Filtered by vendor Ibm
Subscriptions
Total
8373 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-8505 | 1 Ibm | 1 Langflow Oss | 2026-07-17 | 9.8 Critical |
| IBM Langflow OSS 1.0.0 through 1.10.0 has a vulnerability in Langflow's webhook authentication logic allows unauthenticated users to trigger the execution of any flow. The system incorrectly bypasses API key validation when the WEBHOOK_AUTH_ENABLE configuration is set to False (which is the default setting). This allows a remote attacker who knows a flow's UUID to execute it as if they were the owner, potentially leading to Remote Code Execution (RCE). | ||||
| CVE-2026-7755 | 1 Ibm | 1 Langflow Oss | 2026-07-17 | 8.8 High |
| IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow remote code execution due to incomplete validation enforcement on MCP server configuration files. | ||||
| CVE-2026-15093 | 1 Ibm | 1 Engineering Ai Hub | 2026-07-17 | 4.3 Medium |
| IBM Engineering AI Hub 1.0.0, 1.1.0, and 1.2.0 could allow a remote attacker to redirect users to malicious websites due to improper validation of user-supplied URLs. | ||||
| CVE-2026-13445 | 1 Ibm | 1 Langflow Oss | 2026-07-17 | 8.1 High |
| IBM Langflow OSS 1.0.0 through 1.10.1 can allow an authenticated attacker to exploit the SaveToFile component to read and modify another user's uploaded files by specifying absolute paths pointing to victim storage locations. In append mode, the attacker's workflow reads victim file contents, appends attacker-controlled data, and uploads a copy containing victim data to the attacker's namespace (confidentiality breach). In overwrite mode, the attacker can replace victim file contents with arbitrary data (integrity breach). This breaks the storage ownership boundary between users. | ||||
| CVE-2026-13446 | 1 Ibm | 1 Langflow Oss | 2026-07-17 | 9.8 Critical |
| IBM Langflow OSS 1.0.0 through 1.10.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. | ||||
| CVE-2026-13448 | 1 Ibm | 1 Langflow Oss | 2026-07-17 | 8.1 High |
| IBM Langflow OSS 1.0.0 through 1.10.1 Lanflow OSS contains an unauthenticated remote code execution vulnerability in the public flow build endpoint ( /api/v1/build_public_tmp/{flow_id}/flow ). The vulnerability stems from an incomplete denylist in the validate_public_flow_no_code_execution() function that fails to block several code-execution agent components including OpenDsStarAgent, CodeActAgentSmolagents, and CSVAgent. | ||||
| CVE-2026-13473 | 1 Ibm | 1 Storage Protect Client | 2026-07-17 | 8.1 High |
| IBM Storage Protect Client 8.1.0.0 through 8.1.27.0, 8.1.27.1, and 8.2.0.0 through 8.2.1.0 IBM Storage Protect is vulnerable to a heap-based buffer overflow, caused by improper bounds checking. A remote attacker could overflow a buffer and execute arbitrary code on the system or cause the server to crash. | ||||
| CVE-2026-14499 | 1 Ibm | 1 Langflow Oss | 2026-07-17 | 8.8 High |
| IBM Langflow OSS 1.0.0 through 1.10.1 Langflow could allow an authenticated user to execute arbitrary commands with elevated privileges on the system due to improper validation of user supplied input in the Python Interpreter component. | ||||
| CVE-2026-14501 | 1 Ibm | 2 Agentics, Db2 Genius Hub | 2026-07-17 | 4.3 Medium |
| IBM Db2 Genius Hub 1.1, 1.1.1, 1.1.2 and IBM Agentics 1.0 could allow an attacker to execute arbitrary code or obtain sensitive information due to the use of dangerous functions without sufficient restrictions. | ||||
| CVE-2026-14971 | 1 Ibm | 1 Powervm Novalink | 2026-07-17 | 3.9 Low |
