SB20260515117 - Multiple vulnerabilities in IBM Robotic Process Automation for Cloud Pak

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20260515117

SB20260515117 - Multiple vulnerabilities in IBM Robotic Process Automation for Cloud Pak

Published: May 15, 2026

Security Bulletin ID SB20260515117
CSH Severity
High
Patch available
YES
Number of vulnerabilities 8
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 8 vulnerabilities.


1) Deserialization of Untrusted Data (CVE-ID: CVE-2025-14924)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data within the parsing of checkpoints. A remote attacker can trick a victim to open a specially crafted file and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


2) Code Injection (CVE-ID: CVE-2025-14928)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation within the convert_config function. A remote attacker can trick a victim to convert a malicious checkpoint and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


3) Deserialization of Untrusted Data (CVE-ID: CVE-2025-14929)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data within the parsing of checkpoints. A remote attacker can trick a victim to open a specially crafted file and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


4) Deserialization of Untrusted Data (CVE-ID: CVE-2025-14930)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data within the parsing of weights. A remote attacker can trick a victim to open a specially crafted file and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


5) Deserialization of Untrusted Data (CVE-ID: CVE-2025-14920)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data within the parsing of model files. A remote attacker can trick a victim to open a specially crafted file and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


6) Deserialization of Untrusted Data (CVE-ID: CVE-2025-14921)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data within the parsing of model files. A remote attacker can trick a victim to open a specially crafted file and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


7) Code Injection (CVE-ID: CVE-2025-14926)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation within the convert_config function. A remote attacker can trick a victim to convert a malicious checkpoint and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


8) Code Injection (CVE-ID: CVE-2025-14927)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation within the convert_config function. A remote attacker can trick a victim to convert a malicious checkpoint and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


Remediation

Install update from vendor's website.

References