SB2026040225 - Multiple vulnerabilities in IBM Guardium Data Security Center




Published: April 2, 2026

Security Bulletin ID: SB2026040225
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 26
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 4%, Medium: 65%, Low: 31%

Description

This security bulletin contains information about 26 vulnerabilities.


1) Resource exhaustion (CVE-ID: CVE-2025-61726)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources within the Request.ParseForm method in net/http when parsing a URL-encoded form. A remote attacker can pass an overly large request with a large number of key-value pairs and consume all available memory on the system.


2) Improper certificate validation (CVE-ID: CVE-2025-61727)

CWE-ID: CWE-295 - Improper Certificate Validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to perform a MitM attack.

The vulnerability exists in crypto/x509 due to incorrect handling of wildcard SANs in the leaf certificate when processing an excluded constraint in a certificate chain. A remote attacker can create a specially crafted certificate, bypass implemented domain restrictions and perform MitM or phishing attacks.


3) Input validation error (CVE-ID: CVE-2025-61728)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when parsing zip archives. A remote attacker can pass a specially crafted zip archive to the application and perform a denial of service (DoS) attack.


4) Resource exhaustion (CVE-ID: CVE-2025-61729)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources within the HostnameError.Error() function in crypto/x509 when printing the error string for host certificate validation. A remote attacker can supply a specially crafted certificate to the application and trigger resource exhaustion, leading to a denial of service condition.


5) Race condition (CVE-ID: CVE-2025-61730)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to perform a MitM attack.

The vulnerability exists due to a race condition when handling multiple messages during the TLS 1.3 handshake. A remote attacker with the ability to inject messages during the handshake can gain access to sensitive information.


6) Improper Certificate Validation (CVE-ID: CVE-2025-68121)

CWE-ID: CWE-295 - Improper Certificate Validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to improper certificate validation within HTTP/3 connections. A remote attacker can cause a client to resume a session with a server that it would not have resumed with during the initial handshake.


7) Reachable Assertion (CVE-ID: CVE-2021-31294)

CWE-ID: CWE-617 - Reachable Assertion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because Redis allows a replica to cause an assertion failure in a primary server. A remote attacker can send a non-administrative command (specifically, a SET command) to perform a denial of service (DoS) attack.


8) Uncontrolled recursion (CVE-ID: CVE-2026-0994)

CWE-ID: CWE-674 - Uncontrolled Recursion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to uncontrolled recursion within google.protobuf.json_format.ParseDict(). A remote attacker can pass specially crafted input to the application and perform a denial of service attack.


9) Incorrect Regular Expression (CVE-ID: CVE-2026-25896)

CWE-ID: CWE-185 - Incorrect Regular Expression

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N/E:P/U:Green


The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to insufficient input validation when processing regular expressions in DOCTYPE entity names. A remote attacker can bypass the XML entity encoding.


10) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2026-27148)

CWE-ID: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists because the WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. A remote unauthenticated attacker can trick the victim into visiting a malicious website while their local Storybook dev server is running.


11) Uncaught Exception (CVE-ID: CVE-2026-25128)

CWE-ID: CWE-248 - Uncaught Exception

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the RangeError issue in the numeric entity. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.


12) NULL pointer dereference (CVE-ID: CVE-2026-26278)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the replaceEntitiesValue() function in OrderedObjParser.js. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.


13) Prototype pollution (CVE-ID: CVE-2025-13465)

CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to alter application's behavior. 

The vulnerability exists due to improper input validation within the _.unset and _.omit functions. A remote attacker can pass specially crafted input to the application and delete methods from global prototypes.


14) Prototype pollution (CVE-ID: CVE-2025-64718)

CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted input to the application and perform prototype pollution attacks.


15) Link following (CVE-ID: CVE-2025-54798)

CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')

CVSSv4: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to modify data on the system.

The vulnerability exists due to an insecure link following issue. A local user can create a specially crafted symbolic link to a critical file on the system and overwrite it with privileges of the application.


16) OS Command Injection (CVE-ID: CVE-2025-64756)

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation when processing file names. A remote user can pass a specially crafted filename to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


17) Inefficient regular expression complexity (CVE-ID: CVE-2025-69873)

CWE-ID: CWE-1333 - Inefficient Regular Expression Complexity

CVSSv4: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists because the pattern keyword accepts runtime data via JSON Pointer syntax ($data reference) and passes it directly to the JavaScript RegExp() constructor without validation when the $data option is enabled. A local user can inject a malicious regex pattern (e.g., "^(a|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation.
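To find where this pattern exists in a code base, the schemas can be audited for `pattern` keywords fed by a $data reference. The following is an added example, not code from the bulletin or the ajv project; the function names, option object and sample schema are hypothetical, and no ajv API is called.

```javascript
// Added example (not from the bulletin or the ajv project). All names are hypothetical.
// Keywords whose children are keyed by user-chosen names, not schema keywords.
const NAME_MAPS = new Set(["properties", "patternProperties", "definitions", "$defs", "dependentSchemas"]);
// Keywords whose values are plain data, not schemas, and are not walked.
const DATA_VALUES = new Set(["enum", "const", "default", "examples"]);

// Return the JSON Pointer of every `pattern` keyword whose value is a
// { $data: "..." } reference rather than a literal string.
function findDataPatterns(node, pointer = "", isNameMap = false, seen = new Set()) {
  const findings = [];
  if (node === null || typeof node !== "object" || seen.has(node)) return findings;
  seen.add(node); // schemas built in code can share or cycle through objects
  for (const [key, value] of Object.entries(node)) {
    if (!isNameMap && DATA_VALUES.has(key)) continue;
    const here = pointer + "/" + key.replace(/~/g, "~0").replace(/\//g, "~1");
    const isRef = value !== null && typeof value === "object" && typeof value.$data === "string";
    if (!isNameMap && key === "pattern" && isRef) {
      findings.push({ pointer: here, ref: value.$data });
      continue;
    }
    findings.push(...findDataPatterns(value, here, !isNameMap && NAME_MAPS.has(key), seen));
  }
  return findings;
}

// The bulletin ties the exposure to the $data option being enabled, so
// schemas are only reported when the validator options turn it on.
function auditSchemas(validatorOptions, schemas) {
  if (!validatorOptions || validatorOptions.$data !== true) return [];
  return Object.entries(schemas).flatMap(([name, schema]) =>
    findDataPatterns(schema).map((f) => ({ schema: name, ...f })));
}

// Constructed sample schema for illustration.
const sampleSchemas = {
  search: {
    type: "object",
    properties: {
      pattern: { type: "string" }, // a property named "pattern", not the keyword
      value: { type: "string", pattern: { $data: "1/pattern" } },
      tags: { type: "array", items: { type: "string", pattern: "^[a-z]+$" } },
    },
  },
};

console.log(auditSchemas({ $data: true }, sampleSchemas));
```

Each finding is a place where request data chooses the regular expression; replacing the reference with a fixed pattern or an allow-list of patterns removes the exposure at that location.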


18) Resource exhaustion (CVE-ID: CVE-2025-15284)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the arrayLimit option does not enforce limits for bracket notation (a[]=1&a[]=2). A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


19) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2026-25639)

CWE-ID: CWE-754 - Improper Check for Unusual or Exceptional Conditions

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper error handling within proto Key in mergeConfig. A remote attacker can send specially crafted data to the application and perform a denial of service (DoS) attack.


20) Improper Handling of Unexpected Data Type (CVE-ID: CVE-2025-7339)

CWE-ID: CWE-241 - Improper Handling of Unexpected Data Type

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can inadvertently modify response headers when an array is passed to `response.writeHead()`.


21) Inefficient regular expression complexity (CVE-ID: CVE-2026-26996)

CWE-ID: CWE-1333 - Inefficient Regular Expression Complexity

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expression within the "minimatch" function. A remote attacker can pass specially crafted data to the application and perform a regular expression denial of service (ReDoS) attack.


22) Inefficient regular expression complexity (CVE-ID: CVE-2025-5889)

CWE-ID: CWE-1333 - Inefficient Regular Expression Complexity

CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expression. A remote user can pass specially crafted data to the application and perform a regular expression denial of service (ReDoS) attack.


23) Input validation error (CVE-ID: CVE-2026-2391)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the arrayLimit option in qs does not enforce limits for comma-separated values when comma: true is enabled. A remote attacker can pass an overly large string to the application and consume all available memory resources, leading to a denial of service condition.
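Until the update is installed, the two arrayLimit gaps described in items 18 (bracket notation) and 23 (comma-separated values) can be covered by counting elements on the raw query string before it reaches the parser. This is an added example, not code from the bulletin or the qs project; the function names and the limit value are hypothetical, and no qs API is called.

```javascript
// Added example (not from the bulletin or the qs project). All names are hypothetical.
// Decode one query-string component; malformed escapes are kept as-is.
function safeDecode(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, " "));
  } catch (_) {
    return s;
  }
}

// Count how many array elements each key of a raw query string would produce.
// Repeated keys and bracket notation (a[]=1&a[]=2) add one element per pair;
// with `comma` set, each comma-separated value adds one element per item.
// Counting after decoding over-counts slightly, which is the safe direction.
function countArrayElements(rawQuery, { comma = false } = {}) {
  const counts = new Map();
  for (const pair of rawQuery.replace(/^\?/, "").split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const key = safeDecode(eq === -1 ? pair : pair.slice(0, eq)).replace(/\[\]$/, "");
    const value = safeDecode(eq === -1 ? "" : pair.slice(eq + 1));
    const items = comma ? value.split(",").length : 1;
    counts.set(key, (counts.get(key) || 0) + items);
  }
  return counts;
}

// Return the keys whose element count exceeds `limit`, so the caller can
// reject the request before the query string reaches the parser.
function findOversizedArrays(rawQuery, limit, options) {
  return [...countArrayElements(rawQuery, options)]
    .filter(([, n]) => n > limit)
    .map(([key]) => key);
}

// Constructed sample inputs; the limit of 2 is chosen for illustration.
console.log(findOversizedArrays("a[]=1&a[]=2&a[]=3&b=x", 2));        // bracket notation
console.log(findOversizedArrays("a=1,2,3&b=x", 2, { comma: true })); // comma-separated
```

A cap on the total query-string length at the reverse proxy or HTTP server complements this check, since it bounds the work done before any counting happens.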



24) Improper validation of certificate with host mismatch (CVE-ID: CVE-2025-68161)

CWE-ID: CWE-297 - Improper Validation of Certificate with Host Mismatch

CVSSv4: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a MitM attack.

The vulnerability exists because the Socket Appender does not perform TLS hostname verification of the peer certificate, even when the "verifyHostName" configuration attribute or the "log4j2.sslVerifyHostName" system property is set to true. A remote attacker can perform a MitM attack and intercept or redirect the log traffic.


25) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2025-68157)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear


The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input when "experiments.buildHttp" is enabled. A remote user can send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive data located in the local network or to send malicious requests to other servers from the vulnerable system.


26) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2025-68458)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear


The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input when experiments.buildHttp is enabled. A remote user can send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive data located in the local network or to send malicious requests to other servers from the vulnerable system.


Remediation

Install the update from the vendor's website.