SB2026040225 - Multiple vulnerabilities in IBM Guardium Data Security Center



Published: April 2, 2026

Security Bulletin ID: SB2026040225
Severity: High
Patch available: YES
Number of vulnerabilities: 26
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 4%, Medium 65%, Low 31%

Description

This security bulletin contains information about 26 security vulnerabilities.


1) Resource exhaustion (CVE-ID: CVE-2025-61726)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources within the Request.ParseForm method in net/http when parsing a URL-encoded form. A remote attacker can send an overly large request with a large number of key-value pairs and consume all available memory on the system.


2) Improper certificate validation (CVE-ID: CVE-2025-61727)

The vulnerability allows a remote attacker to perform a MitM attack.

The vulnerability exists in crypto/x509 due to incorrect handling of wildcard SANs in the leaf certificate when processing excluded name constraints in a certificate chain. A remote attacker can create a specially crafted certificate, bypass the implemented domain restrictions and perform MitM or phishing attacks.


3) Input validation error (CVE-ID: CVE-2025-61728)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when parsing zip archives. A remote attacker can pass a specially crafted zip archive to the application and perform a denial of service (DoS) attack.


4) Resource exhaustion (CVE-ID: CVE-2025-61729)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources within the HostnameError.Error() function in crypto/x509 when printing the error string for host certificate validation. A remote attacker can supply a specially crafted certificate to the application and trigger resource exhaustion, leading to a denial of service condition.


5) Race condition (CVE-ID: CVE-2025-61730)

The vulnerability allows a remote attacker to perform a MitM attack.

The vulnerability exists due to a race condition when handling multiple messages during the TLS 1.3 handshake. A remote attacker with the ability to inject messages during the handshake can gain access to sensitive information.


6) Improper Certificate Validation (CVE-ID: CVE-2025-68121)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to improper certificate validation for HTTP/3 connections. A remote attacker can cause a client to resume a session with a server that it would not have resumed with during the initial handshake.


7) Reachable Assertion (CVE-ID: CVE-2021-31294)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because Redis allows a replica to cause an assertion failure in a primary server. A remote attacker can send a non-administrative command (specifically, a SET command) and perform a denial of service (DoS) attack.


8) Uncontrolled recursion (CVE-ID: CVE-2026-0994)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to uncontrolled recursion within google.protobuf.json_format.ParseDict(). A remote attacker can pass specially crafted input to the application and perform a denial of service attack.


9) Incorrect Regular Expression (CVE-ID: CVE-2026-25896)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to insufficient input validation when processing regular expressions in DOCTYPE entity names. A remote attacker can bypass the XML entity encoding.


10) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2026-27148)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists because the WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. A remote unauthenticated attacker can trick the victim into visiting a malicious website while their local Storybook dev server is running.


11) Uncaught Exception (CVE-ID: CVE-2026-25128)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an unhandled RangeError when processing numeric entities. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.


12) NULL pointer dereference (CVE-ID: CVE-2026-26278)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the replaceEntitiesValue() function in OrderedObjParser.js. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.


13) Prototype pollution (CVE-ID: CVE-2025-13465)

The vulnerability allows a remote attacker to alter the application's behavior.

The vulnerability exists due to improper input validation within the _.unset and _.omit functions. A remote attacker can pass specially crafted input to the application and delete methods from global prototypes.


14) Prototype pollution (CVE-ID: CVE-2025-64718)

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted input to the application and perform prototype pollution attacks.
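Items 13 and 14 both describe prototype pollution through object-merging and path-based deletion helpers. The following is an added example, written for this bulletin and not code from lodash or any affected project: a naive recursive merge that pollutes Object.prototype when fed a constructed `__proto__` payload, beside a hardened merge and a hardened path-based unset that refuse the keys an attacker uses to reach the prototype chain. The function names and the payload are constructed for illustration.

```javascript
// Added example; not code from lodash, the bulletin or IBM.
// A naive recursive merge that is open to prototype pollution, beside a
// hardened merge and a hardened unset that refuse the keys an attacker uses
// to reach Object.prototype.
const POLLUTING_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: for...in visits the own "__proto__" key that JSON.parse creates,
// and target["__proto__"] resolves to Object.prototype, so the recursion
// writes attacker-controlled properties onto every object in the process.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: own keys only, dangerous keys dropped, and nested merges only
// descend into objects the target itself owns.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (POLLUTING_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened path-based delete (the _.unset shape): a path that traverses a
// prototype key is rejected outright instead of deleting from the prototype.
function safeUnset(obj, path) {
  const segments = Array.isArray(path) ? path : path.split('.');
  if (segments.some((s) => POLLUTING_KEYS.has(s))) {
    throw new Error(`refusing to traverse prototype key in path "${segments.join('.')}"`);
  }
  let cur = obj;
  for (let i = 0; i < segments.length - 1; i += 1) {
    if (!isPlainObject(cur) || !hasOwn(cur, segments[i])) return false;
    cur = cur[segments[i]];
  }
  const last = segments[segments.length - 1];
  if (!isPlainObject(cur) || !hasOwn(cur, last)) return false;
  delete cur[last];
  return true;
}

// Constructed payload of the shape used against deep-merge helpers.
const PAYLOAD = JSON.parse('{"__proto__": {"polluted": true}, "name": "ok"}');

// Runs both merges against the payload and reports whether Object.prototype
// was touched. The pollution caused by unsafeMerge is undone before returning.
function demonstrate() {
  unsafeMerge({}, PAYLOAD);
  const unsafePolluted = ({}).polluted === true;   // true: every object now "has" polluted
  delete Object.prototype.polluted;
  const merged = safeMerge({}, PAYLOAD);
  const safePolluted = ({}).polluted === true;     // false
  return { unsafePolluted, safePolluted, mergedName: merged.name };
}
```

The practical check for any merge, set or unset helper that takes attacker-influenced keys is the same: iterate own keys only, block `__proto__`, `constructor` and `prototype`, and never descend into a property the target does not own.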


15) Link following (CVE-ID: CVE-2025-54798)

The vulnerability allows a local user to modify data on the system.

The vulnerability exists due to an insecure link following issue. A local user can create a specially crafted symbolic link to a critical file on the system and overwrite it with privileges of the application.


16) OS Command Injection (CVE-ID: CVE-2025-64756)

The vulnerability allows a remote user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation when processing file names. A remote user can pass a specially crafted filename to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


17) Inefficient regular expression complexity (CVE-ID: CVE-2025-69873)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists because the pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation when the $data option is enabled. A local user can inject a malicious regex pattern (e.g., "^(a|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation.


18) Resource exhaustion (CVE-ID: CVE-2025-15284)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the arrayLimit option does not enforce limits for bracket notation (a[]=1&a[]=2). A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


19) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2026-25639)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper error handling of the proto key in mergeConfig. A remote attacker can send specially crafted data to the application and perform a denial of service (DoS) attack.


20) Improper Handling of Unexpected Data Type (CVE-ID: CVE-2025-7339)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can inadvertently modify response headers when an array is passed to `response.writeHead()`.


21) Inefficient regular expression complexity (CVE-ID: CVE-2026-26996)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with regular expressions within the "minimatch" function. A remote attacker can pass specially crafted data to the application and perform a regular expression denial of service (ReDoS) attack.


22) Inefficient regular expression complexity (CVE-ID: CVE-2025-5889)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with regular expressions. A remote user can pass specially crafted data to the application and perform a regular expression denial of service (ReDoS) attack.
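Items 17, 21 and 22 are all regular expression denial of service, and item 17 in particular comes from runtime data reaching the RegExp() constructor unchecked. The following is an added example for this bulletin, not code from ajv, minimatch or any affected project, showing the two controls a defender applies at that boundary: escape runtime data so it is matched literally, or, where a caller-supplied pattern is genuinely required, cap its length and statically reject the shapes that backtrack catastrophically (a quantified group whose body contains another quantifier or an alternation, which covers the "^(a|a)*$" pattern quoted in item 17). The constant, function names and the heuristic are assumptions of this example; the heuristic is conservative and is not a proof of linear-time matching.

```javascript
// Added example; not code from ajv, minimatch or the bulletin.
// Two controls for a string that reaches the RegExp constructor at runtime:
// escape it so it is matched literally, or, if it must be a pattern, cap its
// length and reject shapes that backtrack catastrophically.
const MAX_PATTERN_LENGTH = 256;   // assumed cap for this example
const QUANTIFIERS = '*+?{';

// Runtime data treated as literal text: "^(a|a)*$" then matches only that
// exact string and cannot change the shape of the automaton.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

function matchesLiteral(data, input) {
  return new RegExp('^' + escapeRegExp(data) + '$').test(input);
}

// Static heuristic: flag a quantified group whose body contains a quantifier
// or an alternation, e.g. (a+)+ or ^(a|a)*$. Conservative (it also flags
// bounded repeats such as (a{3})+) and not a proof of linear-time matching.
function isRiskyPattern(pattern) {
  const groups = [];   // one entry per open group: did its body contain | or a quantifier?
  let i = 0;
  while (i < pattern.length) {
    const c = pattern[i];
    if (c === '\\') { i += 2; continue; }            // escaped char: skip both
    if (c === '[') {                                 // character class: skip to closing ]
      i += 1;
      if (pattern[i] === '^') i += 1;
      if (pattern[i] === ']') i += 1;
      while (i < pattern.length && pattern[i] !== ']') {
        if (pattern[i] === '\\') i += 1;
        i += 1;
      }
      i += 1;
      continue;
    }
    if (c === '(') {
      groups.push({ inner: false });
      i += 1;
      if (pattern[i] === '?') i += 2;                // skip (?: (?= (?! (?< prefixes
      continue;
    }
    if (c === ')') {
      const g = groups.pop() || { inner: false };
      i += 1;
      const quantified = i < pattern.length && QUANTIFIERS.includes(pattern[i]);
      if (quantified && g.inner) return true;
      // A quantified or alternation-bearing subgroup counts as "inner" for its parent.
      if (groups.length && (quantified || g.inner)) groups[groups.length - 1].inner = true;
      continue;
    }
    if (groups.length && (c === '|' || QUANTIFIERS.includes(c))) groups[groups.length - 1].inner = true;
    i += 1;
  }
  return false;
}

// Gate for a caller-supplied pattern: type, length, then the shape check.
function compileUserPattern(pattern) {
  if (typeof pattern !== 'string') throw new TypeError('pattern must be a string');
  if (pattern.length > MAX_PATTERN_LENGTH) throw new RangeError('pattern too long');
  if (isRiskyPattern(pattern)) {
    throw new Error('pattern rejected: quantified group with nested quantifier or alternation');
  }
  return new RegExp(pattern);
}
```

Where the runtime value is meant to be compared as data (the usual case behind a $data reference), matchesLiteral is the right tool and the heuristic is not needed at all; compileUserPattern is for the narrower case where a trusted-but-validated pattern must be accepted, and it should be paired with a bound on the length of the input the compiled expression is run against.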


23) Input validation error (CVE-ID: CVE-2026-2391)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the arrayLimit option in qs does not enforce limits for comma-separated values when comma: true is enabled. A remote attacker can pass an overly large string to the application and consume all available memory, leading to a denial of service condition.
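Items 18 and 23 are the same class of defect: an element limit that is enforced for one query-string syntax but not for another (bracket notation in one case, comma-separated values in the other). The following is an added example for this bulletin, not code from qs or any affected project: a small query-string parser in which one element cap covers plain repeats, bracket notation and, when comma splitting is enabled, comma-separated values, plus a cap on the total number of pairs. It fails closed (throws) on over-limit input instead of reshaping it; the option names mirror the ones named in the bulletin but the functions and defaults are assumptions of this example.

```javascript
// Added example; not code from qs or the bulletin.
// A query-string parser that enforces a cap on the total number of pairs and an
// element cap that also covers bracket notation (a[]=1&a[]=2) and, when comma
// splitting is enabled, comma-separated values (a=1,2,3). Over-limit input is
// rejected rather than silently reshaped.
const DEFAULT_LIMITS = { maxPairs: 1000, arrayLimit: 20, commaSplit: false }; // assumed defaults

function decodeComponent(s) {
  return decodeURIComponent(s.replace(/\+/g, ' '));   // throws URIError on malformed %xx
}

function parseQueryBounded(query, options = {}) {
  const limits = { ...DEFAULT_LIMITS, ...options };
  const result = Object.create(null);       // no prototype, so "__proto__" is an ordinary key
  const pairs = query.replace(/^\?/, '').split('&').filter((p) => p.length > 0);
  if (pairs.length > limits.maxPairs) {
    throw new RangeError(`too many parameters: ${pairs.length} > ${limits.maxPairs}`);
  }
  for (const pair of pairs) {
    const eq = pair.indexOf('=');
    const key = decodeComponent(eq === -1 ? pair : pair.slice(0, eq));
    const val = decodeComponent(eq === -1 ? '' : pair.slice(eq + 1));
    const isArrayKey = key.endsWith('[]');
    const name = isArrayKey ? key.slice(0, -2) : key;
    // With commaSplit every comma-separated piece is its own element and
    // counts against the same limit as a bracket or repeated parameter.
    const values = limits.commaSplit ? val.split(',') : [val];

    const existing = result[name];
    const bucket = Array.isArray(existing) ? existing : existing === undefined ? [] : [existing];
    for (const v of values) {
      if (bucket.length >= limits.arrayLimit) {
        throw new RangeError(`parameter "${name}" exceeds arrayLimit=${limits.arrayLimit}`);
      }
      bucket.push(v);
    }
    result[name] = isArrayKey || bucket.length > 1 ? bucket : bucket[0];
  }
  return result;
}

// Convenience wrapper for a request handler: returns null on any violation so
// the caller can answer 400 instead of spending memory on the request.
function parseQueryOrNull(query, options) {
  try { return parseQueryBounded(query, options); } catch (e) { return null; }
}
```

The point to carry over to any parser: count elements at the place where they are produced, after every syntax that can create one has been expanded, rather than checking one syntax and assuming the others cannot exceed it. The maxPairs check is the same control that item 1 describes as missing in net/http's form parsing.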



24) Improper validation of certificate with host mismatch (CVE-ID: CVE-2025-68161)

The vulnerability allows a remote attacker to perform a MitM attack.

The vulnerability exists because the Socket Appender does not perform TLS hostname verification of the peer certificate, even when the "verifyHostName" configuration attribute or the "log4j2.sslVerifyHostName" system property is set to true. A remote attacker can perform a MitM attack and intercept or redirect the log traffic.


25) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2025-68157)

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input when "experiments.buildHttp" is enabled. A remote user can send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive data located in the local network or to send malicious requests to other servers from the vulnerable system.


26) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2025-68458)

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input when experiments.buildHttp is enabled. A remote user can send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive data located in the local network or to send malicious requests to other servers from the vulnerable system.


Remediation

Install update from vendor's website.