SB2026031635 - Multiple vulnerabilities in IBM QRadar Suite
Published: March 16, 2026
Description
This security bulletin contains information about 17 security vulnerabilities.
1) Prototype pollution (CVE-ID: CVE-2025-57350)
The vulnerability allows a remote attacker to pollute JavaScript object prototypes, leading to information disclosure or data manipulation.
The vulnerability exists due to insufficient sanitization of nested header names during parsing in the parser_jsonarray component. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.
2) Prototype pollution (CVE-ID: CVE-2025-57352)
The vulnerability allows a remote attacker to perform a denial of service attack or execute arbitrary code.
The vulnerability exists due to insufficient validation of attribute namespace removal operations, which allows unintended modification of critical object prototypes. A remote attacker can manipulate the prototype chain of JavaScript objects by supplying malicious input that uses the "__proto__" property, leading to denial of service or arbitrary code execution.
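The two prototype-pollution items above share one mechanism: a parser that turns nested names from untrusted input into object keys and, in doing so, walks through "__proto__" onto Object.prototype. The following added example (written for this bulletin, not code from IBM QRadar Suite or from the affected parser) shows a vulnerable nested-key setter next to a hardened one. The dotted "a.b.c=value" input format, the function names and the "polluted" marker are assumptions chosen for the demonstration.

```javascript
// Added illustration of prototype pollution through nested key names.
// Not code from IBM QRadar Suite or from the affected parser; the dotted
// "a.b.c=value" input format is an assumption chosen for the demo.

// Vulnerable: walks a dotted key path and creates intermediate objects as
// needed, without checking the key names. A path beginning with "__proto__"
// resolves to Object.prototype, so the final assignment pollutes every object.
function setNestedUnsafe(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (typeof cur[keys[i]] !== 'object' || cur[keys[i]] === null) {
      cur[keys[i]] = {};
    }
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened: reject the keys that reach the prototype chain, only descend
// into own properties, and build null-prototype objects so a literal
// "__proto__" key could never act as a setter even if it slipped through.
const FORBIDDEN_KEYS = new Set(['__proto__', 'prototype', 'constructor']);

function setNestedSafe(target, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) {
      throw new Error(`refusing to set reserved key "${k}"`);
    }
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) {
      cur[k] = Object.create(null);
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Builds a nested object from [name, value] pairs using the given setter.
// The safe setter starts from a null-prototype root for the same reason.
function buildNested(entries, setter) {
  const root = setter === setNestedSafe ? Object.create(null) : {};
  for (const [name, value] of entries) setter(root, name, value);
  return root;
}

// True if Object.prototype has picked up the "polluted" marker.
function isPolluted() {
  return ({}).polluted !== undefined;
}

// Constructed malicious input: one ordinary key, one that targets the prototype.
const MALICIOUS_ENTRIES = [
  ['config.timeout', '30'],
  ['__proto__.polluted', 'yes'],
];

// Runs the unsafe builder on the malicious input, reports whether the global
// prototype was polluted, and cleans up afterwards so the process is left intact.
function demonstrateUnsafe() {
  buildNested(MALICIOUS_ENTRIES, setNestedUnsafe);
  const polluted = isPolluted();
  delete Object.prototype.polluted;
  return polluted;
}

// Runs the safe builder on the same input and returns the error message it throws.
function demonstrateSafe() {
  try {
    buildNested(MALICIOUS_ENTRIES, setNestedSafe);
    return null;
  } catch (e) {
    return e.message;
  }
}

console.log('unsafe builder pollutes Object.prototype:', demonstrateUnsafe());
console.log('safe builder result:', demonstrateSafe());
```

The key-name denylist alone is not enough in general code, since a value reached through "constructor.prototype" or a JSON document carrying an own "__proto__" property can take other routes; the null-prototype objects and the own-property check are what close those. When triaging an affected deployment, the quickest check for an already polluted process is exactly the isPolluted() style probe: evaluate a fresh object literal and look for properties it should not have.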
3) Input validation error (CVE-ID: CVE-2025-9288)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to a missing type check when handling untrusted input that can lead to calculation of invalid values or rewinding the hash state. A remote attacker can pass specially crafted data to the application and bypass implemented security restrictions.
4) Deserialization of Untrusted Data (CVE-ID: CVE-2020-7660)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data in the function "deleteFunctions" within "index.js". A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
5) Infinite loop (CVE-ID: CVE-2025-62727)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to quadratic-time processing in the HTTP Range header parsing and merging logic of Starlette's FileResponse. A remote attacker can send a specially crafted Range header that keeps the server busy in this logic and cause denial of service conditions.
6) Improper authorization (CVE-ID: CVE-2024-51479)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to an error when handling authorization requests based on pathname. A remote attacker can bypass authorization and gain access to sensitive information.
7) Input validation error (CVE-ID: CVE-2025-9287)
The vulnerability allows a remote attacker to manipulate data or perform a denial of service attack.
The vulnerability exists due to a missing type check of untrusted input. A remote attacker can manipulate data representation within the application, which can lead to denial of service conditions or various calculation errors when handling private keys or hashes.
8) Race condition (CVE-ID: CVE-2025-32421)
The vulnerability allows a remote attacker to gain access to sensitive information or perform a spoofing attack.
The vulnerability exists due to a race condition within the Pages Router. A remote attacker can win the race so that a normal page request returns pageProps data instead of the rendered HTML, and poison the CDN cache by having the response body of a non-cacheable data request (?__nextDataRequest=1) served under the cacheable headers of a normal request, such as Cache-Control: public, max-age=300.
9) Improper authorization (CVE-ID: CVE-2025-29927)
The vulnerability allows a remote attacker to bypass authorization process.
The vulnerability exists due to missing authorization checks. A remote attacker can bypass authorization mechanism and compromise the affected application.
10) Missing Origin Validation in WebSockets (CVE-ID: CVE-2025-48068)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to missing origin validation on the WebSocket interface of the development server when the project uses the App Router. While "next dev" is running, a malicious website can open a WebSocket connection to localhost and read component source code.
11) Input validation error (CVE-ID: CVE-2025-6545)
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists because the application silently returns predictable, uninitialized or zero-filled memory for non-normalized or unimplemented algorithm strings instead of rejecting them. A remote attacker can exploit this behaviour to perform a spoofing attack.
12) Input validation error (CVE-ID: CVE-2025-6547)
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to insufficient validation of user-supplied input: the application silently disregards Uint8Array input. A remote attacker can spoof a signature.
13) Input validation error (CVE-ID: CVE-2025-55173)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input within the Image Optimization feature. A remote attacker with control over external image sources can trigger file downloads with arbitrary content and filenames under specific configurations and perform phishing attacks.
14) Use of cache containing sensitive information (CVE-ID: CVE-2025-57752)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to improper cache management in Image Optimization API. A remote attacker can gain access to sensitive images cached by the application.
15) Resource exhaustion (CVE-ID: CVE-2024-47831)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources in the image optimization feature. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
16) Insufficient technical documentation (CVE-ID: CVE-2024-51744)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to unclear documentation of the error behavior of "ParseWithClaims". A remote attacker can trick the victim into accepting invalid tokens, which can lead to information disclosure.
17) Use of insufficiently random values (CVE-ID: CVE-2025-22150)
The vulnerability allows a remote attacker to perform a MitM attack.
The vulnerability exists because the fetch() function uses "Math.random()" to choose the boundary for "multipart/form-data" requests. A remote attacker who is able to intercept traffic can predict the boundary and tamper with requests going to the backend APIs.
Remediation
Install the update from the vendor's website.