SB2026052512 - Multiple vulnerabilities in IBM Cognos Analytics Mobile
Published: May 25, 2026
Description
This security bulletin contains information about 11 vulnerabilities.
1) NULL pointer dereference (CVE-ID: CVE-2026-26278)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in the replaceEntitiesValue() function in OrderedObjParser.js. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
2) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2026-25639)
CWE-ID: CWE-754 - Improper Check for Unusual or Exceptional Conditions
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper error handling of the __proto__ key in mergeConfig. A remote attacker can send specially crafted data to the application and perform a denial of service (DoS) attack.
3) XML Entity Expansion (CVE-ID: CVE-2026-33036)
CWE-ID: CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper restriction of entity expansion in replaceEntitiesValue() in src/xmlparser/OrderedObjParser.js when parsing XML input containing numeric character references or standard XML entities. A remote attacker can send specially crafted XML input with massive numbers of numeric entity references to cause a denial of service.
The configured entity expansion limits are enforced only for DOCTYPE-defined entities, while numeric character references and standard XML entities are processed through a separate code path without expansion counting.
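Added example (not part of the bulletin and not the affected library's code): a pre-parse guard that applies one budget to every kind of entity reference, so numeric character references and standard entities are counted the same way as DOCTYPE-defined ones. The function name checkEntityBudget and the default limits are assumptions chosen for illustration.

```javascript
// Added example: names and default limits are assumptions, not a library API.
// One pattern covers numeric character references (&#65; &#x41;) and named
// references (&lt; &amp; or DOCTYPE-defined names), so no kind is exempt.
const ENTITY_REF = /&(#x[0-9a-fA-F]+|#[0-9]+|[A-Za-z_:][\w:.-]*);/g;

function checkEntityBudget(xml, { maxRefs = 1000, maxChars = 1000000 } = {}) {
  if (xml.length > maxChars) {
    return { ok: false, reason: 'input too large', numeric: 0, named: 0 };
  }
  let numeric = 0;
  let named = 0;
  let m;
  ENTITY_REF.lastIndex = 0; // the regex is global and shared between calls
  while ((m = ENTITY_REF.exec(xml)) !== null) {
    if (m[1][0] === '#') numeric++; else named++;
    // Stop at the first reference over budget instead of scanning the rest.
    if (numeric + named > maxRefs) {
      return { ok: false, reason: 'too many entity references', numeric, named };
    }
  }
  return { ok: true, reason: null, numeric, named };
}

// Constructed sample inputs.
const benignXml = '<note title="a &amp; b">&#169; 2026 &lt;ok&gt;</note>';
const floodXml = '<a>' + '&#65;'.repeat(5000) + '</a>';
console.log(checkEntityBudget(benignXml));       // accepted: 1 numeric, 3 named
console.log(checkEntityBudget(floodXml).reason); // rejected before parsing
```

Run the guard on untrusted XML before it reaches the parser, and size maxRefs to the largest document the application legitimately receives.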
4) Input validation error (CVE-ID: CVE-2026-27942)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper input validation in arrToStr in XMLBuilder when processing input with preserveOrder enabled. A remote user can supply specially crafted input to cause a denial of service.
Only applications using the XML builder with preserveOrder set to true are vulnerable.
5) OS Command Injection (CVE-ID: CVE-2025-11953)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation within the Metro Development Server at the "/open-url" endpoint. A remote unauthenticated attacker can send a specially crafted HTTP POST request to the affected endpoint and execute arbitrary OS commands on the target system.
On Windows installations, attackers can also fully control the arguments when executing arbitrary OS commands.
6) Improper Validation of Specified Quantity in Input (CVE-ID: CVE-2026-33349)
CWE-ID: CWE-1284 - Improper Validation of Specified Quantity in Input
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper validation of specified quantity in input in DocTypeReader when parsing XML input with entity processing limits set to 0. A remote attacker can supply a specially crafted XML document with many large entity definitions to cause a denial of service.
Only applications that explicitly set maxEntityCount or maxEntitySize to 0 are affected. The default configuration is not affected, and configurations with entity processing disabled are not affected.
7) Incorrect Regular Expression (CVE-ID: CVE-2026-25896)
CWE-ID: CWE-185 - Incorrect Regular Expression
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N/E:P/U:Green
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficient input validation when processing regular expressions in DOCTYPE entity names. A remote attacker can bypass the XML entity encoding.
8) Interpretation conflict (CVE-ID: CVE-2025-12816)
CWE-ID: CWE-436 - Interpretation Conflict
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass downstream cryptographic verification and security decisions.
The vulnerability exists due to incorrect validation of ASN.1 structures within the asn1.validate() function in forge/lib/asn1.js. A remote non-authenticated attacker can use specially crafted ASN.1 structures to desynchronize DER schema validations and bypass downstream cryptographic verification and security decisions.
9) Integer overflow (CVE-ID: CVE-2025-66030)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to integer overflow within the asn1.derToOid() function in forge/lib/asn1.js when parsing ASN.1 structures containing OIDs with oversized arcs. A remote attacker can construct a specially crafted ASN.1 object to spoof an OID and bypass downstream OID-based security decisions.
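Added example (not part of the bulletin and not code from the forge library): a strict decoder for the content bytes of a DER OBJECT IDENTIFIER that bounds each arc while it is being accumulated, so an oversized arc is rejected instead of wrapping to a smaller number. The name decodeOidStrict and the 32-bit MAX_ARC policy are assumptions chosen for illustration.

```javascript
// Added example: decodeOidStrict and MAX_ARC are hypothetical, not a library API.
// JavaScript bitwise operators work on 32-bit integers, so the accumulator here
// is a BigInt and is compared against an explicit limit after every byte.
const MAX_ARC = 0xffffffffn; // assumed policy: every arc must fit in 32 bits

function decodeOidStrict(bytes) {
  if (bytes.length === 0) throw new RangeError('empty OID');
  const arcs = [];
  let value = 0n;
  let inArc = false;
  for (const b of bytes) {
    // DER requires minimal encoding: an arc may not start with a 0x80 pad byte.
    if (!inArc && b === 0x80) throw new RangeError('non-minimal arc encoding');
    inArc = true;
    value = (value << 7n) | BigInt(b & 0x7f);
    if (value > MAX_ARC) throw new RangeError('OID arc exceeds limit');
    if ((b & 0x80) === 0) { // high bit clear marks the last byte of the arc
      arcs.push(value);
      value = 0n;
      inArc = false;
    }
  }
  if (inArc) throw new RangeError('truncated OID arc');
  // The first subidentifier packs the first two arcs as 40*X + Y, X in {0,1,2}.
  const first = arcs[0];
  const x = first < 40n ? 0n : first < 80n ? 1n : 2n;
  return [x, first - 40n * x, ...arcs.slice(1)].join('.');
}

// Constructed sample: content bytes of the sha256WithRSAEncryption OID.
const sampleOid = Uint8Array.from([0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b]);
console.log(decodeOidStrict(sampleOid)); // 1.2.840.113549.1.1.11
```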
10) Uncontrolled recursion (CVE-ID: CVE-2025-66031)
CWE-ID: CWE-674 - Uncontrolled Recursion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to uncontrolled recursion within the asn1.fromDer() function in forge/lib/asn1.js. A remote non-authenticated attacker can pass specially crafted deep ASN.1 structures to trigger unbounded recursive parsing and perform a denial of service attack.
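Added example (not part of the bulletin and not code from the forge library): an iterative walk over DER tag-length-value headers that measures nesting depth with an explicit stack and rejects input deeper than a limit, usable as a check before untrusted bytes reach a recursive parser. The names readHeader and derMaxDepth and the default limit of 32 are assumptions; multi-byte tags and lengths over four bytes are rejected to keep the example short.

```javascript
// Added example: readHeader/derMaxDepth and the limit are hypothetical names.
function readHeader(buf, pos) {
  if (pos + 2 > buf.length) throw new RangeError('truncated header');
  const tag = buf[pos];
  if ((tag & 0x1f) === 0x1f) throw new RangeError('multi-byte tags not supported');
  let len = buf[pos + 1];
  let off = pos + 2;
  if (len & 0x80) { // long form: low 7 bits give the number of length bytes
    const n = len & 0x7f;
    if (n === 0 || n > 4) throw new RangeError('unsupported length form');
    if (off + n > buf.length) throw new RangeError('truncated length');
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[off++];
  }
  if (off + len > buf.length) throw new RangeError('length exceeds input');
  return { constructed: (tag & 0x20) !== 0, start: off, end: off + len };
}

function derMaxDepth(buf, limit = 32) {
  // Explicit stack: memory use is bounded by `limit`, not by the input.
  const stack = [{ pos: 0, end: buf.length, depth: 1 }];
  let max = 0;
  while (stack.length > 0) {
    const frame = stack[stack.length - 1];
    if (frame.pos >= frame.end) { stack.pop(); continue; }
    if (frame.depth > limit) throw new RangeError('ASN.1 nesting too deep');
    const h = readHeader(buf, frame.pos);
    if (h.end > frame.end) throw new RangeError('child overruns parent');
    frame.pos = h.end; // next sibling at this level
    max = Math.max(max, frame.depth);
    if (h.constructed) {
      stack.push({ pos: h.start, end: h.end, depth: frame.depth + 1 });
    }
  }
  return max;
}

// Constructed sample: SEQUENCE { SEQUENCE { INTEGER 5 } }
const sampleDer = Uint8Array.from([0x30, 0x05, 0x30, 0x03, 0x02, 0x01, 0x05]);
console.log(derMaxDepth(sampleDer)); // 3
```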
11) Inefficient regular expression complexity (CVE-ID: CVE-2026-26996)
CWE-ID: CWE-1333 - Inefficient Regular Expression Complexity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expression within the "minimatch" function. A remote attacker can pass specially crafted data to the application and perform a regular expression denial of service (ReDoS) attack.
Remediation
Install the update from the vendor's website.