SB2026031210 - Multiple vulnerabilities in IBM WatsonX BI Assistant for CP4D

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026031210

SB2026031210 - Multiple vulnerabilities in IBM WatsonX BI Assistant for CP4D

Published: March 12, 2026

Security Bulletin ID SB2026031210
Severity
Medium
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 67% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) Improper verification of cryptographic signature (CVE-ID: CVE-2025-65945)

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to improper signature verification under specific conditions when using the HS256 algorithm within the jws.createVerify() function. A remote attacker can manipulate header or payload in the HMAC secret lookup routines and bypass authorization checks. 


2) Interpretation conflict (CVE-ID: CVE-2025-12816)

The vulnerability allows a remote attacker to bypass downstream cryptographic verification and security decisions.

The vulnerability exists due to incorrect validation of ASN.1 structures within the asn1.validate() function in forge/lib/asn1.js. A remote non-authenticated attacker can use specially crafted ASN.1 structures to desynchronize DER schema validations and bypass downstream cryptographic verification and security decisions.


3) Integer overflow (CVE-ID: CVE-2025-66030)

The vulnerability allows a remote attacker to perform spoofing attack. 

The vulnerability exists due to integer overflow within the asn1.derToOid() function in forge/lib/asn1.js when parsing ASN.1 structures containing OIDs with oversized arcs. A remote attacker can construct a specially crafted ASN.1 object to spoof an OID and bypass downstream OID-based security decisions.


4) Uncontrolled recursion (CVE-ID: CVE-2025-66031)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to uncontrolled recursion within the asn1.fromDer() function in forge/lib/asn1.js. A remote non-authenticated attacker can pass specially crafted deep ASN.1 structures to trigger unbounded recursive parsing and perform a denial of service attack.


5) Missing Origin Validation in WebSockets (CVE-ID: CVE-2025-48068)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to missing origin validation on the WebSocket interface  if the project uses the App Router. When running next dev, a malicious website can open a WebSocket connection to localhost and access component source code.


6) Inefficient regular expression complexity (CVE-ID: CVE-2025-5889)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions. A remote user can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.


Remediation

Install update from vendor's website.

References