SB2026021217 - Multiple vulnerabilities in IBM Watson Discovery Cartridge 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026021217

SB2026021217 - Multiple vulnerabilities in IBM Watson Discovery Cartridge

Published: February 12, 2026

Security Bulletin ID SB2026021217
Severity
High
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 50% Medium 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Path traversal (CVE-ID: CVE-2025-12060)

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to input validation error in keras.utils.get_file API when used with the extract=True option for tar archives. A remote user can supply a malicious .tar archive containing special symlinks, which, when extracted, allows them to write arbitrary files to any location on the filesystem outside of the intended destination folder.


2) Path traversal (CVE-ID: CVE-2025-4517)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to input validation error in the tarfile module when extracting files from an archive with filter="data". A remote attacker can pass specially crafted archive to the application and write files to arbitrary locations on the system outside the extraction directory.


Remediation

Install update from vendor's website.

References