SB2026051336 - Multiple vulnerabilities in IBM TXSeries for Multiplatforms

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026051336

SB2026051336 - Multiple vulnerabilities in IBM TXSeries for Multiplatforms

Published: May 13, 2026

Security Bulletin ID SB2026051336
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 20% Low 80%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2025-14915)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application with the restConnector-1.0 or restConnector-2.0 feature enabled. A remote authenticated user can gain unauthorized access to sensitive information and escalate privileges within thin the application.


2) Weak password requirements (CVE-ID: CVE-2025-14917)

The vulnerability allows an attacker to perform a brute-force attack.

The vulnerability exists due to weak password requirements when the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0, appSecurity-4.0 or appSecurity-5.0 feature is enabled. As a result users can set weak passwords to access their accounts. A remote attacker can perform brute-force attack and gain unauthorized access to the application. 


3) Use of hard-coded cryptographic key (CVE-ID: CVE-2025-14923)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to IBM WebSphere Application Server Liberty could provide weaker than expected security when using the Security Utility when administering security settings. A local user can gain unauthorized access to sensitive information on the system.


4) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-1561)

The disclosed vulnerability allows a remote user to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input when the samlWeb-2.0 feature enabled. A remote user can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.


5) Prototype pollution (CVE-ID: CVE-2026-29063)

The vulnerability allows a remote attacker to modify object prototype attributes in affected JavaScript objects.

The vulnerability exists due to improper input validation in the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() functions when processing user-supplied input containing __proto__ properties. A remote attacker can send a specially crafted object input to pollute the prototype of base objects, leading to unauthorized property injection and potential privilege escalation.

Prototype pollution occurs without affecting the global Object.prototype, but injected properties can still be accessed through object property lookups even if not visible via Object.keys().


Remediation

Install update from vendor's website.

References