Common Weakness Enumeration

CWE-1284

Improper Validation of Specified Quantity in Input

The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

CVE-2025-2826 (GCVE-0-2025-2826)

Vulnerability from cvelistv5 – Published: 2025-05-27 22:22 – Updated: 2025-05-28 13:34
Title
On affected platforms running Arista EOS, ACL policies may not be enforced. IPv4 ingress ACL, MAC ingress ACL, or IPv6 standard ingress ACL enabled on one or more ethernet or LAG interfaces may result in ACL policies not being enforced for ingress packets.
Summary
On affected platforms running Arista EOS, ACL policies may not be enforced. IPv4 ingress ACL, MAC ingress ACL, or IPv6 standard ingress ACL enabled on one or more ethernet or LAG interfaces may result in ACL policies not being enforced for ingress packets. This can cause incoming packets to incorrectly be allowed or denied. The two symptoms of this issue on the affected release and platform are:
  • Packets which should be permitted may be dropped, and
  • Packets which should be dropped may be permitted.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1284 - Improper Validation of Specified Quantity in Input
Assigner
Impacted products
Vendor | Product | Version
Arista Networks | EOS | Affected: 4.33.2F (custom)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-2826",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-28T13:33:59.901353Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-28T13:34:08.151Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "EOS"
          ],
          "product": "EOS",
          "vendor": "Arista Networks",
          "versions": [
            {
              "status": "affected",
              "version": "4.33.2F",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIn order to be vulnerable to CVE-2025-2826, the following condition must be met: IPv4 ingress ACL, MAC ingress ACL, or IPv6 standard ingress ACL must be configured and active on more than one Ethernet interfaces or one or more LAG interfaces. The output of CLI show commands will look similar to the following:\u003c/p\u003e\u003cpre\u003eswitch\u0026gt; show ip access-lists summary\nPhone ACL bypass: disabled\nIPV4 ACL default-control-plane-acl [readonly]\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Total rules configured: 27\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Configured on Ingress: control-plane(default VRF)\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Active on \u0026nbsp; \u0026nbsp; Ingress: control-plane(default VRF)\n \n\u003cspan style=\"background-color: rgb(255, 255, 0);\"\u003eIPV4 ACL ipv4ACL\u003c/span\u003e\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Total rules configured: 2\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Configured on Ingress: Et18/1\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u003cspan style=\"background-color: rgb(255, 255, 0);\"\u003eActive on \u0026nbsp; \u0026nbsp; Ingress:\u003c/span\u003e Et18/1\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eor\u003c/p\u003e\u003cpre\u003eswitch\u0026gt;show mac access-lists summary\n\u003cspan style=\"background-color: rgb(255, 255, 0);\"\u003eMAC ACL macAcl\u003c/span\u003e\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Total rules configured: 2\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Configured on Ingress: Et18/1\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u003cspan style=\"background-color: rgb(255, 255, 0);\"\u003eActive on \u0026nbsp; \u0026nbsp; Ingress:\u003c/span\u003e Et18/1\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eor\u003c/p\u003e\u003cpre\u003eswitch\u0026gt;show ipv6 access-lists summary\nPhone ACL bypass: disabled\nIPV6 ACL 
default-control-plane-acl [readonly]\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Total rules configured: 27\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Configured on Ingress: control-plane(default VRF)\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Active on \u0026nbsp; \u0026nbsp; Ingress: control-plane(default VRF)\n \n\u003cspan style=\"background-color: rgb(255, 255, 0);\"\u003eStandard IPV6 ACL ipv6StandardACL\u003c/span\u003e\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Total rules configured: 2\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Configured on Ingress: Et21/1\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u003cspan style=\"background-color: rgb(255, 255, 0);\"\u003eActive on \u0026nbsp; \u0026nbsp; Ingress:\u003c/span\u003e Et21/1\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eIf IPv4 Ingress ACL or MAC Ingress ACL or IPv6 standard Ingress ACL are not configured or are not active on any Ethernet interface or LAG interfaces there is no exposure to this issue and the CLI show command output have no active interfaces\u02dc listed, similar to the following:\u003c/p\u003e\u003cpre\u003eswitch\u0026gt; show ip access-lists summary\nPhone ACL bypass: disabled\nIPV4 ACL default-control-plane-acl [readonly]\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Total rules configured: 27\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Configured on Ingress: control-plane(default VRF)\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Active on \u0026nbsp; \u0026nbsp; Ingress: control-plane(default VRF)\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eor\u003c/p\u003e\u003cpre\u003eswitch\u0026gt;show mac access-lists summary\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eor\u003c/p\u003e\u003cpre\u003eswitch\u0026gt;show ipv6 access-lists summary\nPhone ACL bypass: disabled\nIPV6 ACL default-control-plane-acl [readonly]\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; 
