SB2026012235 - Multiple vulnerabilities in IBM Process Mining
Published: January 22, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 12 secuirty vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2025-53066)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the JAXP component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
2) Prototype pollution (CVE-ID: CVE-2025-64718)
The vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted input to the application and perform prototype pollution attacks.
3) Infinite loop (CVE-ID: CVE-2025-62727)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop. A remote attacker can send a specially crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic and cause denial of service conditions.
4) Incorrect default permissions (CVE-ID: CVE-2020-8908)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incorrect default permissions for files located in the temporary directory set by the Guava com.google.common.io.Files.createTempDir(). A local user with access to the system can view contents of files and directories or modify them.
5) Uncontrolled memory allocation (CVE-ID: CVE-2018-10237)
The vulnerability allows a remote attacker to cause DoS condition on the target system.The weakness exists due to unbounded memory allocation. A remote attacker can cause the service to crash and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
6) Improper input validation (CVE-ID: CVE-2025-53057)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
The vulnerability exists due to improper input validation within the Security component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.
7) Improper authorization (CVE-ID: CVE-2025-41232)
The vulnerability allows a remote attacker to compromise the affected application.
The vulnerability exists due to an error in Spring Security Aspects, that may not correctly locate method security annotations on private methods. A remote non-authenticated attacker can bypass authorization checks and gain unauthorized access to the application.
The vulnerability affects system that:
- use
@EnableMethodSecurity(mode=ASPECTJ)andspring-security-aspects, and - have Spring Security method annotations on a private method
8) Input validation error (CVE-ID: CVE-2025-11226)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input when parsing configuration file. A remote attacker can trick the victim into using a specially crafted configuration file and execute arbitrary code on the system.
Successful exploitation of the vulnerability requires presence of Janino library and Spring Framework on the user's class path.
9) Path traversal (CVE-ID: CVE-2025-41242)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
Note, the vulnerability affects installations when deployed on a non-compliant Servlet container.
An application can be vulnerable when all the following are true:
- the application is deployed as a WAR or with an embedded Servlet container
- the Servlet container does not reject suspicious sequences
- the application serves static resources with Spring resource handling
10) Cross-site request forgery (CVE-ID: CVE-2025-41254)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in STOMP over WebSocket applications. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
11) Protection Mechanism Failure (CVE-ID: CVE-2025-41249)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to the annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. A remote attacker can gain access to sensitive information.
12) Protection Mechanism Failure (CVE-ID: CVE-2025-41248)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to the annotation detection mechanism does not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. A remote attacker can gain access to sensitive information.
Remediation
Install update from vendor's website.