SB2026013020 - Multiple vulnerabilities in IBM Maximo Application Suite - Location Service for Esri Component

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026013020

SB2026013020 - Multiple vulnerabilities in IBM Maximo Application Suite - Location Service for Esri Component

Published: January 30, 2026

Security Bulletin ID SB2026013020
Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-66418)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to missing limits on the number of links in the decompression chain when handling gzip or zstd data in the server response. A malicious server can send a response with a large amount of links and cause high CPU load, leading to a denial of service condition. 


2) Resource exhaustion (CVE-ID: CVE-2025-66471)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the streaming API does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


3) Improper Handling of Windows Device Names (CVE-ID: CVE-2025-66221)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to the "safe_join" function allows path segments with Windows device names. A remote attacker can cause reading of the file to hang indefinitely.


Remediation

Install update from vendor's website.

References