SB2026040733 - Multiple vulnerabilities in IBM Maximo Application Suite
Published: April 7, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Type Confusion (CVE-ID: CVE-2025-61911)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to a type confusion error in ldap.filter.escape_filter_chars. A remote attacker can perform ldap injection attack and disclose or manipulate ldap data.
2) Improper Encoding or Escaping of Output (CVE-ID: CVE-2025-61912)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to improper encoding or escaping of output in the "ldap.dn.escape_dn_chars()" function. A remote attacker can perform a denial of service (DoS) attack.
3) Improper Handling of Windows Device Names (CVE-ID: CVE-2026-27199)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to the "safe_join" function allows Windows device names as filenames if when preceded by other path segments. A remote attacker can cause reading of the file to hang indefinitely.
4) Improper Handling of Windows Device Names (CVE-ID: CVE-2026-21860)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to safe_join function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every directory. Windows still accepts them with any file extension, such as CON.txt, or trailing spaces such as CON. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.