Total rules configured: 27\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Configured on Ingress: control-plane(default VRF)\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Active on \u0026nbsp; \u0026nbsp; Ingress: control-plane(default VRF)\n\u003c/pre\u003e\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "In order to be vulnerable to CVE-2025-2826, the following condition must be met: IPv4 ingress ACL, MAC ingress ACL, or IPv6 standard ingress ACL must be configured and active on more than one Ethernet interfaces or one or more LAG interfaces. The output of CLI show commands will look similar to the following:\n\nswitch\u003e show ip access-lists summary\nPhone ACL bypass: disabled\nIPV4 ACL default-control-plane-acl [readonly]\n\u00a0 \u00a0 \u00a0 \u00a0 Total rules configured: 27\n\u00a0 \u00a0 \u00a0 \u00a0 Configured on Ingress: control-plane(default VRF)\n\u00a0 \u00a0 \u00a0 \u00a0 Active on \u00a0 \u00a0 Ingress: control-plane(default VRF)\n \nIPV4 ACL ipv4ACL\n\u00a0 \u00a0 \u00a0 \u00a0 Total rules configured: 2\n\u00a0 \u00a0 \u00a0 \u00a0 Configured on Ingress: Et18/1\n\u00a0 \u00a0 \u00a0 \u00a0 Active on \u00a0 \u00a0 Ingress: Et18/1\n\n\n\u00a0\n\nor\n\nswitch\u003eshow mac access-lists summary\nMAC ACL macAcl\n\u00a0 \u00a0 \u00a0 \u00a0 Total rules configured: 2\n\u00a0 \u00a0 \u00a0 \u00a0 Configured on Ingress: Et18/1\n\u00a0 \u00a0 \u00a0 \u00a0 Active on \u00a0 \u00a0 Ingress: Et18/1\n\n\n\u00a0\n\nor\n\nswitch\u003eshow ipv6 access-lists summary\nPhone ACL bypass: disabled\nIPV6 ACL default-control-plane-acl [readonly]\n\u00a0 \u00a0 \u00a0 \u00a0 Total rules configured: 27\n\u00a0 \u00a0 \u00a0 \u00a0 Configured on Ingress: control-plane(default VRF)\n\u00a0 \u00a0 \u00a0 \u00a0 Active on \u00a0 \u00a0 Ingress: control-plane(default VRF)\n \nStandard IPV6 ACL ipv6StandardACL\n\u00a0 \u00a0 \u00a0 \u00a0 Total rules configured: 2\n\u00a0 \u00a0 \u00a0 \u00a0 Configured on Ingress: Et21/1\n\u00a0 \u00a0 \u00a0 \u00a0 Active on \u00a0 \u00a0 Ingress: Et21/1\n\n\n\u00a0\n\nIf IPv4 Ingress ACL or MAC Ingress ACL or IPv6 standard Ingress ACL are not configured or are not active on any Ethernet interface or LAG interfaces there is no exposure to this issue and the CLI show command output have no active interfaces\u02dc listed, 
similar to the following:\n\nswitch\u003e show ip access-lists summary\nPhone ACL bypass: disabled\nIPV4 ACL default-control-plane-acl [readonly]\n\u00a0 \u00a0 \u00a0 \u00a0 Total rules configured: 27\n\u00a0 \u00a0 \u00a0 \u00a0 Configured on Ingress: control-plane(default VRF)\n\u00a0 \u00a0 \u00a0 \u00a0 Active on \u00a0 \u00a0 Ingress: control-plane(default VRF)\n\n\n\u00a0\n\nor\n\nswitch\u003eshow mac access-lists summary\n\n\n\u00a0\n\nor\n\nswitch\u003eshow ipv6 access-lists summary\nPhone ACL bypass: disabled\nIPV6 ACL default-control-plane-acl [readonly]\n\u00a0 \u00a0 \u00a0 \u00a0 Total rules configured: 27\n\u00a0 \u00a0 \u00a0 \u00a0 Configured on Ingress: control-plane(default VRF)\n\u00a0 \u00a0 \u00a0 \u00a0 Active on \u00a0 \u00a0 Ingress: control-plane(default VRF)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003en affected platforms running Arista EOS, ACL policies may not be enforced. IPv4 ingress ACL, MAC ingress ACL, or IPv6 standard ingress ACL enabled on one or more ethernet or LAG interfaces may result in ACL policies not being enforced for ingress packets. This can cause incoming packets to incorrectly be allowed or denied. The two symptoms of this issue on the affected release and platform are:\u003c/p\u003e\u003col\u003e\u003cli\u003ePackets which should be permitted may be dropped and,\u003c/li\u003e\u003cli\u003ePackets which should be dropped may be permitted.\u003c/li\u003e\u003c/ol\u003e\u003cbr\u003e"
            }
          ],
          "value": "n affected platforms running Arista EOS, ACL policies may not be enforced. IPv4 ingress ACL, MAC ingress ACL, or IPv6 standard ingress ACL enabled on one or more ethernet or LAG interfaces may result in ACL policies not being enforced for ingress packets. This can cause incoming packets to incorrectly be allowed or denied. The two symptoms of this issue on the affected release and platform are:\n\n  *  Packets which should be permitted may be dropped and,\n  *  Packets which should be dropped may be permitted."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-1",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 2.6,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1284",
              "description": "CWE-1284 Improper Validation of Specified Quantity in Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-27T22:22:51.717Z",
        "orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
        "shortName": "Arista"
      },
      "references": [
        {
          "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/21414-security-advisory-0120"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\"\u003eEOS User Manual: Upgrades and Downgrades\u003c/a\u003e\u003c/p\u003e\u003cp\u003eCVE-2025-2826 has been fixed in the following releases:\u003c/p\u003e\u003cul\u003e\u003cli\u003e4.33.2.1F, 4.33.3F and later releases in the 4.33.x train\u003c/li\u003e\u003c/ul\u003e"
            }
          ],
          "value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see  EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \n\nCVE-2025-2826 has been fixed in the following releases:\n\n  *  4.33.2.1F, 4.33.3F and later releases in the 4.33.x train"
        }
      ],
      "source": {
        "advisory": "SA120",
        "defect": [
          "BUG 795398"
        ],
        "discovery": "INTERNAL"
      },
      "title": "n affected platforms running Arista EOS, ACL policies may not be enforced. IPv4 ingress ACL, MAC ingress ACL, or IPv6 standard ingress ACL enabled on one or more ethernet or LAG interfaces may result in ACL policies not being enforced for ingress packets.",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNo workaround is available. Ingress ACLs may be applied as egress, if resources permit and the policy is applicable.\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "No workaround is available. Ingress ACLs may be applied as egress, if resources permit and the policy is applicable."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
    "assignerShortName": "Arista",
    "cveId": "CVE-2025-2826",
    "datePublished": "2025-05-27T22:22:51.717Z",
    "dateReserved": "2025-03-26T16:02:22.894Z",
    "dateUpdated": "2025-05-28T13:34:08.151Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-29784 (GCVE-0-2025-29784)

