SB2026060121 - Multiple vulnerabilities in IBM InfoSphere Optim Archive Viewer

Published: June 1, 2026

Security Bulletin ID: SB2026060121
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity: High 67%, Medium 33%

Description

This security bulletin contains information about 3 vulnerabilities.


1) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-25535)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in the addImage and html methods when processing unsanitized GIF image data or URLs. A remote attacker can provide a crafted GIF file with large width or height header values to cause a denial of service.

The issue can trigger out-of-memory errors through excessive memory allocation.
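The defensive check that closes this class of bug is to read the declared dimensions from the GIF header and compare the resulting pixel count against a budget before any buffer is allocated. The following is an added example written for this bulletin; it is not the affected product's or the vendor's code. The pixel budget (MAX_PIXELS) is an assumed deployment limit, the gifHeader() helper only builds constructed 13-byte test headers, and the Uint8ClampedArray stands in for whatever frame buffer a real decoder would create.

```javascript
// Added example (not the affected product's or vendor's code): read the GIF
// logical screen descriptor and refuse to allocate a pixel buffer for images
// whose declared dimensions exceed a configured budget. MAX_PIXELS is an
// assumed deployment limit, not a value from the bulletin.
const MAX_PIXELS = 16 * 1024 * 1024; // 16 megapixels -> 64 MiB of RGBA

// Parse the 13-byte GIF header: 6-byte signature, then width and height as
// little-endian uint16 (Logical Screen Descriptor of the GIF89a spec).
function readGifDimensions(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 13) {
    throw new Error("truncated GIF header");
  }
  const sig = String.fromCharCode(...bytes.subarray(0, 6));
  if (sig !== "GIF87a" && sig !== "GIF89a") {
    throw new Error("not a GIF signature: " + JSON.stringify(sig));
  }
  const width = bytes[6] | (bytes[7] << 8);
  const height = bytes[8] | (bytes[9] << 8);
  return { width, height };
}

// Decide before allocating. Returns a verdict object instead of throwing so a
// caller (or a log pipeline) can record why an image was refused.
function checkGifAllocation(bytes, maxPixels = MAX_PIXELS) {
  const { width, height } = readGifDimensions(bytes);
  const pixels = width * height; // at most 65535^2, exact in a JS double
  if (width === 0 || height === 0) {
    return { ok: false, reason: "zero dimension", width, height, pixels };
  }
  if (pixels > maxPixels) {
    return { ok: false, reason: "declared size exceeds pixel budget", width, height, pixels };
  }
  return { ok: true, reason: "within budget", width, height, pixels, bytesNeeded: pixels * 4 };
}

// Only after the check passes does the decoder touch memory. The array is a
// stand-in for the canvas/frame buffer a real decoder would create.
function allocateGifFrame(bytes, maxPixels = MAX_PIXELS) {
  const verdict = checkGifAllocation(bytes, maxPixels);
  if (!verdict.ok) {
    throw new RangeError(`rejected GIF ${verdict.width}x${verdict.height}: ${verdict.reason}`);
  }
  return new Uint8ClampedArray(verdict.bytesNeeded);
}

// Constructed test input: a minimal header with the given dimensions and no
// image data, used here only to exercise the validator.
function gifHeader(width, height) {
  const b = new Uint8Array(13);
  b.set([0x47, 0x49, 0x46, 0x38, 0x39, 0x61]); // "GIF89a"
  b[6] = width & 0xff; b[7] = (width >> 8) & 0xff;
  b[8] = height & 0xff; b[9] = (height >> 8) & 0xff;
  return b; // bytes 10-12 (packed flags, background index, aspect) stay zero
}

console.log(checkGifAllocation(gifHeader(640, 480)));     // ok: true, 307200 px
console.log(checkGifAllocation(gifHeader(65535, 65535))); // ok: false, over budget
```

The check is deliberately separated from the allocation so the same verdict can feed both the decoder and a rejection log; an image that is refused never reaches the allocator, and a header that claims 65535x65535 pixels is turned away at 13 bytes of input.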


2) Code Injection (CVE-ID: CVE-2026-25755)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to inject arbitrary PDF objects into the generated document.

The vulnerability exists due to improper control of code generation in the addJS method when processing user-supplied JavaScript input. A remote attacker can supply a crafted addJS argument to inject arbitrary PDF objects into the generated document.

User interaction is required to open the generated PDF, and injected additional actions may execute when the document is opened or receives focus.


3) Improper Encoding or Escaping of Output (CVE-ID: CVE-2026-25940)

CWE-ID: CWE-116 - Improper Encoding or Escaping of Output

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary JavaScript.

The vulnerability exists due to improper encoding or escaping of output in the AcroForm module when processing unsanitized input for the AcroformChildClass.appearanceState property. A remote attacker can supply a specially crafted property value to execute arbitrary JavaScript.

User interaction is required when the victim hovers over the radio option in the generated PDF.
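Vulnerabilities 2 and 3 share one root cause: untrusted text is written into PDF syntax without being encoded, so a value containing a delimiter can end the enclosing string or name early and be followed by attacker-chosen objects. The block below is an added example written for this bulletin, not the affected product's or vendor's code. It shows the missing encoding step for both cases: the JavaScript passed to an action is serialized as an escaped PDF string, and the appearance-state value is serialized as a PDF name. buildJavaScriptAction() and buildAppearanceState() are assumed helper names for illustration, and the assumption that the appearance state is emitted as a name object (/AS) follows the PDF specification rather than the product's internals.

```javascript
// Added example, not the affected product's or vendor's code. Untrusted text
// is serialized as a properly escaped PDF string or PDF name before it is
// written into a JavaScript action or an appearance-state entry, so it can
// never close the enclosing object and smuggle in extra dictionary entries.

// PDF literal string (PDF 32000-1:2008, 7.3.4.2): escape the delimiters and
// the backslash, and write control bytes as 3-digit octal escapes.
function escapePdfLiteralString(value) {
  let out = "(";
  for (const ch of String(value)) {
    const code = ch.codePointAt(0);
    if (code > 0xff) throw new RangeError("use pdfString() for non-Latin-1 text");
    if (ch === "\\" || ch === "(" || ch === ")") out += "\\" + ch;
    else if (ch === "\r") out += "\\r";
    else if (ch === "\n") out += "\\n";
    else if (code < 0x20 || code === 0x7f) out += "\\" + code.toString(8).padStart(3, "0");
    else out += ch;
  }
  return out + ")";
}

// PDF hex string with a UTF-16BE byte-order mark, for text outside Latin-1.
// Hex strings contain only [0-9A-F], so nothing inside can act as a delimiter.
function toPdfHexStringUtf16(value) {
  let hex = "FEFF";
  for (let i = 0; i < value.length; i++) {
    hex += value.charCodeAt(i).toString(16).toUpperCase().padStart(4, "0");
  }
  return "<" + hex + ">";
}

// Pick the representation by content; both are safe to embed verbatim.
function pdfString(value) {
  const s = String(value);
  return /[^\u0000-\u00ff]/.test(s) ? toPdfHexStringUtf16(s) : escapePdfLiteralString(s);
}

// PDF name (7.3.5): every byte outside 0x21-0x7E, plus delimiters and '#',
// becomes #xx. An encoded name can therefore never contain a space, '/',
// or '>>', which is what keeps a /AS value from turning into a new entry.
function encodePdfName(value) {
  const bytes = new TextEncoder().encode(String(value)); // names are UTF-8 byte strings
  if (bytes.length === 0) throw new Error("PDF names must not be empty");
  let out = "/";
  for (const b of bytes) {
    const ch = String.fromCharCode(b);
    if (b < 0x21 || b > 0x7e || "()<>[]{}/%#".includes(ch)) {
      out += "#" + b.toString(16).toUpperCase().padStart(2, "0");
    } else {
      out += ch;
    }
  }
  return out;
}

// Assumed serializers for the two places the bulletin names: a document-level
// JavaScript action and a widget's appearance state (/AS).
function buildJavaScriptAction(script) {
  return "<< /S /JavaScript /JS " + pdfString(script) + " >>";
}
function buildAppearanceState(state) {
  return "/AS " + encodePdfName(state);
}

console.log(buildJavaScriptAction("app.alert(1)"));   // parens escaped inside the string
console.log(buildAppearanceState("On Hover/x"));      // space and slash become #20 and #2F
```

The point to check in a code review is that every value reaching the PDF writer goes through exactly one of these encoders: a closing parenthesis in a string becomes `\)`, a control character becomes an octal escape, and a delimiter in a name becomes `#xx`, so the generated object ends where the generator intended and not where the input says.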


Remediation

Install the update from the vendor's website.