SB2026042720 - Multiple vulnerabilities in IBM App Connect Enterprise
Published: April 27, 2026 Updated: April 30, 2026
Description
This security bulletin contains information about 10 vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2026-33916)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary script code in a victim's browser.
The vulnerability exists due to improper neutralization of input during web page generation in resolvePartial() and invokePartial() in the Handlebars runtime when rendering a partial whose name is resolved through a polluted prototype chain. A remote attacker can pollute Object.prototype with a string value matching a partial reference to execute arbitrary script code in a victim's browser.
Exploitation requires a prototype pollution condition in the target application and user interaction to render a template that references the attacker-chosen partial name. The injected partial content is rendered without HTML escaping, which can result in reflected or stored cross-site scripting.
2) XML injection (CVE-ID: CVE-2026-34601)
CWE-ID: CWE-91 - XML Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject XML markup into serialized output.
The vulnerability exists due to improper neutralization of special elements in XMLSerializer CDATA serialization when serializing attacker-controlled CDATA content containing the CDATA terminator. A remote attacker can supply a crafted string that includes ]]> to inject XML markup into serialized output.
Applications are affected when they embed untrusted input inside CDATA sections in generated XML documents, and mutation methods such as appendData(), replaceData(), direct .data assignment, or .textContent assignment can also introduce the unsafe content.
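The CDATA terminator problem described above, as an added illustration that is not code from the bulletin, from IBM or from any XMLSerializer implementation: a naive wrapper beside the standard split-the-terminator serialization, with a small reader showing what an XML parser would recover from each. The sample string UNTRUSTED is constructed for the demo.

```javascript
const CDATA_OPEN = "<![CDATA[";
const CDATA_CLOSE = "]]>";

// Naive serialization: wraps the content as-is, so a "]]>" inside the
// content closes the section early and everything after it becomes markup.
function wrapCdataNaive(text) {
  return CDATA_OPEN + text + CDATA_CLOSE;
}

// Detection: true if the content would terminate the enclosing CDATA section.
function containsCdataTerminator(text) {
  return text.includes(CDATA_CLOSE);
}

// Safe serialization (the standard technique): split every "]]>" across two
// adjacent sections ("]]" ends the first, "<![CDATA[>" starts the second),
// so the terminator never occurs inside the character data.
function wrapCdataSafe(text) {
  const escaped = text.split(CDATA_CLOSE).join("]]" + CDATA_CLOSE + CDATA_OPEN + ">");
  return CDATA_OPEN + escaped + CDATA_CLOSE;
}

// Minimal reader for a run of CDATA sections: returns the character data an
// XML parser would recover and any text that fell outside the sections
// (which the parser would treat as markup rather than data).
function readCdataSections(fragment) {
  let data = "", outside = "", pos = 0;
  while (pos < fragment.length) {
    const start = fragment.indexOf(CDATA_OPEN, pos);
    if (start === -1) { outside += fragment.slice(pos); break; }
    outside += fragment.slice(pos, start);
    const end = fragment.indexOf(CDATA_CLOSE, start + CDATA_OPEN.length);
    if (end === -1) throw new Error("unterminated CDATA section");
    data += fragment.slice(start + CDATA_OPEN.length, end);
    pos = end + CDATA_CLOSE.length;
  }
  return { data, outside };
}

// Constructed sample input carrying the terminator followed by markup.
const UNTRUSTED = "text]]><injected/>rest";
```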
3) Code Injection (CVE-ID: CVE-2026-33937)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper control of code generation in Handlebars.compile() and the JavaScript code generator when processing a crafted pre-parsed AST object. A remote attacker can supply a crafted AST with a malicious NumberLiteral value to execute arbitrary code.
The issue affects cases where user-controlled JSON or other untrusted input is deserialized and passed directly to compile() as an AST object instead of a template string, and no user interaction is required.
4) Code Injection (CVE-ID: CVE-2026-33938)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to code injection through type confusion in the @partial-block handling and dynamic compilation fallback when processing a tampered @partial-block value during partial invocation. A remote attacker can overwrite @partial-block with a crafted Handlebars AST to execute arbitrary code.
The issue affects handlebars.js when templates can reach and mutate the data frame, and a subsequent {{> @partial-block}} causes the crafted AST to be compiled and executed in the server process.
5) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2026-33939)
CWE-ID: CWE-754 - Improper Check for Unusual or Exceptional Conditions
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper check for unusual or exceptional conditions in template compilation in lib/handlebars/compiler/javascript-compiler.js when processing user-supplied templates containing decorator syntax that references an unregistered decorator. A remote attacker can submit a specially crafted template to cause a denial of service.
The issue occurs because the compiled template invokes the result of lookupProperty(decorators, ...) as a function even when it is undefined, leading to an unhandled TypeError that can crash the Node.js process. It affects applications that compile user-supplied templates at request time.
6) Code Injection (CVE-ID: CVE-2026-33940)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper control of code generation caused by type confusion in dynamic partial handling in lib/handlebars/runtime.js when processing a dynamic partial lookup that returns a crafted object from the template context. A remote attacker can supply a crafted object as the looked-up dynamic partial value to execute arbitrary code.
The issue affects server-side rendering scenarios in which user-controlled context data can be returned by a dynamic partial lookup, such as {{> (lookup . "key")}}. Exploitation requires control over a value returned by the dynamic partial lookup.
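Items 1, 5 and 6 share a lookup problem: a partial or decorator name is resolved through a registry object, and the resolved value is used without checking where it came from or what type it is. The following added example is not Handlebars code; it is a small stand-in runtime showing own-property lookup, a controlled error for an unregistered decorator, and a type check that accepts only a template string or a compiled function as a partial. The compile helper and registry are constructed for the demo; the inherited entry stands in for a polluted prototype without touching the global Object.prototype.

```javascript
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Own-property lookup: values inherited through the prototype chain
// (for example from a polluted Object.prototype) are never returned.
function lookupOwn(container, name) {
  if (container === null || typeof container !== "object") return undefined;
  return hasOwn(container, name) ? container[name] : undefined;
}

// A partial may be a template string (compiled on demand) or an already
// compiled render function; any other type (e.g. a crafted AST object) is rejected.
function resolvePartial(partials, name, compile) {
  const partial = lookupOwn(partials, name);
  if (typeof partial === "function") return partial;
  if (typeof partial === "string") return compile(partial);
  if (partial === undefined) throw new Error(`partial "${name}" is not registered`);
  throw new TypeError(`partial "${name}" has unsupported type ${typeof partial}`);
}

// A decorator must be a function; an unregistered name produces a controlled
// error instead of an unhandled TypeError from calling undefined.
function resolveDecorator(decorators, name) {
  const fn = lookupOwn(decorators, name);
  if (typeof fn !== "function") throw new Error(`decorator "${name}" is not registered`);
  return fn;
}

// Constructed demo: a toy compiler and a partials registry whose prototype
// carries an inherited entry, mimicking pollution without modifying globals.
function demo() {
  const compile = (src) => (ctx) =>
    src.replace(/\{\{(\w+)\}\}/g, (_, k) => String(lookupOwn(ctx, k) ?? ""));
  const registry = Object.create({ footer: "<script>inherited</script>" });
  registry.header = "Hello {{name}}";
  const results = {};
  results.header = resolvePartial(registry, "header", compile)({ name: "Ada" });
  try { resolvePartial(registry, "footer", compile); results.footer = "rendered"; }
  catch (e) { results.footer = e.message; }
  try { resolveDecorator({}, "missing"); results.decorator = "called"; }
  catch (e) { results.decorator = e.message; }
  return results;
}
```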
7) Code Injection (CVE-ID: CVE-2026-33941)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a local user to execute arbitrary JavaScript code.
The vulnerability exists due to improper neutralization of user-controlled input in the Handlebars CLI precompiler when generating JavaScript output from template file names and CLI options. A local user can supply specially crafted template names or option values to execute arbitrary JavaScript code.
The issue affects bin/handlebars and lib/precompiler.js through multiple injection points involving template names, namespace values, CommonJS paths, and AMD paths, and the injected code executes when the generated bundle is loaded in Node.js or a browser. User interaction is required to load the generated bundle.
8) Prototype pollution (CVE-ID: CVE-2026-2950)
CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to modify object prototype attributes.
The vulnerability exists due to improper control of object prototype modification in _.unset and _.omit when processing array-wrapped path segments. A remote attacker can pass crafted path segments to modify object prototype attributes.
The bypass affects checks that only guard against string key members. The issue permits deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype, but does not allow overwriting their original behavior.
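A hardened path-based unset, as an added example that is neither lodash's nor IBM's code: each path segment is coerced with String() before it is compared against prototype-reaching keys, so a segment wrapped in an array is checked the same way as a plain string, and traversal only follows own properties. The helper names are the example's own.

```javascript
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// A property access coerces its key with String(), so ["__proto__"] becomes
// "__proto__". A guard that only tests typeof segment === "string" misses that.
function isForbiddenSegment(segment) {
  return FORBIDDEN_KEYS.has(String(segment));
}

// Deletes the property at `path` and returns true, or returns false without
// touching anything when the path is forbidden, missing, or leaves own properties.
function safeUnset(obj, path) {
  if (obj === null || typeof obj !== "object") return false;
  const segments = Array.isArray(path) ? path : String(path).split(".");
  if (segments.length === 0 || segments.some(isForbiddenSegment)) return false;
  let cur = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = String(segments[i]);
    // Only descend into own, non-null object values; never follow inherited ones.
    if (!hasOwn(cur, key) || cur[key] === null || typeof cur[key] !== "object") return false;
    cur = cur[key];
  }
  const last = String(segments[segments.length - 1]);
  if (!hasOwn(cur, last)) return false;
  delete cur[last];
  return true;
}
```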
9) Code Injection (CVE-ID: CVE-2026-4800)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper control of code generation in _.template when processing untrusted options.imports key names. A remote attacker can supply crafted imports key names to execute arbitrary code.
Code execution occurs at template compilation time. If Object.prototype has been polluted by another vector, inherited polluted keys can also be copied into the imports object and passed to Function().
10) Command Injection (CVE-ID: CVE-2021-23337)
CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation when processing templates. A remote privileged user can inject and execute arbitrary commands on the system.
Remediation
Install the update from the vendor's website.