SB2026071420 - Multiple vulnerabilities in IBM Fusion, IBM Fusion HCI and IBM Fusion Data Cataloging



SB2026071420 - Multiple vulnerabilities in IBM Fusion, IBM Fusion HCI and IBM Fusion Data Cataloging

Published: July 14, 2026

Security Bulletin ID SB2026071420
CSH Severity
High
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 25% Low 75%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 vulnerabilities.


1) Code Injection (CVE-ID: CVE-2026-21884)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation within API in Framework Mode when using the getKey/storageKey props during server-side rendering. A remote attacker can pass specially crafted request and execute arbitrary JavaScript code during SSR if untrusted content is used to generate the keys.

Successful exploitation of this vulnerability requires that server-side rendering in Framework Mode is enabled.


2) Cross-site scripting (CVE-ID: CVE-2026-22029)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


3) Cross-site request forgery (CVE-ID: CVE-2026-22030)

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to origin validation error in action and server action request processing when handling document POST requests to UI routes. A remote attacker can cause the victim's browser to send a crafted cross-site request to perform cross-site request forgery attacks.

The issue affects applications using server-side route action handlers in framework mode or React Server Actions in unstable RSC modes. Declarative mode and data mode are not affected.


4) Input validation error (CVE-ID: CVE-2025-68470)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to redirect the application to an external URL.

The vulnerability exists due to improper input validation in navigation path handling when processing attacker-supplied paths passed to navigate(), Link, or redirect(). A remote user can supply a crafted path to redirect the application to an external URL.

This issue only occurs when untrusted content is passed into navigation paths in application code.


Remediation

Install update from vendor's website.