SB2026062913 - Multiple vulnerabilities in IBM InfoSphere Information Server
Published: June 29, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Prototype pollution (CVE-ID: CVE-2026-29063)
CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes (\'Prototype Pollution\')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to modify object prototype attributes in affected JavaScript objects.
The vulnerability exists due to improper input validation in the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() functions when processing user-supplied input containing __proto__ properties. A remote attacker can send a specially crafted object input to pollute the prototype of base objects, leading to unauthorized property injection and potential privilege escalation.
Prototype pollution occurs without affecting the global Object.prototype, but injected properties can still be accessed through object property lookups even if not visible via Object.keys().
2) Use of hard-coded cryptographic key (CVE-ID: CVE-2025-14923)
CWE-ID: CWE-321 - Use of Hard-coded Cryptographic Key
CVSSv4: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to IBM WebSphere Application Server Liberty could provide weaker than expected security when using the Security Utility when administering security settings. A local user can gain unauthorized access to sensitive information on the system.
3) Improper privilege management (CVE-ID: CVE-2026-3621)
CWE-ID: CWE-269 - Improper Privilege Management
CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to escalate privileges.
The vulnerability occurs when an application is deployed without authentication and authorization configured. A remote user can escalate privileges.
Remediation
Install update from vendor's website.