Vulnerability from cvelistv5 – Published: 2025-04-18 15:50 – Updated: 2025-04-18 16:05
Title
NamelessMC Has Lack of Length Validation for s Parameter in GET Requests
Summary
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, the s parameter in GET requests for forum search functionality lacks length validation, allowing attackers to submit excessively long search queries. This oversight can lead to performance degradation and potential denial-of-service (DoS) attacks. This issue has been patched in version 2.2.0.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-130 - Improper Handling of Length Parameter Inconsistency
  • CWE-20 - Improper Input Validation
  • CWE-1284 - Improper Validation of Specified Quantity in Input
Assigner
Impacted products
Vendor | Product | Version
NamelessMC | Nameless | Affected: < 2.2.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-29784",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-18T16:05:26.830187Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-18T16:05:30.640Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-4hrq-rf96-c2jm"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Nameless",
          "vendor": "NamelessMC",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "NamelessMC is a free, easy to use \u0026 powerful website software for Minecraft servers. In version 2.1.4 and prior, the s parameter in GET requests for forum search functionality lacks length validation, allowing attackers to submit excessively long search queries. This oversight can lead to performance degradation and potential denial-of-service (DoS) attacks. This issue has been patched in version 2.2.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-130",
              "description": "CWE-130: Improper Handling of Length Parameter Inconsistency",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1284",
              "description": "CWE-1284: Improper Validation of Specified Quantity in Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-18T15:50:17.656Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-4hrq-rf96-c2jm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-4hrq-rf96-c2jm"
        },
        {
          "name": "https://github.com/NamelessMC/Nameless/commit/f5341e56930a98978171e0a871d60f19ab30ebdd",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/NamelessMC/Nameless/commit/f5341e56930a98978171e0a871d60f19ab30ebdd"
        },
        {
          "name": "https://github.com/NamelessMC/Nameless/releases/tag/v2.2.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/NamelessMC/Nameless/releases/tag/v2.2.0"
        }
      ],
      "source": {
        "advisory": "GHSA-4hrq-rf96-c2jm",
        "discovery": "UNKNOWN"
      },
      "title": "NamelessMC Has Lack of Length Validation for s Parameter in GET Requests"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-29784",
    "datePublished": "2025-04-18T15:50:17.656Z",
    "dateReserved": "2025-03-11T14:23:00.475Z",
    "dateUpdated": "2025-04-18T16:05:30.640Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-32415 (GCVE-0-2025-32415)

Vulnerability from cvelistv5 – Published: 2025-04-17 00:00 – Updated: 2025-11-03 19:53
Summary
In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1284 - Improper Validation of Specified Quantity in Input
Assigner
Impacted products
Vendor | Product | Version
xmlsoft | libxml2 | Affected: 0, < 2.13.8 (semver)
xmlsoft | libxml2 | Affected: 2.14.0, < 2.14.2 (semver)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-32415",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-17T18:38:26.252207Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-17T18:38:30.600Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/890"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:53:26.647Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00041.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "libxml2",
          "vendor": "xmlsoft",
          "versions": [
            {
              "lessThan": "2.13.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.14.2",
              "status": "affected",
              "version": "2.14.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.13.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.14.2",
                  "versionStartIncluding": "2.14.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 2.9,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1284",
              "description": "CWE-1284 Improper Validation of Specified Quantity in Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-17T17:21:08.467Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/890"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-32415",
    "datePublished": "2025-04-17T00:00:00.000Z",
    "dateReserved": "2025-04-08T00:00:00.000Z",
    "dateUpdated": "2025-11-03T19:53:26.647Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-32689 (GCVE-0-2025-32689)

Vulnerability from cvelistv5 – Published: 2025-09-09 16:25 – Updated: 2026-04-29 09:51
Title
WordPress Download Manager and Payment Form plugin <= 2.8.2 - Price Manipulation vulnerability
Summary
Improper Validation of Specified Quantity in Input vulnerability in Convers Lab WP SmartPay smartpay. This issue affects WP SmartPay: from n/a through <= 2.8.2.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1284 - Improper Validation of Specified Quantity in Input
Assigner
References
Impacted products
Vendor | Product | Version
Convers Lab | WP SmartPay | Affected: 0, ≤ 2.8.2 (custom)
Date Public
2026-04-01 16:39
Credits
Abdi Pranata | Patchstack Bug Bounty Program

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-32689",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-09T17:49:31.579389Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-09T18:41:06.167Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "smartpay",
          "product": "WP SmartPay",
          "vendor": "Convers Lab",
          "versions": [
            {
              "lessThanOrEqual": "2.8.2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Abdi Pranata | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:39:01.128Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Validation of Specified Quantity in Input vulnerability in Convers Lab WP SmartPay smartpay.\u003cp\u003eThis issue affects WP SmartPay: from n/a through \u003c= 2.8.2.\u003c/p\u003e"
            }
          ],
          "value": "Improper Validation of Specified Quantity in Input vulnerability in Convers Lab WP SmartPay smartpay.This issue affects WP SmartPay: from n/a through \u003c= 2.8.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1284",
              "description": "Improper Validation of Specified Quantity in Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-29T09:51:54.931Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/smartpay/vulnerability/wordpress-download-manager-and-payment-form-2-7-12-other-vulnerability-type-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress Download Manager and Payment Form plugin \u003c= 2.8.2 - Price Manipulation vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-32689",
    "datePublished": "2025-09-09T16:25:31.773Z",
    "dateReserved": "2025-04-09T11:21:30.217Z",
    "dateUpdated": "2026-04-29T09:51:54.931Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-33211 (GCVE-0-2025-33211)

