SB2026031939 - Multiple vulnerabilities in IBM Verify Identity Access Digital Credentials
Published: March 19, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2025-56200)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via "A URL validation bypass vulnerability exists" when crafting URLs leading to XSS and Open Redirect attacks. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website .
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
2) Race condition (CVE-ID: CVE-2025-64118)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to a race condition when reading .tar archives. A local user modify the file to a smaller size wile it's being read by the application and view uninitialized memory contents.
3) Path traversal (CVE-ID: CVE-2025-59343)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to symlink validation bypass if the destination directory is predictable with a specific tarball. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
Remediation
Install update from vendor's website.