SB2026060809 - Multiple vulnerabilities in IBM Decision Optimization for Cloud Pak for Data
Published: June 8, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 8 vulnerabilities.
1) Prototype pollution (CVE-ID: CVE-2026-2950)
CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes (\'Prototype Pollution\')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to modify object prototype attributes.
The vulnerability exists due to improper control of object prototype modification in _.unset and _.omit when processing array-wrapped path segments. A remote attacker can pass crafted path segments to modify object prototype attributes.
The bypass affects checks that only guard against string key members. The issue permits deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype, but does not allow overwriting their original behavior.
2) Prototype pollution (CVE-ID: CVE-2025-13465)
CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes (\'Prototype Pollution\')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to alter application's behavior.
The vulnerability exists due to improper input validation within the in the _.unset and _.omit functions. A remote attacker can pass specially crafted input to the application and delete methods from global prototypes.
3) Code Injection (CVE-ID: CVE-2026-4800)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper control of code generation in _.template when processing untrusted options.imports key names. A remote attacker can supply crafted imports key names to execute arbitrary code.
Code execution occurs at template compilation time. If Object.prototype has been polluted by another vector, inherited polluted keys can also be copied into the imports object and passed to Function().
4) Command Injection (CVE-ID: CVE-2021-23337)
CWE-ID: CWE-77 - Command injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation when processing templates. A remote privileged user can inject and execute arbitrary commands on the system.
5) XML injection (CVE-ID: CVE-2026-34601)
CWE-ID: CWE-91 - XML Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject XML markup into serialized output.
The vulnerability exists due to improper neutralization of special elements in XMLSerializer CDATA serialization when serializing attacker-controlled CDATA content containing the CDATA terminator. A remote attacker can supply a crafted string that includes ]]> to inject XML markup into serialized output.
Applications are affected when they embed untrusted input inside CDATA sections in generated XML documents, and mutation methods such as appendData(), replaceData(), direct .data assignment, or .textContent assignment can also introduce the unsafe content.
6) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-33871)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to allocation of resources without limits or throttling in the "DefaultHttp2FrameReader" function within HTTP/2 server. A remote attacker can send a flood of CONTINUATION frames and cause a denial of service condition on the target system.
7) Inefficient regular expression complexity (CVE-ID: CVE-2026-4867)
CWE-ID: CWE-1333 - Inefficient Regular Expression Complexity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
8) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-33870)
CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests within chunked transfer encoding extension values. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Remediation
Install update from vendor's website.