SB2026071341 - Multiple vulnerabilities in IBM Transformation Advisor



SB2026071341 - Multiple vulnerabilities in IBM Transformation Advisor

Published: July 13, 2026

Security Bulletin ID SB2026071341
CSH Severity
High
Patch available
YES
Number of vulnerabilities 13
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 8% Medium 38% Low 54%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 13 vulnerabilities.


1) Improper privilege management (CVE-ID: CVE-2026-3621)

CWE-ID: CWE-269 - Improper Privilege Management

CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to escalate privileges.

The vulnerability occurs when an application is deployed without authentication and authorization configured. A remote user can escalate privileges.


2) Improper input validation (CVE-ID: CVE-2026-34268)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Security component in Oracle GraalVM Enterprise Edition. A local non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.


3) Input validation error (CVE-ID: CVE-2026-40181)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to redirect users to an external domain.

The vulnerability exists due to improper input validation in the redirect function when processing URLs with a path starting with // that is reinterpreted as a protocol-relative URL. A remote attacker can supply a crafted URL to redirect users to an external domain.

This does not affect applications using declarative mode.


4) Use of uninitialized resource (CVE-ID: CVE-2026-45736)

CWE-ID: CWE-908 - Use of Uninitialized Resource

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to use of uninitialized resource in websocket.close() when processing a TypedArray passed as the reason argument. A remote privileged user can pass a crafted TypedArray as the close reason to disclose sensitive information.

The issue is only exploitable through misuse that is unlikely in practice.


5) Out-of-bounds write (CVE-ID: CVE-2026-41907)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to accepting external output buffers, but not rejecting out-of-range writes (small buf or large offset). A remote attacker can create a specially crafted file, trick the victim into opening it using the affected software, trigger an out-of-bounds write and execute arbitrary code on the target system.


6) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-41988)

CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation

CVSSv4: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a local user to modify data on the system.

The vulnerability exists due to uuid can make unexpected writes when external output buffers are used. A local user can gain unauthorized access to modify data on the system.


7) NULL pointer dereference (CVE-ID: CVE-2026-8723)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to null pointer dereference in qs.stringify when processing arrays with comma format and encodeValuesOnly enabled. A remote attacker can supply input containing null or undefined array elements to cause a denial of service.

In typical Node.js HTTP frameworks, the synchronous exception usually causes the affected request to return an error rather than terminating the worker process. The vulnerable input is reachable from JSON request bodies or from application code constructing arrays from user input.


8) Security features bypass (CVE-ID: CVE-2026-5516)

CWE-ID: CWE-254 - Security Features

CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote privileged attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote privileged attacker can gain unauthorized access to sensitive information on the system.


9) Improper input validation (CVE-ID: CVE-2026-22007)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Security component in Oracle GraalVM Enterprise Edition. A local non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.


10) Improper input validation (CVE-ID: CVE-2026-22016)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the JAXP component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.


11) Improper input validation (CVE-ID: CVE-2026-22021)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the JSSE component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.


12) Improper input validation (CVE-ID: CVE-2026-22013)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the JGSS component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.


13) Improper input validation (CVE-ID: CVE-2026-22018)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Libraries component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.


Remediation

Install update from vendor's website.