SB2026052217 - IBM Watson Speech Services Cartridge update for Spring MVC and WebFlux
Published: May 22, 2026
Description
This security bulletin contains information about 1 vulnerability.
CWE-ID: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to corrupt data streams sent to other users.
The vulnerability exists due to improper neutralization of special elements in Server-Sent Events handling in Spring MVC and Spring WebFlux when streaming plain text Server-Sent Events to clients. A remote user who controls data that is streamed to other users can corrupt the data streams those users receive.
The issue is exposed only when plain text messages are used instead of a structured format such as JSON, and user interaction is required.
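The framing problem described above, and a hardened encoder for plain text, as an added example that is not code from this bulletin, from Spring or from IBM. It assumes the special elements are the line terminators of the Server-Sent Events wire format, which the bulletin does not name; the class and method names are hypothetical and the sample message is constructed.

```java
import java.util.ArrayList;
import java.util.List;

public class SseTextFraming {
    // Matches every line terminator the SSE wire format recognises.
    private static final String EOL = "\r\n|\r|\n";

    // Unsafe form (constructed, not Spring's code): text is written verbatim.
    static String naive(String text) {
        return "data: " + text + "\n\n";
    }

    // Hardened: each line of text becomes its own data field, so an embedded terminator cannot end the event.
    static String encode(String text) {
        StringBuilder out = new StringBuilder();
        for (String line : text.split(EOL, -1)) {
            out.append("data: ").append(line).append('\n');
        }
        return out.append('\n').toString();
    }

    // Minimal client-side parser: returns the data payload of each dispatched event.
    static List<String> parse(String stream) {
        List<String> events = new ArrayList<>();
        StringBuilder data = new StringBuilder();
        for (String line : stream.split(EOL, -1)) {
            if (line.isEmpty()) {                       // blank line dispatches the event
                if (data.length() > 0) {
                    events.add(data.substring(0, data.length() - 1));
                    data.setLength(0);
                }
            } else if (line.startsWith("data:")) {
                String value = line.substring(5);
                if (value.startsWith(" ")) value = value.substring(1);
                data.append(value).append('\n');
            }                                           // other fields and comments ignored
        }
        return events;
    }

    public static void main(String[] args) {
        // Constructed sample: one user's message containing a blank line.
        String message = "first line\n\ndata: second line";
        System.out.println(parse(naive(message)).size());   // receiver sees 2 events
        List<String> safe = parse(encode(message));
        System.out.println(safe.size());                     // receiver sees 1 event
        System.out.println(safe.get(0).equals(message));     // payload arrives intact
    }
}
```

The same round-trip check (encode, parse, compare with the input) can be used as a regression test against an endpoint after the vendor update is installed.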
Remediation
Install the update from the vendor's website.