Vulnerability from cvelistv5 – Published: 2025-12-03 18:16 – Updated: 2025-12-03 19:22
Summary
NVIDIA Triton Server for Linux contains a vulnerability where an attacker may cause an improper validation of specified quantity in input. A successful exploit of this vulnerability may lead to denial of service.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1284 - Improper Validation of Specified Quantity in Input
Assigner
Impacted products
Vendor Product Version
NVIDIA Triton Inference Server Affected: All versions prior to r25.10

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-33211",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-03T19:22:20.018542Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-03T19:22:29.462Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Linux"
          ],
          "product": "Triton Inference Server",
          "vendor": "NVIDIA",
          "versions": [
            {
              "status": "affected",
              "version": "All versions prior to r25.10"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": true,
              "type": "text/html",
              "value": "NVIDIA Triton Server for Linux contains a vulnerability where an attacker may cause an improper validation of specified quantity in input. A successful exploit of this vulnerability may lead to denial of service."
            }
          ],
          "value": "NVIDIA Triton Server for Linux contains a vulnerability where an attacker may cause an improper validation of specified quantity in input. A successful exploit of this vulnerability may lead to denial of service."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "Denial of Service"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1284",
              "description": "CWE-1284 Improper Validation of Specified Quantity in Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-03T18:16:14.227Z",
        "orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6",
        "shortName": "nvidia"
      },
      "references": [
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33211"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-33211"
        },
        {
          "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5734"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "NVIDIA PSIRT"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6",
    "assignerShortName": "nvidia",
    "cveId": "CVE-2025-33211",
    "datePublished": "2025-12-03T18:16:14.227Z",
    "dateReserved": "2025-04-15T18:51:06.123Z",
    "dateUpdated": "2025-12-03T19:22:29.462Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-3511 (GCVE-0-2025-3511)

Vulnerability from cvelistv5 – Published: 2025-04-25 05:14 – Updated: 2026-04-24 07:13
Summary
Improper Validation of Specified Quantity in Input vulnerability in Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module, CC-Link IE TSN Analog-Digital Converter module, CC-Link IE TSN Digital-Analog Converter module, CC-Link IE TSN FPGA module, CC-Link IE TSN Remote Station Communication LSI CP620 with GbE-PHY, MELSEC iQ-R Series CC-Link IE TSN Master/Local Module, MELSEC iQ-R Series Ethernet Interface Module, CC-Link IE TSN Master/Local Station Communication LSI CP610, MELSEC iQ-F Series FX5 CC-Link IE TSN Master/Local Module, MELSEC iQ-F Series FX5 Ethernet Module, and MELSEC iQ-F Series FX5-ENET/IP Ethernet Module allows a remote unauthenticated attacker to cause a Denial of Service condition in the products by sending specially crafted UDP packets.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1284 - Improper Validation of Specified Quantity in Input
Assigner
References
Impacted products
Vendor Product Version
Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module NZ2GN2S1-32D Affected: 09 and prior
Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module NZ2GN2S1-32T Affected: 09 and prior
Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module NZ2GN2S1-32TE Affected: 09 and prior
Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module NZ2GN2S1-32DT Affected: 09 and prior
Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module NZ2GN2S1-32DTE Affected: 09 and prior
Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module NZ2GN2B1-32D Affected: 09 and prior
Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module NZ2GN2B1-32T Affected: 09 and prior
Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module NZ2GN2B1-32TE Affected: 09 and prior
Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module NZ2GN2B1-32DT Affected: 09 and prior
Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module NZ2GN2B1-32DTE Affected: 09 and prior
Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module NZ2GNCF1-32D Affected: 09 and prior
Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module NZ2GNCF1-32T Affected: 09 and prior
Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module NZ2GNCE3-32D Affected: 09 and prior
Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module NZ2GNCE3-32DT Affected: 09 and prior
Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module NZ2GN12A4-16D Affected: 09 and prior
Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module NZ2GN12A4-16DE Affected: 09 and prior
Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module NZ2GN12A2-16T Affected: 09 and prior
Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module NZ2GN12A2-16TE Affected: 09 and prior
Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module NZ2GN12A42-16DT Affected: 09 and prior
Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module NZ2GN12A42-16DTE Affected: 09 and prior
Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module NZ2GN2S1-16D Affected: 09 and prior
Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module NZ2GN2S1-16T Affected: 09 and prior
Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module NZ2GN2S1-16TE Affected: 09 and prior
Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module NZ2GN2B1-16D Affected: 09 and prior
Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module NZ2GN2B1-16T Affected: 09 and prior
Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module NZ2GN2B1-16TE Affected: 09 and prior
Mitsubishi Electric Corporation CC-Link IE TSN Analog-Digital Converter module NZ2GN2S-60AD4 Affected: 07 and prior
Mitsubishi Electric Corporation CC-Link IE TSN Analog-Digital Converter module NZ2GN2B-60AD4 Affected: 07 and prior
Mitsubishi Electric Corporation CC-Link IE TSN Digital-Analog Converter module NZ2GN2S-60DA4 Affected: 07 and prior
Mitsubishi Electric Corporation CC-Link IE TSN Digital-Analog Converter module NZ2GN2B-60DA4 Affected: 07 and prior
Mitsubishi Electric Corporation CC-Link IE TSN FPGA module NZ2GN2S-D41P01 Affected: 01
Mitsubishi Electric Corporation CC-Link IE TSN FPGA module NZ2GN2S-D41D01 Affected: 01
Mitsubishi Electric Corporation CC-Link IE TSN FPGA module NZ2GN2S-D41PD02 Affected: 01
Mitsubishi Electric Corporation CC-Link IE TSN Remote Station Communication LSI CP620 with GbE-PHY NZ2GACP620-300 Affected: 1.08J and prior
Mitsubishi Electric Corporation CC-Link IE TSN Remote Station Communication LSI CP620 with GbE-PHY NZ2GACP620-60 Affected: 1.08J and prior
Mitsubishi Electric Corporation MELSEC iQ-R Series CC-Link IE TSN Master/Local Module RJ71GN11-T2 Affected: 26 and prior
Mitsubishi Electric Corporation MELSEC iQ-R Series CC-Link IE TSN Master/Local Module RJ71GN11-EIP Affected: 10 and prior
Mitsubishi Electric Corporation MELSEC iQ-R Series CC-Link IE TSN Master/Local Module RJ71GN11-SX Affected: 05 and prior
Mitsubishi Electric Corporation MELSEC iQ-R Series Ethernet Interface Module RJ71EN71 Affected: 85 and prior
Mitsubishi Electric Corporation CC-Link IE TSN Master/Local Station Communication LSI CP610 NZ2GACP610-60 Affected: 05 and prior
Mitsubishi Electric Corporation CC-Link IE TSN Master/Local Station Communication LSI CP610 NZ2KT-NPETNG51 Affected: 05 and prior
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5 CC-Link IE TSN Master/Local Module FX5-CCLGN-MS Affected: 1.020 and prior
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5 Ethernet Module FX5-ENET Affected: 1.200 and prior
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP Affected: 1.106 and prior

