SB2026052217 - IBM Watson Speech Services Cartridge update for Spring MVC and WebFlux




Published: May 22, 2026

Security Bulletin ID SB2026052217
CSH Severity Low
Patch available YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2026-22735)

CWE-ID: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to corrupt data streams sent to other users.

The vulnerability exists due to improper neutralization of special elements in Server-Sent Events handling in Spring MVC and Spring WebFlux when streaming plain text Server-Sent Events to clients. A remote user who controls data that is streamed to other users can corrupt the data streams those users receive.

The issue is exposed only when plain text messages are used instead of a structured format such as JSON, and user interaction is required.
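
The framing problem described above, shown as an added example that is not part of the bulletin or of Spring's code. It assumes the special elements are the line terminators that separate fields and events in the Server-Sent Events wire format, which the bulletin does not spell out; `SAMPLE` and all function names are constructed for illustration.

```python
import json

# Constructed sample: user-supplied text containing line breaks and SSE field names.
SAMPLE = "line one\n\nevent:notice\ndata:second event"

def _lines(text):
    # SSE treats CRLF, CR and LF all as line terminators.
    return text.replace("\r\n", "\n").replace("\r", "\n").split("\n")

def encode_naive(text):
    """Weak form: the text is written verbatim after a single 'data:' prefix."""
    return f"data: {text}\n\n"

def encode_safe(text):
    """Hardened form: every line of the text gets its own 'data:' prefix."""
    return "".join(f"data: {line}\n" for line in _lines(text)) + "\n"

def encode_json(obj):
    """Structured form: json.dumps escapes CR/LF, so the payload is one line."""
    return f"data: {json.dumps(obj)}\n\n"

def parse_events(stream):
    """Minimal SSE reader; returns the (event type, data) pairs a client dispatches."""
    events, event_type, data = [], "message", []
    for line in _lines(stream):
        if line == "":                      # blank line ends the current event
            if data:
                events.append((event_type, "\n".join(data)))
            event_type, data = "message", []
        elif not line.startswith(":"):      # lines starting with ':' are comments
            field, _, value = line.partition(":")
            value = value[1:] if value.startswith(" ") else value
            if field == "data":
                data.append(value)
            elif field == "event":
                event_type = value
    return events

if __name__ == "__main__":
    for encoder in (encode_naive, encode_safe):
        print(encoder.__name__, parse_events(encoder(SAMPLE)))
    print("encode_json", parse_events(encode_json({"text": SAMPLE})))
```

With the weak encoder the reader dispatches two events from one message; with the hardened or JSON encoder it dispatches exactly one, whose payload equals the original text.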


Remediation

Install the update from the vendor's website.