SB2026071420 - Multiple vulnerabilities in IBM Fusion, IBM Fusion HCI and IBM Fusion Data Cataloging
Published: July 14, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 vulnerabilities.
1) Code Injection (CVE-ID: CVE-2026-21884)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation within API in Framework Mode when using the getKey/storageKey props during server-side rendering. A remote attacker can pass specially crafted request and execute arbitrary JavaScript code during SSR if untrusted content is used to generate the keys.
Successful exploitation of this vulnerability requires that server-side rendering in Framework Mode is enabled.
2) Cross-site scripting (CVE-ID: CVE-2026-22029)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
3) Cross-site request forgery (CVE-ID: CVE-2026-22030)
CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to origin validation error in action and server action request processing when handling document POST requests to UI routes. A remote attacker can cause the victim's browser to send a crafted cross-site request to perform cross-site request forgery attacks.
The issue affects applications using server-side route action handlers in framework mode or React Server Actions in unstable RSC modes. Declarative mode and data mode are not affected.
4) Input validation error (CVE-ID: CVE-2025-68470)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to redirect the application to an external URL.
The vulnerability exists due to improper input validation in navigation path handling when processing attacker-supplied paths passed to navigate(), Link, or redirect(). A remote user can supply a crafted path to redirect the application to an external URL.
This issue only occurs when untrusted content is passed into navigation paths in application code.
Remediation
Install update from vendor's website.