SB2026012038 - Multiple vulnerabilities in IBM Business Automation Manager Open Editions 




Published: January 20, 2026

Security Bulletin ID: SB2026012038
Severity: High
Patch available: Yes
Number of vulnerabilities: 24
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 17%
Medium: 58%
Low: 25%

Description

This security bulletin contains information about 24 security vulnerabilities.


1) XML External Entity injection (CVE-ID: CVE-2025-64518)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied XML input. A remote attacker can pass specially crafted XML to the affected application and view the contents of arbitrary files on the system or initiate requests to external systems.

Successful exploitation of the vulnerability may allow an attacker to view the contents of arbitrary files on the server or perform network scanning of internal and external infrastructure.

Note: this vulnerability exists because of an incomplete fix for #VU119088 (CVE-2024-38374, item 12 in this bulletin).


2) Input validation error (CVE-ID: CVE-2025-11226)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input when parsing a configuration file. A remote attacker can trick the victim into using a specially crafted configuration file and execute arbitrary code on the system.

Successful exploitation of the vulnerability requires the Janino library and the Spring Framework to be present on the user's class path.


3) Improper input validation (CVE-ID: CVE-2025-53057)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Security component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.


4) Exposed dangerous method or function (CVE-ID: CVE-2025-12735)

The vulnerability allows a remote attacker to compromise the affected application.

The vulnerability exists because the application uses the unsafe evaluate() method on untrusted input. A remote attacker can pass specially crafted data to the application and execute arbitrary JavaScript code.


5) Information disclosure (CVE-ID: CVE-2025-4673)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists because net/http does not clear the sensitive Proxy-Authorization and Proxy-Authenticate headers on a cross-origin redirect. A remote attacker can gain access to credentials passed via these headers.
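As an added defensive example (not code from this bulletin, from the Go project or from IBM): an http.Client CheckRedirect policy that removes the Proxy-Authorization and Proxy-Authenticate headers whenever a redirect hop leaves the origin of the first request in the chain, for clients that cannot yet move to a fixed Go toolchain. The host names and the credential value are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// The two headers the bulletin says net/http did not clear across origins.
var proxyCredentialHeaders = []string{"Proxy-Authorization", "Proxy-Authenticate"}

// sameOrigin reports whether two URLs share scheme and host (host includes the port).
func sameOrigin(a, b *url.URL) bool {
	return strings.EqualFold(a.Scheme, b.Scheme) && strings.EqualFold(a.Host, b.Host)
}

// stripProxyCredentials has the http.Client.CheckRedirect signature. When a redirect
// hop leaves the origin of the first request in the chain, it deletes the proxy
// credential headers from the outgoing request before the client sends it. The
// redirect limit mirrors the net/http default that a custom policy would otherwise lose.
func stripProxyCredentials(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 {
		return errors.New("stopped after 10 redirects")
	}
	if len(via) == 0 || sameOrigin(req.URL, via[0].URL) {
		return nil // same origin: the proxy may legitimately need the credentials
	}
	for _, name := range proxyCredentialHeaders {
		req.Header.Del(name)
	}
	return nil
}

func main() {
	client := &http.Client{CheckRedirect: stripProxyCredentials}

	// Constructed redirect chain (no network used): the first request carries a proxy
	// credential and is redirected to a different host, as a hostile endpoint could do.
	first, _ := http.NewRequest("GET", "https://app.example.internal/login", nil)
	first.Header.Set("Proxy-Authorization", "Basic constructed-placeholder")
	hop, _ := http.NewRequest("GET", "https://cdn.example.org/login", nil)
	hop.Header = first.Header.Clone() // net/http copies headers before CheckRedirect runs
	if err := client.CheckRedirect(hop, []*http.Request{first}); err != nil {
		fmt.Println("redirect refused:", err)
	}
	fmt.Printf("Proxy-Authorization on cross-origin hop: %q\n", hop.Header.Get("Proxy-Authorization"))
}
```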


6) Improper input validation (CVE-ID: CVE-2025-53066)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the JAXP component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.


7) Stored cross-site scripting (CVE-ID: CVE-2025-11966)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied file names shown in directory listings. A remote user can inject and execute arbitrary HTML and script code in the victim's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


8) Files or Directories Accessible to External Parties (CVE-ID: CVE-2025-11965)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists because the hidden file protection feature of "StaticHandler" leaves files or directories accessible to external parties when "setIncludeHidden(false)" is configured. A remote attacker can gain access to sensitive information on the system.


9) Improper Output Neutralization for Logs (CVE-ID: CVE-2025-55754)

The vulnerability allows a remote attacker to execute arbitrary OS commands.

The vulnerability exists due to improper input validation of ANSI escape sequences in log messages. A remote attacker can use a crafted URL to inject ANSI escape sequences that manipulate the console and the clipboard and potentially execute arbitrary code.

The vulnerability affects Windows installations only.


10) Prototype pollution (CVE-ID: CVE-2025-13204)

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.


11) OS Command Injection (CVE-ID: CVE-2025-64756)

The vulnerability allows a remote user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation when processing file names. A remote user can pass a specially crafted file name to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


12) XML External Entity injection (CVE-ID: CVE-2024-38374)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied XML input. A remote attacker can pass specially crafted XML to the affected application and view the contents of arbitrary files on the system or initiate requests to external systems.

Successful exploitation of the vulnerability may allow an attacker to view the contents of arbitrary files on the server or perform network scanning of internal and external infrastructure.


13) Out-of-bounds read (CVE-ID: CVE-2025-12183)

The vulnerability allows a remote attacker to gain access to potentially sensitive information or perform a denial of service attack.

The vulnerability exists due to a boundary condition. A remote attacker can pass specially crafted compressed input to the application, trigger an out-of-bounds read error and read contents of memory on the system or perform a denial of service attack.


14) Prototype pollution (CVE-ID: CVE-2025-64718)

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted input to the application and perform prototype pollution attacks.


15) Input validation error (CVE-ID: CVE-2025-47912)

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists in net/url because the Parse function permits values other than IPv6 addresses inside square brackets in the host component of a URL. A remote attacker can abuse this behavior to perform spoofing attacks.
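As an added example (not code from this bulletin or from the Go project): a validator that refuses a bracketed host component unless it is an IPv6 address, applied on top of url.Parse so an application that cannot yet move to a fixed toolchain does not act on a spoofed host. The sample URLs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// checkBracketedHost enforces the rule the bulletin describes for net/url: anything
// inside square brackets in a URL's host component must be an IPv6 address (a zone
// suffix such as "%eth0" is accepted, as net/url itself allows). The argument is the
// Host field of a parsed URL; the result is the normalized literal, or "" when the
// host carries no bracketed literal at all.
func checkBracketedHost(host string) (string, error) {
	if !strings.HasPrefix(host, "[") {
		return "", nil
	}
	lit, rest, ok := strings.Cut(host[1:], "]")
	if !ok {
		return "", errors.New("unterminated bracketed host literal")
	}
	if rest != "" && !strings.HasPrefix(rest, ":") {
		return "", errors.New("unexpected data after bracketed host literal")
	}
	addr, err := netip.ParseAddr(lit) // parses "::1" and "fe80::1%eth0"; rejects names
	if err != nil || !addr.Is6() {
		return "", fmt.Errorf("bracketed host %q is not an IPv6 address", lit)
	}
	return addr.String(), nil
}

// validateURL parses a URL and applies the bracket check on top of url.Parse.
func validateURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if _, err := checkBracketedHost(u.Host); err != nil {
		return nil, err
	}
	return u, nil
}

func main() {
	// Constructed inputs: a legitimate IPv6 literal and a hostname smuggled in brackets.
	for _, raw := range []string{"http://[::1]:8080/health", "http://[example.com]/"} {
		_, err := validateURL(raw)
		fmt.Printf("%-28s accepted=%v err=%v\n", raw, err == nil, err)
	}
}
```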


16) Resource exhaustion (CVE-ID: CVE-2025-58185)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in encoding/asn1 because the application does not properly control consumption of internal resources when parsing DER payloads. A remote attacker can trigger memory exhaustion and perform a denial of service (DoS) attack.


17) Improper Encoding or Escaping of Output (CVE-ID: CVE-2025-58189)

The vulnerability allows a remote attacker to perform spoofing attacks.

The vulnerability exists due to missing sanitization of input data in crypto/tls when Conn.Handshake fails during ALPN negotiation. A remote attacker can pass specially crafted input that ends up in an error message and influence the application's behavior, leading to a potential spoofing attack.


18) Resource exhaustion (CVE-ID: CVE-2025-61723)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in encoding/pem because the application does not properly control consumption of internal resources when parsing untrusted PEM input. A remote attacker can trigger CPU exhaustion and perform a denial of service (DoS) attack.


19) Resource exhaustion (CVE-ID: CVE-2025-61724)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in net/textproto because the Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. A remote attacker can trigger excessive CPU consumption and perform a denial of service (DoS) attack.


20) Protection Mechanism Failure (CVE-ID: CVE-2025-41248)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists because the annotation detection mechanism does not correctly resolve annotations on methods within type hierarchies that have a parameterized supertype with unbounded generics. A remote attacker can gain access to sensitive information.


21) Protection Mechanism Failure (CVE-ID: CVE-2025-41249)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists because the annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies that have a parameterized supertype with unbounded generics. A remote attacker can gain access to sensitive information.


22) Input validation error (CVE-ID: CVE-2025-59250)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to insufficient validation of user-supplied input in the JDBC Driver for SQL Server. A remote attacker can trick a victim into connecting to a malicious server and perform a spoofing attack.


23) Resource exhaustion (CVE-ID: CVE-2025-55163)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources when handling HTTP/2 requests. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


24) Improper input validation (CVE-ID: CVE-2025-61748)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Libraries component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.


Remediation

Install update from vendor's website.