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-3511",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-23T17:46:29.102151Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-23T17:46:36.083Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Remote I/O module NZ2GN2S1-32D",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "09 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Remote I/O module NZ2GN2S1-32T",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "09 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Remote I/O module NZ2GN2S1-32TE",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "09 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Remote I/O module NZ2GN2S1-32DT",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "09 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Remote I/O module NZ2GN2S1-32DTE",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "09 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Remote I/O module NZ2GN2B1-32D",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "09 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Remote I/O module NZ2GN2B1-32T",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "09 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Remote I/O module NZ2GN2B1-32TE",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "09 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Remote I/O module NZ2GN2B1-32DT",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "09 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Remote I/O module NZ2GN2B1-32DTE",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "09 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Remote I/O module NZ2GNCF1-32D",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "09 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Remote I/O module NZ2GNCF1-32T",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "09 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Remote I/O module NZ2GNCE3-32D",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "09 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Remote I/O module NZ2GNCE3-32DT",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "09 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Remote I/O module NZ2GN12A4-16D",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "09 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Remote I/O module NZ2GN12A4-16DE",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "09 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Remote I/O module NZ2GN12A2-16T",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "09 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Remote I/O module NZ2GN12A2-16TE",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "09 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Remote I/O module NZ2GN12A42-16DT",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "09 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Remote I/O module NZ2GN12A42-16DTE",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "09 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Remote I/O module NZ2GN2S1-16D",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "09 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Remote I/O module NZ2GN2S1-16T",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "09 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Remote I/O module NZ2GN2S1-16TE",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "09 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Remote I/O module NZ2GN2B1-16D",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "09 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Remote I/O module NZ2GN2B1-16T",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "09 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Remote I/O module NZ2GN2B1-16TE",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "09 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Analog-Digital Converter module NZ2GN2S-60AD4",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "07 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Analog-Digital Converter module NZ2GN2B-60AD4",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "07 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Digital-Analog Converter module NZ2GN2S-60DA4",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "07 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Digital-Analog Converter module NZ2GN2B-60DA4",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "07 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN FPGA module NZ2GN2S-D41P01",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "01"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN FPGA module NZ2GN2S-D41D01",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "01"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN FPGA module NZ2GN2S-D41PD02",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "01"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Remote Station Communication LSI CP620 with GbE-PHY NZ2GACP620-300",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "1.08J and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Remote Station Communication LSI CP620 with GbE-PHY NZ2GACP620-60",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "1.08J and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-R Series CC-Link IE TSN Master/Local Module RJ71GN11-T2",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "26 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-R Series CC-Link IE TSN Master/Local Module RJ71GN11-EIP",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "10 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-R Series CC-Link IE TSN Master/Local Module RJ71GN11-SX",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "05 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-R Series Ethernet Interface Module RJ71EN71",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "85 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Master/Local Station Communication LSI CP610 NZ2GACP610-60",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "05 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CC-Link IE TSN Master/Local Station Communication LSI CP610 NZ2KT-NPETNG51",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "05 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5 CC-Link IE TSN Master/Local Module FX5-CCLGN-MS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "1.020 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5 Ethernet Module FX5-ENET",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "1.200 and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "1.106 and prior"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Validation of Specified Quantity in Input vulnerability in Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module, CC-Link IE TSN Analog-Digital Converter module, CC-Link IE TSN Digital-Analog Converter module, CC-Link IE TSN FPGA module, CC-Link IE TSN Remote Station Communication LSI CP620 with GbE-PHY, MELSEC iQ-R Series CC-Link IE TSN Master/Local Module, MELSEC iQ-R Series Ethernet Interface Module, CC-Link IE TSN Master/Local Station Communication LSI CP610, MELSEC iQ-F Series FX5 CC-Link IE TSN Master/Local Module, MELSEC iQ-F Series FX5 Ethernet Module, and MELSEC iQ-F Series FX5-ENET/IP Ethernet Module allows a remote unauthenticated attacker to cause a Denial of Service condition in the products by sending specially crafted UDP packets."
            }
          ],
          "value": "Improper Validation of Specified Quantity in Input vulnerability in Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module, CC-Link IE TSN Analog-Digital Converter module, CC-Link IE TSN Digital-Analog Converter module, CC-Link IE TSN FPGA module, CC-Link IE TSN Remote Station Communication LSI CP620 with GbE-PHY, MELSEC iQ-R Series CC-Link IE TSN Master/Local Module, MELSEC iQ-R Series Ethernet Interface Module, CC-Link IE TSN Master/Local Station Communication LSI CP610, MELSEC iQ-F Series FX5 CC-Link IE TSN Master/Local Module, MELSEC iQ-F Series FX5 Ethernet Module, and MELSEC iQ-F Series FX5-ENET/IP Ethernet Module allows a remote unauthenticated attacker to cause a Denial of Service condition in the products by sending specially crafted UDP packets."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "Denial-of-Service"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1284",
              "description": "CWE-1284 Improper Validation of Specified Quantity in Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-24T07:13:32.562Z",
        "orgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad",
        "shortName": "Mitsubishi"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-001_en.pdf"
        },
        {
          "tags": [
            "government-resource"
          ],
          "url": "https://jvn.jp/vu/JVNVU96620683/"
        },
        {
          "tags": [
            "government-resource"
          ],
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-128-03"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad",
    "assignerShortName": "Mitsubishi",
    "cveId": "CVE-2025-3511",
    "datePublished": "2025-04-25T05:14:43.758Z",
    "dateReserved": "2025-04-11T04:10:12.030Z",
    "dateUpdated": "2026-04-24T07:13:32.562Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-36009 (GCVE-0-2025-36009)

