SB2026052633 - Multiple vulnerabilities in IBM InfoSphere Optim Archive Viewer
Published: May 26, 2026
Description
This security bulletin contains information about 4 vulnerabilities.
1) Race condition (CVE-ID: CVE-2026-24040)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to a race condition in the addJS method when generating PDFs concurrently. A remote attacker can trigger simultaneous PDF generation requests to disclose sensitive information.
This can cause a PDF generated for one user to contain JavaScript content and embedded sensitive data intended for another user.
2) Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-ID: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject arbitrary XMP metadata into generated PDF documents.
The vulnerability exists due to improper neutralization of special elements in output used by a downstream component in the addMetadata function when processing unsanitized user-supplied metadata input. A remote attacker can supply crafted XML content to inject arbitrary XMP metadata into generated PDF documents.
This can spoof document identity information and undermine the integrity of PDFs that are signed, stored, or otherwise processed afterward.
3) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-24133)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in the BMPDecoder when parsing user-supplied BMP image data or URLs via the addImage or html methods. A remote attacker can provide a specially crafted BMP file with large width or height header values to cause a denial of service.
The issue can trigger out-of-memory errors through excessive memory allocation.
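A defender-side guard for the BMP issue above, added here as an example and not taken from the bulletin or the affected product: it validates the BMP header and bounds the pixel-buffer allocation before any decoding starts. It assumes Node.js `Buffer` input and a 40-byte BITMAPINFOHEADER; the caps are illustrative policy values.

```javascript
// Pre-decode guard for BMP headers: refuse images whose declared geometry would
// drive an unbounded allocation (CWE-770). Caps below are illustrative policy.
const MAX_PIXELS = 50 * 1000 * 1000; // ~50 MP, about 200 MiB of RGBA output
const MAX_DIMENSION = 16384;         // per-axis cap

function checkBmpHeader(buf, maxPixels = MAX_PIXELS, maxDim = MAX_DIMENSION) {
  if (buf.length < 54) return { ok: false, reason: 'truncated header' };
  if (buf.toString('latin1', 0, 2) !== 'BM') return { ok: false, reason: 'bad magic' };
  const dataOffset = buf.readUInt32LE(10);
  const dibSize = buf.readUInt32LE(14);
  if (dibSize < 40) return { ok: false, reason: 'unsupported DIB header' };
  const width = buf.readInt32LE(18);
  const height = buf.readInt32LE(22);   // negative height means a top-down bitmap
  const bpp = buf.readUInt16LE(28);
  const absHeight = Math.abs(height);   // abs(-2^31) is 2^31, still caught by the cap
  if (width <= 0 || absHeight === 0) return { ok: false, reason: 'non-positive dimensions' };
  if (width > maxDim || absHeight > maxDim) return { ok: false, reason: 'dimension exceeds cap' };
  const pixels = width * absHeight;     // both factors <= maxDim, so no overflow
  if (pixels > maxPixels) return { ok: false, reason: 'pixel budget exceeded' };
  // Rows are padded to 4 bytes; a header that promises more pixel data than the
  // file carries is rejected instead of being decoded from out-of-range reads.
  const stride = Math.floor((width * bpp + 31) / 32) * 4;
  if (dataOffset + stride * absHeight > buf.length) {
    return { ok: false, reason: 'pixel data shorter than header claims' };
  }
  return { ok: true, width, height: absHeight, bpp, rgbaBytes: pixels * 4 };
}

// Constructed sample input: a minimal BMP with the given header geometry and
// `payloadBytes` of (zeroed) pixel data after the 54-byte header.
function makeBmp(width, height, bpp = 24, payloadBytes = 0) {
  const buf = Buffer.alloc(54 + payloadBytes);
  buf.write('BM', 0, 'latin1');
  buf.writeUInt32LE(buf.length, 2);  // file size
  buf.writeUInt32LE(54, 10);         // pixel data offset
  buf.writeUInt32LE(40, 14);         // BITMAPINFOHEADER size
  buf.writeInt32LE(width, 18);
  buf.writeInt32LE(height, 22);
  buf.writeUInt16LE(1, 26);          // colour planes
  buf.writeUInt16LE(bpp, 28);
  return buf;
}
```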
4) Improper Encoding or Escaping of Output (CVE-ID: CVE-2026-24737)
CWE-ID: CWE-116 - Improper Encoding or Escaping of Output
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary JavaScript.
The vulnerability exists due to improper encoding or escaping of output in the AcroForm module when processing unsanitized input passed to affected AcroForm methods or properties. A remote attacker can supply crafted input to inject arbitrary PDF objects and execute arbitrary JavaScript.
User interaction is required to open the crafted PDF document.
Remediation
Install the update from the vendor's website.