| IBM PowerVM Novalink 2.2.02.2.12.2.1.1, and 2.3.02.3.0.12.3.12.3.2 IBM NovaLink APIs misconfiguration may increase attack surface and enable unintended or unauthorized operations under non-default conditions. | ||||
| CVE-2026-14979 | 1 Ibm | 1 Engineering Lifecycle Management | 2026-07-17 | 5.3 Medium |
| IBM Engineering Lifecycle Management 7.0.3 ( Interim Fix 001 through ) Interim Fix 021, 7.1.0 ( Interim Fix 001 through ) Interim Fix 009, and 7.2.0 and 7.2.0 Interim Fix 001 DOORS could allow a remote attacker to cause a denial of service due to improper handling of XML entity expansion. | ||||
| CVE-2026-9202 | 1 Ibm | 1 Langflow Oss | 2026-07-17 | 9.8 Critical |
| IBM Langflow OSS 1.0.0 through 1.10.0 allows unauthenticated attackers to create unlimited user accounts on any Langflow instance; when NEW_USER_IS_ACTIVE=true (documented deployment option), newly created accounts are immediately active and can authenticate to reach RCE endpoints, bypassing the need for AUTO_LOGIN. | ||||
| CVE-2026-7754 | 1 Ibm | 1 Langflow Oss | 2026-07-17 | 7.7 High |
| IBM Langflow OSS 1.0.0 through 1.10.0 Langflow 1.9.0 could allow server-side request forgery (SSRF) due to insecure default configuration and incomplete enforcement of the SSRF protection mechanism. | ||||
| CVE-2026-15069 | 1 Ibm | 1 Engineering Ai Hub | 2026-07-17 | 5.4 Medium |
| IBM Engineering AI Hub 1.0.0, 1.1.0, and 1.2.0 could allow a remote attacker to execute arbitrary script code due to improper neutralization of input during web page generation. | ||||
| CVE-2026-8481 | 1 Ibm | 1 Langflow Oss | 2026-07-17 | 9.9 Critical |
| IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution vulnerability in the code validation API endpoint. The POST /api/v1/validate/code endpoint accepts user-supplied Python code and executes it directly using Python's built-in exec() function without sandboxing, input validation, or privilege restrictions, enabling any authenticated user to execute arbitrary system commands with the full privileges of the Langflow server process. | ||||
| CVE-2026-15091 | 1 Ibm | 1 Engineering Ai Hub | 2026-07-17 | 9.3 Critical |
| IBM Engineering AI Hub 1.0.0, 1.1.0, and 1.2.0 could allow a remote attacker to execute arbitrary scripts due to improper neutralization of input during web page generation. | ||||
| CVE-2026-15322 | 1 Ibm | 1 Engineering Ai Hub | 2026-07-17 | 7.5 High |
| IBM Engineering AI Hub 1.0.0, 1.1.0, and 1.2.0 could allow a remote attacker to obtain sensitive information due to the exposure of session tokens in URLs. | ||||
| CVE-2026-15995 | 1 Ibm | 1 Cognos Analytics | 2026-07-17 | 5.4 Medium |
| IBM Cognos Analytics 12.1.3 GA Version with build number through 12.1.3-2606251736 could allow an attacker to obtain incorrect report summary results or cause report-processing failures due to a race condition in the Agentic AI assistant's concurrent request-handling logic when multiple authenticated users submit report-related tasks simultaneously. | ||||
| CVE-2026-4938 | 1 Ibm | 4 Security Verify Access, Security Verify Access Container, Verify Identity Access and 1 more | 2026-07-17 | 6.5 Medium |
| IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 and IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 could allow an attacker with read-only privileges to make unauthorized modifications and deployments outside of their assigned permissions. | ||||
| CVE-2026-4942 | 1 Ibm | 1 I | 2026-07-17 | 5.9 Medium |
| IBM i 7.6, 7.5, 7.4, and 7.3 could allow a remote attacker to send a specifically crafted message and downgrade the Transport Layer Security (TLS) protocol to a version disabled in the server configuration. | ||||