Vulnerability from cvelistv5 – Published: 2026-01-30 21:28 – Updated: 2026-02-04 17:28
Title
IBM Db2 Denial of Service
Summary
IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service due to excessive use of a global variable.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1284 - Improper Validation of Specified Quantity in Input
Assigner
ibm
References
URL Tags
https://www.ibm.com/support/pages/node/7257695 vendor-advisory, patch
Impacted products
Vendor Product Version
IBM Db2 for Linux, UNIX and Windows Affected: 11.5.0 , ≤ 11.5.9 (semver)
Affected: 12.1.0 , ≤ 12.1.3 (semver)
    cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:linux:*:*
    cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:unix:*:*
    cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:aix:*:*
    cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:windows:*:*
    cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:zos:*:*
    cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:linux:*:*
    cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:unix:*:*
    cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:aix:*:*
    cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:windows:*:*
    cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:zos:*:*
    cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:linux:*:*
    cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:unix:*:*
    cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:aix:*:*
    cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:windows:*:*
    cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:zos:*:*
    cpe:2.3:a:ibm:db2:12.1.3:*:*:*:*:linux:*:*
    cpe:2.3:a:ibm:db2:12.1.3:*:*:*:*:unix:*:*
    cpe:2.3:a:ibm:db2:12.1.3:*:*:*:*:aix:*:*
    cpe:2.3:a:ibm:db2:12.1.3:*:*:*:*:windows:*:*
    cpe:2.3:a:ibm:db2:12.1.3:*:*:*:*:zos:*:*

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-36009",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-02T16:25:20.586208Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-02T16:30:17.789Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:linux:*:*",
            "cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:unix:*:*",
            "cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:aix:*:*",
            "cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:windows:*:*",
            "cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:zos:*:*",
            "cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:linux:*:*",
            "cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:unix:*:*",
            "cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:aix:*:*",
            "cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:windows:*:*",
            "cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:zos:*:*",
            "cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:linux:*:*",
            "cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:unix:*:*",
            "cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:aix:*:*",
            "cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:windows:*:*",
            "cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:zos:*:*",
            "cpe:2.3:a:ibm:db2:12.1.3:*:*:*:*:linux:*:*",
            "cpe:2.3:a:ibm:db2:12.1.3:*:*:*:*:unix:*:*",
            "cpe:2.3:a:ibm:db2:12.1.3:*:*:*:*:aix:*:*",
            "cpe:2.3:a:ibm:db2:12.1.3:*:*:*:*:windows:*:*",
            "cpe:2.3:a:ibm:db2:12.1.3:*:*:*:*:zos:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "Db2 for Linux, UNIX and Windows",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "11.5.9",
              "status": "affected",
              "version": "11.5.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "12.1.3",
              "status": "affected",
              "version": "12.1.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service due to excessive use of a global variable.\u003c/p\u003e"
            }
          ],
          "value": "IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service due to excessive use of a global variable."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1284",
              "description": "CWE-1284 Improper Validation of Specified Quantity in Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-04T17:28:55.732Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://www.ibm.com/support/pages/node/7257695"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eCustomers running any vulnerable modpack level of an affected Program, V11.5, and V12.1, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent level for each impacted release: V11.5.9, V12.1.2 and V12.1.3. They can be applied to any affected level of the appropriate release to remediate this vulnerability.\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eRelease\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eFixed in mod pack\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eAPAR\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eDownload URL\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eV11.5\u003c/td\u003e\u003ctd\u003eTBD\u003c/td\u003e\u003ctd\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/mysupport/s/defect/aCIgJ0000006cdi/dt453924\"\u003eDT453924\u003c/a\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSpecial Build #66394 or later for V11.5.9 available at this link:\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7087189\"\u003ehttps://www.ibm.com/support/pages/node/7087189\u003c/a\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eV12.1\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eTBD\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/mysupport/s/defect/aCIgJ0000006cdi/dt453924\"\u003eDT453924\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSpecial Build #72296 or later for V12.1.2 available at this link:\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/db2-v1212-published-cumulative-special-build-downloads\"\u003ehttps://www.ibm.com/support/pages/db2-v1212-published-cumulative-special-build-downloads\u003c/a\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003eSpecial Build #71609 or later for V12.1.3 available at this link:\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/db2-v1213-published-cumulative-special-build-downloads\"\u003ehttps://www.ibm.com/support/pages/db2-v1213-published-cumulative-special-build-downloads\u003c/a\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003cbr\u003e"
            }
          ],
          "value": "Customers running any vulnerable modpack level of an affected Program, V11.5, and V12.1, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent level for each impacted release: V11.5.9, V12.1.2 and V12.1.3. They can be applied to any affected level of the appropriate release to remediate this vulnerability.\n\n\u00a0\n\nReleaseFixed in mod packAPARDownload URLV11.5TBD https://www.ibm.com/support/pages/node/7087189 \n\nV12.1\n\n\u00a0\n\nTBD\n\n\u00a0\n\n https://www.ibm.com/support/pages/db2-v1212-published-cumulative-special-build-downloads \n\n\nSpecial Build #71609 or later for V12.1.3 available at this link:\n https://www.ibm.com/support/pages/db2-v1213-published-cumulative-special-build-downloads"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "IBM Db2 Denial of Service",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2025-36009",
    "datePublished": "2026-01-30T21:28:12.081Z",
    "dateReserved": "2025-04-15T21:16:05.533Z",
    "dateUpdated": "2026-02-04T17:28:55.732Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-36015 (GCVE-0-2025-36015)

