T20:10:10.168Z",
    "dateReserved": "2026-01-28T19:33:31.826Z",
    "dateUpdated": "2026-03-26T15:37:14.525Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-29063 (GCVE-0-2026-29063)

Vulnerability from cvelistv5 – Published: 2026-03-06 18:25 – Updated: 2026-03-06 19:33

Title

Immutable.js: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

Summary

Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.

Severity

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Assigner

GitHub_M

References

4 references

URL	Tags
https://github.com/immutable-js/immutable-js/secu…	x_refsource_CONFIRM
https://github.com/immutable-js/immutable-js/rele…	x_refsource_MISC
https://github.com/immutable-js/immutable-js/rele…	x_refsource_MISC
https://github.com/immutable-js/immutable-js/rele…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
immutable-js	immutable-js	Affected: < 3.8.3 Affected: < 4.3.7 Affected: < 5.1.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-29063",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-06T19:32:37.694711Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-06T19:33:31.642Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "immutable-js",
          "vendor": "immutable-js",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.8.3"
            },
            {
              "status": "affected",
              "version": "\u003c 4.3.7"
            },
            {
              "status": "affected",
              "version": "\u003c 5.1.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-06T18:25:22.438Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/immutable-js/immutable-js/security/advisories/GHSA-wf6x-7x77-mvgw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/immutable-js/immutable-js/security/advisories/GHSA-wf6x-7x77-mvgw"
        },
        {
          "name": "https://github.com/immutable-js/immutable-js/releases/tag/v3.8.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/immutable-js/immutable-js/releases/tag/v3.8.3"
        },
        {
          "name": "https://github.com/immutable-js/immutable-js/releases/tag/v4.3.8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/immutable-js/immutable-js/releases/tag/v4.3.8"
        },
        {
          "name": "https://github.com/immutable-js/immutable-js/releases/tag/v5.1.5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/immutable-js/immutable-js/releases/tag/v5.1.5"
        }
      ],
      "source": {
        "advisory": "GHSA-wf6x-7x77-mvgw",
        "discovery": "UNKNOWN"
      },
      "title": "Immutable.js: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027) in immutable"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-29063",
    "datePublished": "2026-03-06T18:25:22.438Z",
    "dateReserved": "2026-03-03T20:51:43.481Z",
    "dateUpdated": "2026-03-06T19:33:31.642Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-0845

CVE-2025-14915 (GCVE-0-2025-14915)

CVE-2025-14917 (GCVE-0-2025-14917)

CVE-2026-1561 (GCVE-0-2026-1561)

CVE-2026-29063 (GCVE-0-2026-29063)

Tags

Sightings

Nomenclature