Vulnerability from cvelistv5 – Published: 2025-12-08 21:22 – Updated: 2025-12-08 21:33
Title
IBM Controller Denial of Service
Summary
IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 could allow an authenticated user to cause a denial of service due to improper validation of a specified quantity size input.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1284 - Improper Validation of Specified Quantity in Input
Assigner
ibm
References
URL Tags
https://www.ibm.com/support/pages/node/7253273 vendor-advisory, patch
Impacted products
Vendor Product Version
IBM Controller Affected: 11.1.0 , ≤ 11.1.1 (semver)
    cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:controller:11.1.1:*:*:*:*:*:*:*
IBM Cognos Controller Affected: 11.0.0 , ≤ 11.0.1 FP6 (semver)
    cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:cognos_controller:11.0.1:FP6:*:*:*:*:*:*

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-36015",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-08T21:33:21.930669Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-08T21:33:32.059Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:controller:11.1.1:*:*:*:*:*:*:*"
          ],
          "product": "Controller",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "11.1.1",
              "status": "affected",
              "version": "11.1.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:cognos_controller:11.0.1:FP6:*:*:*:*:*:*"
          ],
          "product": "Cognos Controller",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "11.0.1 FP6",
              "status": "affected",
              "version": "11.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 could allow an authenticated user to cause a denial of service due to improper validation of a specified quantity size input.\u003c/p\u003e"
            }
          ],
          "value": "IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 could allow an authenticated user to cause a denial of service due to improper validation of a specified quantity size input."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1284",
              "description": "CWE-1284 Improper Validation of Specified Quantity in Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-08T21:22:45.698Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://www.ibm.com/support/pages/node/7253273"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eRemediation/Fixes It is strongly recommended that you apply the most recent security updates: Affected Product(s) Version(s) Fix IBM Controller 11.1.0 - 11.1.1 Download IBM Controller 11.1.2 from Passport Advantage IBM Cognos Controller 11.0.0 - 11.0.1 FP6 Download IBM Cognos Controller 11.0.1 FP7 from Fix Central IBM Controller 11.1.2 and IBM Cognos Controller 11.0.1 FP7 are available for Cloud deployments.\u003c/p\u003e"
            }
          ],
          "value": "Remediation/Fixes It is strongly recommended that you apply the most recent security updates: Affected Product(s) Version(s) Fix IBM Controller 11.1.0 - 11.1.1 Download IBM Controller 11.1.2 from Passport Advantage IBM Cognos Controller 11.0.0 - 11.0.1 FP6 Download IBM Cognos Controller 11.0.1 FP7 from Fix Central IBM Controller 11.1.2 and IBM Cognos Controller 11.0.1 FP7 are available for Cloud deployments."
        }
      ],
      "title": "IBM Controller Denial of Service",
      "x_generator": {
        "engine": "ibm-cvegen"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2025-36015",
    "datePublished": "2025-12-08T21:22:45.698Z",
    "dateReserved": "2025-04-15T21:16:07.862Z",
    "dateUpdated": "2025-12-08T21:33:32.059Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-36092 (GCVE-0-2025-36092)

Vulnerability from cvelistv5 – Published: 2025-11-03 15:15 – Updated: 2025-11-03 15:35
Title
IBM Business Automation Insights improper input validation
Summary
IBM Cloud Pak For Business Automation 25.0.0, 24.0.1, and 24.0.0 could allow an authenticated user to cause a denial of service due to the improper validation of input length.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1284 - Improper Validation of Specified Quantity in Input
Assigner
ibm
References
URL Tags
https://www.ibm.com/support/pages/node/7249999 vendor-advisory, patch
Impacted products
Vendor Product Version
IBM Cloud Pak For Business Automation Affected: 25.0.0
Affected: 24.0.1
Affected: 24.0.0
    cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:cloud_pak_for_business_automation:25.0.0:*:*:*:*:*:*:*

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-36092",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-03T15:35:47.451777Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-03T15:35:59.011Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:cloud_pak_for_business_automation:25.0.0:*:*:*:*:*:*:*"
          ],
          "product": "Cloud Pak For Business Automation",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "25.0.0"
            },
            {
              "status": "affected",
              "version": "24.0.1"
            },
            {
              "status": "affected",
              "version": "24.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIBM Cloud Pak For Business Automation 25.0.0, 24.0.1, and 24.0.0 could allow an authenticated user to cause a denial of service due to the improper validation of input length.\u003c/p\u003e"
            }
          ],
          "value": "IBM Cloud Pak For Business Automation 25.0.0, 24.0.1, and 24.0.0 could allow an authenticated user to cause a denial of service due to the improper validation of input length."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1284",
              "description": "CWE-1284 Improper Validation of Specified Quantity in Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-03T15:15:43.546Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://www.ibm.com/support/pages/node/7249999"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eRemediation/Fixes IBM strongly recommends addressing the vulnerability now. Product(s) Version(s) number and/or range Remediation/Fix/Instructions IBM Business Automation Insights 25.0.0 Apply security fix 25.0.0-IF002 IBM Business Automation Insights 24.0.1 Apply security fix 24.0.1-IF005 IBM Business Automation Insights 24.0.0 Apply security fix 24.0.0-IF005\u003c/p\u003e"
            }
          ],
          "value": "Remediation/Fixes IBM strongly recommends addressing the vulnerability now. Product(s) Version(s) number and/or range Remediation/Fix/Instructions IBM Business Automation Insights 25.0.0 Apply security fix 25.0.0-IF002 IBM Business Automation Insights 24.0.1 Apply security fix 24.0.1-IF005 IBM Business Automation Insights 24.0.0 Apply security fix 24.0.0-IF005"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "IBM Business Automation Insights improper input validation",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eWorkarounds and Mitigations None.\u003c/p\u003e"
            }
          ],
          "value": "Workarounds and Mitigations None."
        }
      ],
      "x_generator": {
        "engine": "ibm-cvegen"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2025-36092",
    "datePublished": "2025-11-03T15:15:43.546Z",
    "dateReserved": "2025-04-15T21:16:14.710Z",
    "dateUpdated": "2025-11-03T15:35:59.011Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-36094 (GCVE-0-2025-36094)

Vulnerability from cvelistv5 – Published: 2026-02-03 22:06 – Updated: 2026-02-04 16:06
Title
Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for January 2026.
Summary
IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 007 could allow an authenticated user to cause a denial of service or corrupt existing data due to the improper validation of input length.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1284 - Improper Validation of Specified Quantity in Input
Assigner
ibm
References
URL Tags
https://www.ibm.com/support/pages/node/7259318 vendor-advisory, patch
Impacted products
Vendor Product Version
IBM Cloud Pak for Business Automation Affected: 25.0.0 , ≤ 25.0.0 Interim Fix 002 (semver)
Affected: 24.0.1 , ≤ 24.0.1 Interim Fix 005 (semver)
Affected: 24.0.0 , ≤ 24.0.0 Interim Fix 007 (semver)
    cpe:2.3:a:ibm:cloud_pak_for_business_automation:25.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:cloud_pak_for_business_automation:25.0.0:interim_fix_002:*:*:*:*:*:*
    cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:interim_fix_005:*:*:*:*:*:*
    cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_007:*:*:*:*:*:*

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-36094",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-04T15:20:24.549770Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-04T16:06:46.499Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:ibm:cloud_pak_for_business_automation:25.0.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:cloud_pak_for_business_automation:25.0.0:interim_fix_002:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:interim_fix_005:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_007:*:*:*:*:*:*"
          ],
          "product": "Cloud Pak for Business Automation",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "25.0.0 Interim Fix 002",
              "status": "affected",
              "version": "25.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "24.0.1 Interim Fix 005",
              "status": "affected",
              "version": "24.0.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "24.0.0 Interim Fix 007",
              "status": "affected",
              "version": "24.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 007 could allow an authenticated user to cause a denial of service or corrupt existing data due to the improper validation of input length.\u003c/p\u003e"
            }
          ],
          "value": "IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 007 could allow an authenticated user to cause a denial of service or corrupt existing data due to the improper validation of input length."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1284",
              "description": "CWE-1284 Improper Validation of Specified Quantity in Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-03T22:06:09.620Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://www.ibm.com/support/pages/node/7259318"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003e\u003cbr\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003ctd\u003eAffected Product(s)\u003c/td\u003e\u003ctd\u003eVersion(s)\u003c/td\u003e\u003ctd\u003eRemediation / Fix\u003c/td\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIBM Cloud Pak for Business Automation\u003c/td\u003e\u003ctd\u003eV25.0.0 - V25.0.0-IF002\u003c/td\u003e\u003ctd\u003eApply security fix \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/readme-ibm-cloud-pak-business-automation-2500-if003\"\u003e25.0.0-IF003\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Cloud Pak for Business Automation\u003c/td\u003e\u003ctd\u003eV24.0.1 - V24.0.1-IF005\u003c/td\u003e\u003ctd\u003eApply security fix \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/readme-ibm-cloud-pak-business-automation-2401-if006\"\u003e24.0.1-IF006\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Cloud Pak for Business Automation\u003c/td\u003e\u003ctd\u003eV24.0.0 - V24.0.0-IF007\u003c/td\u003e\u003ctd\u003eApply security fix \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/readme-ibm-cloud-pak-business-automation-2400-if008\"\u003e24.0.0-IF008\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u0026nbsp;\u003c/div\u003e"
            }
          ],
          "value": "Affected Product(s)Version(s)Remediation / FixIBM Cloud Pak for Business AutomationV25.0.0 - V25.0.0-IF002Apply security fix  25.0.0-IF003 https://www.ibm.com/support/pages/readme-ibm-cloud-pak-business-automation-2500-if003 IBM Cloud Pak for Business AutomationV24.0.1 - V24.0.1-IF005Apply security fix  24.0.1-IF006 https://www.ibm.com/support/pages/readme-ibm-cloud-pak-business-automation-2401-if006 IBM Cloud Pak for Business AutomationV24.0.0 - V24.0.0-IF007Apply security fix  24.0.0-IF008 https://www.ibm.com/support/pages/readme-ibm-cloud-pak-business-automation-2400-if008"
        }
      ],
      "title": "Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for January 2026.",
      "x_generator": {
        "engine": "ibm-cvegen"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2025-36094",
    "datePublished": "2026-02-03T22:06:09.620Z",
    "dateReserved": "2025-04-15T21:16:14.711Z",
    "dateUpdated": "2026-02-04T16:06:46.499Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation ID: MIT-5

Phase: Implementation

Strategy: Input Validation

Description:

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

No CAPEC attack patterns related to this CWE.
