
    18 vulnerabilities found for watsonx.data by ibm

    CVE-2025-36145 (GCVE-0-2025-36145)

    Vulnerability from nvd – Published: 2026-05-26 15:50 – Updated: 2026-05-26 17:42
    VLAI
    Title
    Multiple Vulnerabilities in watsonx.data
    Summary
    IBM watsonx.data 2.2 through 2.3.1 IBM Lakehouse does not properly restrict inbound and outbound connections which could allow an attacker to transfer or modify files without restrictions.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-923 - Improper Restriction of Communication Channel to Intended Endpoints
    Assigner
    ibm
    References
    URL Tags
    https://www.ibm.com/support/pages/node/7272498 vendor-advisory, patch
    Impacted products
    Vendor Product Version
    IBM watsonx.data Affected: 2.2.0 , ≤ 2.3.1 (semver)
        cpe:2.3:a:ibm:watsonxdata:2.2:*:*:*:*:*:*:*
        cpe:2.3:a:ibm:watsonxdata:2.2.0:*:*:*:*:*:*:*
        cpe:2.3:a:ibm:watsonxdata:2.3.1:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-36145",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-26T17:41:52.481115Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-26T17:42:05.425Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:ibm:watsonxdata:2.2:*:*:*:*:*:*:*",
                "cpe:2.3:a:ibm:watsonxdata:2.2.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:ibm:watsonxdata:2.3.1:*:*:*:*:*:*:*"
              ],
              "product": "watsonx.data",
              "vendor": "IBM",
              "versions": [
                {
                  "lessThanOrEqual": "2.3.1",
                  "status": "affected",
                  "version": "2.2.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIBM watsonx.data 2.2 through 2.3.1 IBM Lakehouse does not properly restrict inbound and outbound connections which could allow an attacker to transfer or modify files without restrictions.\u003c/p\u003e"
                }
              ],
              "value": "IBM watsonx.data 2.2 through 2.3.1 IBM Lakehouse does not properly restrict inbound and outbound connections which could allow an attacker to transfer or modify files without restrictions."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-923",
                  "description": "CWE-923 Improper Restriction of Communication Channel to Intended Endpoints",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-26T15:50:54.945Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://www.ibm.com/support/pages/node/7272498"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe product needs to be installed or upgraded to the latest available level watsonx.data 2.3.x or watsonx.data on CPD 5.3.x. \u0026nbsp;Installation/upgrade instructions can be found here: \u003ca href=\"https://www.ibm.com/docs/en/software-hub/5.3.x?topic=watsonxdata-installing\" rel=\"nofollow\"\u003ehttps://www.ibm.com/docs/en/software-hub/5.3.x?topic=watsonxdata-installing\u003c/a\u003e\u003c/p\u003e"
                }
              ],
              "value": "The product needs to be installed or upgraded to the latest available level watsonx.data 2.3.x or watsonx.data on CPD 5.3.x. \u00a0Installation/upgrade instructions can be found here:  https://www.ibm.com/docs/en/software-hub/5.3.x?topic=watsonxdata-installing"
            }
          ],
          "title": "Multiple Vulnerabilities in watsonx.data",
          "x_generator": {
            "engine": "ibm-cvegen"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2025-36145",
        "datePublished": "2026-05-26T15:50:54.945Z",
        "dateReserved": "2025-04-15T21:16:19.940Z",
        "dateUpdated": "2026-05-26T17:42:05.425Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-36335 (GCVE-0-2025-36335)

    Vulnerability from nvd – Published: 2026-04-30 21:12 – Updated: 2026-05-01 14:23
    VLAI
    Title
    Vulnerabilities found
    Summary
    IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.3.0, 5.3.1 stores user credentials in plain text which can be read by a local user.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-256 - Plaintext Storage of a Password
    Assigner
    ibm
    References
    URL Tags
    https://www.ibm.com/support/pages/node/7270923 vendor-advisory, patch
    Impacted products
    Vendor Product Version
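    IBM watsonx.data intelligence Affected: 5.2.0, 5.2.1, 5.3.0, 5.3.1 , ≤ 1.8.4 (semver)
    Note: this range is malformed in the CNA record (the `version` field holds a comma-separated list and `lessThanOrEqual` is 1.8.4, lower than every listed version), so automated semver range matching is unlikely to evaluate it correctly. The summary names 5.2.0, 5.2.1, 5.3.0 and 5.3.1 as the affected releases, and the only CPE listed is for 5.2.0.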
        cpe:2.3:a:ibm:watsonxdata_intelligence:5.2.0:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-36335",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-01T14:23:02.854656Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-01T14:23:11.089Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:ibm:watsonxdata_intelligence:5.2.0:*:*:*:*:*:*:*"
              ],
              "product": "watsonx.data intelligence",
              "vendor": "IBM",
              "versions": [
                {
                  "lessThanOrEqual": "1.8.4",
                  "status": "affected",
                  "version": "5.2.0, 5.2.1, 5.3.0, 5.3.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIBM watsonx.data intelligence 5.2.0, 5.2.1, 5.3.0, 5.3.1 stores user credentials in plain text which can be read by a local user.\u003c/p\u003e"
                }
              ],
              "value": "IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.3.0, 5.3.1 stores user credentials in plain text which can be read by a local user."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 6.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-256",
                  "description": "CWE-256 Plaintext Storage of a Password",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-30T21:12:54.030Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://www.ibm.com/support/pages/node/7270923"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate version to 5.3.1-patch3\u003cbr\u003e\u003ca href=\"https://www.ibm.com/docs/en/software-hub/5.3.x?topic=overview-available-patches-software-hub-version-531\" rel=\"nofollow\"\u003ehttps://www.ibm.com/docs/en/software-hub/5.3.x?topic=overview-available-patches-software-hub-version-531\u003c/a\u003e\u003c/p\u003e"
                }
              ],
              "value": "Update version to 5.3.1-patch3\n https://www.ibm.com/docs/en/software-hub/5.3.x?topic=overview-available-patches-software-hub-version-531"
            }
          ],
          "title": "Vulnerabilities found",
          "x_generator": {
            "engine": "ibm-cvegen"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2025-36335",
        "datePublished": "2026-04-30T21:12:54.030Z",
        "dateReserved": "2025-04-15T21:16:52.391Z",
        "dateUpdated": "2026-05-01T14:23:11.089Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-36180 (GCVE-0-2025-36180)

    Vulnerability from nvd – Published: 2026-04-30 21:28 – Updated: 2026-05-01 16:37
    VLAI
    Title
    Inadequate Pod Communication Restrictions, affects watsonx.data
    Summary
    IBM watsonx.data 2.2 through 2.3 IBM Lakehouse does not properly restrict communication between pods which could allow an attacker to transfer data between pods without restrictions.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-923 - Improper Restriction of Communication Channel to Intended Endpoints
    Assigner
    ibm
    References
    URL Tags
    https://www.ibm.com/support/pages/node/7270593 vendor-advisory, patch
    Impacted products
    Vendor Product Version
    IBM watsonx.data Affected: 2.2.0 , ≤ 2.3.0 (semver)
        cpe:2.3:a:ibm:watsonxdata:2.2.0:*:*:*:*:*:*:*
        cpe:2.3:a:ibm:watsonxdata:2.3.0:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-36180",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-01T16:07:12.084281Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-01T16:37:49.064Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:ibm:watsonxdata:2.2.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:ibm:watsonxdata:2.3.0:*:*:*:*:*:*:*"
              ],
              "product": "watsonx.data",
              "vendor": "IBM",
              "versions": [
                {
                  "lessThanOrEqual": "2.3.0",
                  "status": "affected",
                  "version": "2.2.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIBM watsonx.data 2.2 through 2.3 IBM Lakehouse does not properly restrict communication between pods which could allow an attacker to transfer data between pods without restrictions.\u003c/p\u003e"
                }
              ],
              "value": "IBM watsonx.data 2.2 through 2.3 IBM Lakehouse does not properly restrict communication between pods which could allow an attacker to transfer data between pods without restrictions."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-923",
                  "description": "CWE-923 Improper Restriction of Communication Channel to Intended Endpoints",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-30T21:39:21.850Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://www.ibm.com/support/pages/node/7270593"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe product needs to be installed or upgraded to the latest available level watsonx.data 2.3.1 or watsonx.data on CPD 5.3.1. \u0026nbsp;Installation/upgrade instructions can be found here: \u003ca href=\"https://www.ibm.com/docs/en/software-hub/5.3.x?topic=watsonxdata-installing\" rel=\"nofollow\"\u003ehttps://www.ibm.com/docs/en/software-hub/5.3.x?topic=watsonxdata-installing\u003c/a\u003e\u003c/p\u003e"
                }
              ],
              "value": "The product needs to be installed or upgraded to the latest available level watsonx.data 2.3.1 or watsonx.data on CPD 5.3.1. \u00a0Installation/upgrade instructions can be found here:  https://www.ibm.com/docs/en/software-hub/5.3.x?topic=watsonxdata-installing"
            }
          ],
          "title": "Inadequate Pod Communication Restrictions, affects watsonx.data",
          "x_generator": {
            "engine": "ibm-cvegen"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2025-36180",
        "datePublished": "2026-04-30T21:28:00.171Z",
        "dateReserved": "2025-04-15T21:16:23.419Z",
        "dateUpdated": "2026-05-01T16:37:49.064Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-36183 (GCVE-0-2025-36183)

    Vulnerability from nvd – Published: 2026-02-17 21:32 – Updated: 2026-02-18 20:36
    VLAI
    Title
    Privileged User File Upload Vulnerability Leading to Limited Server-Side Execution affects watsonx.data
    Summary
    IBM watsonx.data 2.2 through 2.2.1 IBM Lakehouse could allow a privileged user to upload malicious files that could be executed server to modify limited files or data.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    ibm
    References
    URL Tags
    https://www.ibm.com/support/pages/node/7260118 vendor-advisory, patch
    Impacted products
    Vendor Product Version
    IBM watsonx.data Affected: 2.2 , ≤ 2.2.1 (semver)
        cpe:2.3:a:ibm:watsonxdata:2.2:*:*:*:*:*:*:*
        cpe:2.3:a:ibm:watsonxdata:2.2.0:*:*:*:*:*:*:*
        cpe:2.3:a:ibm:watsonxdata:2.2.1:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-36183",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-18T20:36:43.372341Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-18T20:36:53.178Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:ibm:watsonxdata:2.2:*:*:*:*:*:*:*",
                "cpe:2.3:a:ibm:watsonxdata:2.2.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:ibm:watsonxdata:2.2.1:*:*:*:*:*:*:*"
              ],
              "product": "watsonx.data",
              "vendor": "IBM",
              "versions": [
                {
                  "lessThanOrEqual": "2.2.1",
                  "status": "affected",
                  "version": "2.2",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIBM watsonx.data 2.2 through 2.2.1 IBM Lakehouse could allow a privileged user to upload malicious files that could be executed server to modify limited files or data.\u003c/p\u003e"
                }
              ],
              "value": "IBM watsonx.data 2.2 through 2.2.1 IBM Lakehouse could allow a privileged user to upload malicious files that could be executed server to modify limited files or data."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 3.8,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-17T21:33:36.352Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://www.ibm.com/support/pages/node/7260118"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe product needs to be installed or upgraded to the latest available level watsonx.data 2.2.2 or watsonx.data on CPD 5.2.2. \u0026nbsp;Installation/upgrade instructions can be found here: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/docs/en/watsonx/watsonxdata/5.2.x?topic=deployment-installing\"\u003ehttps://www.ibm.com/docs/en/watsonx/watsonxdata/5.2.x?topic=deployment-installing\u003c/a\u003e .\u003c/p\u003e"
                }
              ],
              "value": "The product needs to be installed or upgraded to the latest available level watsonx.data 2.2.2 or watsonx.data on CPD 5.2.2. \u00a0Installation/upgrade instructions can be found here:  https://www.ibm.com/docs/en/watsonx/watsonxdata/5.2.x?topic=deployment-installing  ."
            }
          ],
          "title": "Privileged User File Upload Vulnerability Leading to Limited Server-Side Execution affects watsonx.data",
          "x_generator": {
            "engine": "ibm-cvegen"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2025-36183",
        "datePublished": "2026-02-17T21:32:26.015Z",
        "dateReserved": "2025-04-15T21:16:23.419Z",
        "dateUpdated": "2026-02-18T20:36:53.178Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-36140 (GCVE-0-2025-36140)

    Vulnerability from nvd – Published: 2025-12-08 22:11 – Updated: 2025-12-09 16:04
    VLAI
    Title
    IBM watsonx.data Denial of Service
    Summary
    IBM watsonx.data 2.2 through 2.2.1 could allow an authenticated user to cause a denial of service through ingestion pods due to improper allocation of resources without limits.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    ibm
    References
    URL Tags
    https://www.ibm.com/support/pages/node/7253932 vendor-advisory, patch
    Impacted products
    Vendor Product Version
    IBM watsonx.data Affected: 2.2 , ≤ 2.2.1 (semver)
        cpe:2.3:a:ibm:watsonx.data:2.2:*:*:*:*:*:*:*
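        cpe:2.3:a:ibm:watsonx.data:2.2.1:*:*:*:*:*:*:*
    Note: the CPE product field here is `watsonx.data`, while other records on this page for the same product use `watsonxdata`; CPE-based inventory matching should cover both spellings.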

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-36140",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-09T15:24:10.982827Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-09T16:04:58.245Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:ibm:watsonx.data:2.2:*:*:*:*:*:*:*",
                "cpe:2.3:a:ibm:watsonx.data:2.2.1:*:*:*:*:*:*:*"
              ],
              "product": "watsonx.data",
              "vendor": "IBM",
              "versions": [
                {
                  "lessThanOrEqual": "2.2.1",
                  "status": "affected",
                  "version": "2.2",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIBM watsonx.data 2.2 through 2.2.1 could allow an authenticated user to cause a denial of service through ingestion pods due to improper allocation of resources without limits.\u003c/p\u003e"
                }
              ],
              "value": "IBM watsonx.data 2.2 through 2.2.1 could allow an authenticated user to cause a denial of service through ingestion pods due to improper allocation of resources without limits."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-08T22:11:19.778Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://www.ibm.com/support/pages/node/7253932"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eRemediation/Fixes The product needs to be installed or upgraded to the latest available level watsonx.data 2.2.2 or watsonx.data on CPD 5.2.2 Installation/upgrade instructions can be found here https://www.ibm.com/docs/en/software-hub/5.2.x?topic=watsonxdata-installing.\u003c/p\u003e"
                }
              ],
              "value": "Remediation/Fixes The product needs to be installed or upgraded to the latest available level watsonx.data 2.2.2 or watsonx.data on CPD 5.2.2 Installation/upgrade instructions can be found here https://www.ibm.com/docs/en/software-hub/5.2.x?topic=watsonxdata-installing."
            }
          ],
          "title": "IBM watsonx.data Denial of Service",
          "x_generator": {
            "engine": "ibm-cvegen"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2025-36140",
        "datePublished": "2025-12-08T22:11:02.760Z",
        "dateReserved": "2025-04-15T21:16:19.940Z",
        "dateUpdated": "2025-12-09T16:04:58.245Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-36144 (GCVE-0-2025-36144)

    Vulnerability from nvd – Published: 2025-09-27 00:05 – Updated: 2025-09-29 14:04
    Title
    IBM watsonx.data information disclosure
    Summary
    IBM Lakehouse (watsonx.data 2.2) stores potentially sensitive information in log files that could be read by a local user.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-532 - Insertion of Sensitive Information into Log File
    Assigner
    ibm
    References
    URL Tags
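    https://www.ibm.com/support/pages/node/7246267 vendor-advisory, patch
    Note: the solution text in the record below names watsonx.data 2.1 / CPD 5.1 as the level to upgrade to, which is lower than the affected version 2.2; confirm the actual fixed level in the vendor advisory above before planning an upgrade.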
    Impacted products
    Vendor Product Version
    IBM watsonx.data Affected: 2.2
        cpe:2.3:a:ibm:watsonx.data:2.2:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-36144",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-29T14:04:19.766656Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-29T14:04:30.872Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:ibm:watsonx.data:2.2:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "product": "watsonx.data",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIBM Lakehouse (watsonx.data 2.2) stores potentially sensitive information in log files that could be read by a local user.\u003c/span\u003e"
                }
              ],
              "value": "IBM Lakehouse (watsonx.data 2.2) stores potentially sensitive information in log files that could be read by a local user."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532 Insertion of Sensitive Information into Log File",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-27T00:05:08.668Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://www.ibm.com/support/pages/node/7246267"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe product needs to be installed or upgraded to the latest available level watsonx.data 2.1 or watsonx.data on CPD 5.1. Installation/upgrade instructions can be found here \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/docs/en/software-hub/5.1.x?topic=watsonxdata-installing.\"\u003ehttps://www.ibm.com/docs/en/software-hub/5.1.x?topic=watsonxdata-installing.\u003c/a\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "The product needs to be installed or upgraded to the latest available level watsonx.data 2.1 or watsonx.data on CPD 5.1. Installation/upgrade instructions can be found here  https://www.ibm.com/docs/en/software-hub/5.1.x?topic=watsonxdata-installing."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IBM watsonx.data information disclosure",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2025-36144",
        "datePublished": "2025-09-27T00:05:08.668Z",
        "dateReserved": "2025-04-15T21:16:19.940Z",
        "dateUpdated": "2025-09-29T14:04:30.872Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-36146 (GCVE-0-2025-36146)

    Vulnerability from nvd – Published: 2025-09-18 15:15 – Updated: 2025-09-19 17:09
    Title
    IBM watsonx.data information disclosure
    Summary
    IBM Lakehouse (watsonx.data 2.2) could allow an authenticated user to obtain sensitive server component version information which could aid in further attacks against the system.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
    Assigner
    ibm
    References
    URL Tags
    https://www.ibm.com/support/pages/node/7245384 vendor-advisory, patch
    Impacted products
    Vendor Product Version
    IBM watsonx.data Affected: 2.2
        cpe:2.3:a:ibm:watsonx.data:2.2:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-36146",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-19T17:00:35.669474Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-19T17:09:17.223Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:ibm:watsonx.data:2.2:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "product": "watsonx.data",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "IBM Lakehouse (watsonx.data 2.2) could allow an authenticated user to obtain sensitive server component version information which could aid in further attacks against the system."
                }
              ],
              "value": "IBM Lakehouse (watsonx.data 2.2) could allow an authenticated user to obtain sensitive server component version information which could aid in further attacks against the system."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-497",
                  "description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-18T15:16:49.479Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://www.ibm.com/support/pages/node/7245384"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe product needs to be installed or upgraded to the latest available level watsonx.data 2.2.1 or watsonx.data on CPD 5.2.1  Installation/upgrade instructions can be found here: \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/docs/en/software-hub/5.2.x?topic=watsonxdata-installing\"\u003ehttps://www.ibm.com/docs/en/watsonx/watsonxdata/2.2.x?topic=deployment-installing\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "The product needs to be installed or upgraded to the latest available level watsonx.data 2.2.1 or watsonx.data on CPD 5.2.1  Installation/upgrade instructions can be found here:  https://www.ibm.com/docs/en/watsonx/watsonxdata/2.2.x?topic=deployment-installing https://www.ibm.com/docs/en/software-hub/5.2.x ."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IBM watsonx.data information disclosure",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2025-36146",
        "datePublished": "2025-09-18T15:15:58.809Z",
        "dateReserved": "2025-04-15T21:16:19.940Z",
        "dateUpdated": "2025-09-19T17:09:17.223Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-36143 (GCVE-0-2025-36143)

    Vulnerability from nvd – Published: 2025-09-18 15:14 – Updated: 2025-09-19 17:09
    Title
    IBM watsonx.data command execution
    Summary
    IBM Lakehouse (watsonx.data 2.2) could allow an authenticated privileged user to execute arbitrary commands on the system due to improper validation of user supplied input.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    ibm
    References
    URL Tags
    https://www.ibm.com/support/pages/node/7245379 vendor-advisory, patch
    Impacted products
    Vendor Product Version
    IBM watsonx.data Affected: 2.2
        cpe:2.3:a:ibm:watsonx.data:2.2:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-36143",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-19T17:00:44.873074Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-19T17:09:23.671Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:ibm:watsonx.data:2.2:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "product": "watsonx.data",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "IBM Lakehouse (watsonx.data 2.2) could allow an authenticated privileged user to execute arbitrary commands on the system due to improper validation of user supplied input."
                }
              ],
              "value": "IBM Lakehouse (watsonx.data 2.2) could allow an authenticated privileged user to execute arbitrary commands on the system due to improper validation of user supplied input."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-18T15:14:41.611Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://www.ibm.com/support/pages/node/7245379"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe product needs to be installed or upgraded to the latest available level watsonx.data 2.2.1 or watsonx.data on CPD 5.2.1  Installation/upgrade instructions can be found here: \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/docs/en/software-hub/5.2.x?topic=watsonxdata-installing\"\u003ehttps://www.ibm.com/docs/en/watsonx/watsonxdata/2.2.x?topic=deployment-installing\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "The product needs to be installed or upgraded to the latest available level watsonx.data 2.2.1 or watsonx.data on CPD 5.2.1  Installation/upgrade instructions can be found here:  https://www.ibm.com/docs/en/watsonx/watsonxdata/2.2.x?topic=deployment-installing https://www.ibm.com/docs/en/software-hub/5.2.x ."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IBM watsonx.data command execution",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2025-36143",
        "datePublished": "2025-09-18T15:14:41.611Z",
        "dateReserved": "2025-04-15T21:16:19.940Z",
        "dateUpdated": "2025-09-19T17:09:23.671Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-36139 (GCVE-0-2025-36139)

    Vulnerability from nvd – Published: 2025-09-18 15:13 – Updated: 2025-09-19 17:09
    Title
    IBM watsonx.data cross-site scripting
    Summary
    IBM Lakehouse (watsonx.data 2.2) is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    ibm
    References
    URL Tags
    https://www.ibm.com/support/pages/node/7245387 vendor-advisory, patch
    Impacted products
    Vendor Product Version
    IBM watsonx.data Affected: 2.2
        cpe:2.3:a:ibm:watsonx.data:2.2:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-36139",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-19T17:00:54.781517Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-19T17:09:30.745Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:ibm:watsonx.data:2.2:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "product": "watsonx.data",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "IBM Lakehouse (watsonx.data 2.2) is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."
                }
              ],
              "value": "IBM Lakehouse (watsonx.data 2.2) is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-18T15:13:10.913Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://www.ibm.com/support/pages/node/7245387"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe product needs to be installed or upgraded to the latest available level watsonx.data 2.2.1 or watsonx.data on CPD 5.2.1  Installation/upgrade instructions can be found here: \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/docs/en/software-hub/5.2.x?topic=watsonxdata-installing\"\u003ehttps://www.ibm.com/docs/en/watsonx/watsonxdata/2.2.x?topic=deployment-installing\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "The product needs to be installed or upgraded to the latest available level watsonx.data 2.2.1 or watsonx.data on CPD 5.2.1  Installation/upgrade instructions can be found here:  https://www.ibm.com/docs/en/watsonx/watsonxdata/2.2.x?topic=deployment-installing https://www.ibm.com/docs/en/software-hub/5.2.x ."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IBM watsonx.data cross-site scripting",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2025-36139",
        "datePublished": "2025-09-18T15:13:10.913Z",
        "dateReserved": "2025-04-15T21:16:19.008Z",
        "dateUpdated": "2025-09-19T17:09:30.745Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-36145 (GCVE-0-2025-36145)

    Vulnerability from cvelistv5 – Published: 2026-05-26 15:50 – Updated: 2026-05-26 17:42
    Title
    Multiple Vulnerabilities in watsonx.data
    Summary
    IBM Lakehouse (watsonx.data 2.2 through 2.3.1) does not properly restrict inbound and outbound connections, which could allow an attacker to transfer or modify files without restrictions.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-923 - Improper Restriction of Communication Channel to Intended Endpoints
    Assigner
    ibm
    References
    URL Tags
    https://www.ibm.com/support/pages/node/7272498 vendor-advisory, patch
    Impacted products
    Vendor Product Version
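    IBM watsonx.data Affected: 2.2.0 through 2.3.1 inclusive (semver). Note: the CPE entries for this record use the product name "watsonxdata", while the other watsonx.data records on this page use "watsonx.data"; CPE-based asset matching should cover both spellings.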
        cpe:2.3:a:ibm:watsonxdata:2.2:*:*:*:*:*:*:*
        cpe:2.3:a:ibm:watsonxdata:2.2.0:*:*:*:*:*:*:*
        cpe:2.3:a:ibm:watsonxdata:2.3.1:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-36145",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-26T17:41:52.481115Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-26T17:42:05.425Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:ibm:watsonxdata:2.2:*:*:*:*:*:*:*",
                "cpe:2.3:a:ibm:watsonxdata:2.2.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:ibm:watsonxdata:2.3.1:*:*:*:*:*:*:*"
              ],
              "product": "watsonx.data",
              "vendor": "IBM",
              "versions": [
                {
                  "lessThanOrEqual": "2.3.1",
                  "status": "affected",
                  "version": "2.2.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIBM watsonx.data 2.2 through 2.3.1 IBM Lakehouse does not properly restrict inbound and outbound connections which could allow an attacker to transfer or modify files without restrictions.\u003c/p\u003e"
                }
              ],
              "value": "IBM watsonx.data 2.2 through 2.3.1 IBM Lakehouse does not properly restrict inbound and outbound connections which could allow an attacker to transfer or modify files without restrictions."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-923",
                  "description": "CWE-923 Improper Restriction of Communication Channel to Intended Endpoints",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-26T15:50:54.945Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://www.ibm.com/support/pages/node/7272498"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe product needs to be installed or upgraded to the latest available level watsonx.data 2.3.x or watsonx.data on CPD 5.3.x. \u0026nbsp;Installation/upgrade instructions can be found here: \u003ca href=\"https://www.ibm.com/docs/en/software-hub/5.3.x?topic=watsonxdata-installing\" rel=\"nofollow\"\u003ehttps://www.ibm.com/docs/en/software-hub/5.3.x?topic=watsonxdata-installing\u003c/a\u003e\u003c/p\u003e"
                }
              ],
              "value": "The product needs to be installed or upgraded to the latest available level watsonx.data 2.3.x or watsonx.data on CPD 5.3.x. \u00a0Installation/upgrade instructions can be found here:  https://www.ibm.com/docs/en/software-hub/5.3.x?topic=watsonxdata-installing"
            }
          ],
          "title": "Multiple Vulnerabilities in watsonx.data",
          "x_generator": {
            "engine": "ibm-cvegen"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2025-36145",
        "datePublished": "2026-05-26T15:50:54.945Z",
        "dateReserved": "2025-04-15T21:16:19.940Z",
        "dateUpdated": "2026-05-26T17:42:05.425Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-36180 (GCVE-0-2025-36180)

    Vulnerability from cvelistv5 – Published: 2026-04-30 21:28 – Updated: 2026-05-01 16:37
    Title
    Inadequate Pod Communication Restrictions, affects watsonx.data
    Summary
    IBM watsonx.data 2.2 through 2.3 IBM Lakehouse does not properly restrict communication between pods which could allow an attacker to transfer data between pods without restrictions.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-923 - Improper Restriction of Communication Channel to Intended Endpoints
    Assigner
    ibm
    References
    URL Tags
    https://www.ibm.com/support/pages/node/7270593 vendor-advisory, patch
    Impacted products
    Vendor Product Version
    IBM watsonx.data Affected: 2.2.0 , ≤ 2.3.0 (semver)
        cpe:2.3:a:ibm:watsonxdata:2.2.0:*:*:*:*:*:*:*
        cpe:2.3:a:ibm:watsonxdata:2.3.0:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-36180",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-01T16:07:12.084281Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-01T16:37:49.064Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:ibm:watsonxdata:2.2.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:ibm:watsonxdata:2.3.0:*:*:*:*:*:*:*"
              ],
              "product": "watsonx.data",
              "vendor": "IBM",
              "versions": [
                {
                  "lessThanOrEqual": "2.3.0",
                  "status": "affected",
                  "version": "2.2.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIBM watsonx.data 2.2 through 2.3 IBM Lakehouse does not properly restrict communication between pods which could allow an attacker to transfer data between pods without restrictions.\u003c/p\u003e"
                }
              ],
              "value": "IBM watsonx.data 2.2 through 2.3 IBM Lakehouse does not properly restrict communication between pods which could allow an attacker to transfer data between pods without restrictions."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-923",
                  "description": "CWE-923 Improper Restriction of Communication Channel to Intended Endpoints",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-30T21:39:21.850Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://www.ibm.com/support/pages/node/7270593"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe product needs to be installed or upgraded to the latest available level watsonx.data 2.3.1 or watsonx.data on CPD 5.3.1. \u0026nbsp;Installation/upgrade instructions can be found here: \u003ca href=\"https://www.ibm.com/docs/en/software-hub/5.3.x?topic=watsonxdata-installing\" rel=\"nofollow\"\u003ehttps://www.ibm.com/docs/en/software-hub/5.3.x?topic=watsonxdata-installing\u003c/a\u003e\u003c/p\u003e"
                }
              ],
              "value": "The product needs to be installed or upgraded to the latest available level watsonx.data 2.3.1 or watsonx.data on CPD 5.3.1. \u00a0Installation/upgrade instructions can be found here:  https://www.ibm.com/docs/en/software-hub/5.3.x?topic=watsonxdata-installing"
            }
          ],
          "title": "Inadequate Pod Communication Restrictions, affects watsonx.data",
          "x_generator": {
            "engine": "ibm-cvegen"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2025-36180",
        "datePublished": "2026-04-30T21:28:00.171Z",
        "dateReserved": "2025-04-15T21:16:23.419Z",
        "dateUpdated": "2026-05-01T16:37:49.064Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-36335 (GCVE-0-2025-36335)

    Vulnerability from cvelistv5 – Published: 2026-04-30 21:12 – Updated: 2026-05-01 14:23
    Title
    Vulnerabilities found
    Summary
    IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.3.0, 5.3.1 stores user credentials in plain text which can be read by a local user.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-256 - Plaintext Storage of a Password
    Assigner
    ibm
    References
    URL Tags
    https://www.ibm.com/support/pages/node/7270923 vendor-advisory, patch
    Impacted products
    Vendor Product Version
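    IBM watsonx.data intelligence Affected: 5.2.0, 5.2.1, 5.3.0, 5.3.1 , ≤ 1.8.4 (semver) — note: as published, this range is not machine-matchable: the record's "version" field holds a comma-separated list, the upper bound 1.8.4 is lower than every listed version, and only the 5.2.0 CPE is present. For scoping, use the versions named in the Summary (5.2.0, 5.2.1, 5.3.0, 5.3.1) and the vendor advisory.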
        cpe:2.3:a:ibm:watsonxdata_intelligence:5.2.0:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-36335",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-01T14:23:02.854656Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-01T14:23:11.089Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:ibm:watsonxdata_intelligence:5.2.0:*:*:*:*:*:*:*"
              ],
              "product": "watsonx.data intelligence",
              "vendor": "IBM",
              "versions": [
                {
                  "lessThanOrEqual": "1.8.4",
                  "status": "affected",
                  "version": "5.2.0, 5.2.1, 5.3.0, 5.3.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIBM watsonx.data intelligence 5.2.0, 5.2.1, 5.3.0, 5.3.1 stores user credentials in plain text which can be read by a local user.\u003c/p\u003e"
                }
              ],
              "value": "IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.3.0, 5.3.1 stores user credentials in plain text which can be read by a local user."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 6.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-256",
                  "description": "CWE-256 Plaintext Storage of a Password",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-30T21:12:54.030Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://www.ibm.com/support/pages/node/7270923"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate version to 5.3.1-patch3\u003cbr\u003e\u003ca href=\"https://www.ibm.com/docs/en/software-hub/5.3.x?topic=overview-available-patches-software-hub-version-531\" rel=\"nofollow\"\u003ehttps://www.ibm.com/docs/en/software-hub/5.3.x?topic=overview-available-patches-software-hub-version-531\u003c/a\u003e\u003c/p\u003e"
                }
              ],
              "value": "Update version to 5.3.1-patch3\n https://www.ibm.com/docs/en/software-hub/5.3.x?topic=overview-available-patches-software-hub-version-531"
            }
          ],
          "title": "Vulnerabilities found",
          "x_generator": {
            "engine": "ibm-cvegen"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2025-36335",
        "datePublished": "2026-04-30T21:12:54.030Z",
        "dateReserved": "2025-04-15T21:16:52.391Z",
        "dateUpdated": "2026-05-01T14:23:11.089Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-36183 (GCVE-0-2025-36183)

    Vulnerability from cvelistv5 – Published: 2026-02-17 21:32 – Updated: 2026-02-18 20:36
    Title
    Privileged User File Upload Vulnerability Leading to Limited Server-Side Execution affects watsonx.data
    Summary
    IBM watsonx.data 2.2 through 2.2.1 IBM Lakehouse could allow a privileged user to upload malicious files that could be executed on the server to modify limited files or data.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    ibm
    References
    URL Tags
    https://www.ibm.com/support/pages/node/7260118 vendor-advisory, patch
    Impacted products
    Vendor Product Version
    IBM watsonx.data Affected: 2.2 , ≤ 2.2.1 (semver)
        cpe:2.3:a:ibm:watsonxdata:2.2:*:*:*:*:*:*:*
        cpe:2.3:a:ibm:watsonxdata:2.2.0:*:*:*:*:*:*:*
        cpe:2.3:a:ibm:watsonxdata:2.2.1:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-36183",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-18T20:36:43.372341Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-18T20:36:53.178Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:ibm:watsonxdata:2.2:*:*:*:*:*:*:*",
                "cpe:2.3:a:ibm:watsonxdata:2.2.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:ibm:watsonxdata:2.2.1:*:*:*:*:*:*:*"
              ],
              "product": "watsonx.data",
              "vendor": "IBM",
              "versions": [
                {
                  "lessThanOrEqual": "2.2.1",
                  "status": "affected",
                  "version": "2.2",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIBM watsonx.data 2.2 through 2.2.1 IBM Lakehouse could allow a privileged user to upload malicious files that could be executed server to modify limited files or data.\u003c/p\u003e"
                }
              ],
              "value": "IBM watsonx.data 2.2 through 2.2.1 IBM Lakehouse could allow a privileged user to upload malicious files that could be executed server to modify limited files or data."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 3.8,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-17T21:33:36.352Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://www.ibm.com/support/pages/node/7260118"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe product needs to be installed or upgraded to the latest available level watsonx.data 2.2.2 or watsonx.data on CPD 5.2.2. \u0026nbsp;Installation/upgrade instructions can be found here: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/docs/en/watsonx/watsonxdata/5.2.x?topic=deployment-installing\"\u003ehttps://www.ibm.com/docs/en/watsonx/watsonxdata/5.2.x?topic=deployment-installing\u003c/a\u003e .\u003c/p\u003e"
                }
              ],
              "value": "The product needs to be installed or upgraded to the latest available level watsonx.data 2.2.2 or watsonx.data on CPD 5.2.2. \u00a0Installation/upgrade instructions can be found here:  https://www.ibm.com/docs/en/watsonx/watsonxdata/5.2.x?topic=deployment-installing  ."
            }
          ],
          "title": "Privileged User File Upload Vulnerability Leading to Limited Server-Side Execution affects watsonx.data",
          "x_generator": {
            "engine": "ibm-cvegen"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2025-36183",
        "datePublished": "2026-02-17T21:32:26.015Z",
        "dateReserved": "2025-04-15T21:16:23.419Z",
        "dateUpdated": "2026-02-18T20:36:53.178Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-36140 (GCVE-0-2025-36140)

    Vulnerability from cvelistv5 – Published: 2025-12-08 22:11 – Updated: 2025-12-09 16:04
    Title
    IBM watsonx.data Denial of Service
    Summary
    IBM watsonx.data 2.2 through 2.2.1 could allow an authenticated user to cause a denial of service through ingestion pods due to improper allocation of resources without limits.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    ibm
    References
    URL Tags
    https://www.ibm.com/support/pages/node/7253932 vendor-advisory, patch
    Impacted products
    Vendor Product Version
    IBM watsonx.data Affected: 2.2 , ≤ 2.2.1 (semver)
        cpe:2.3:a:ibm:watsonx.data:2.2:*:*:*:*:*:*:*
        cpe:2.3:a:ibm:watsonx.data:2.2.1:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-36140",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-09T15:24:10.982827Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-09T16:04:58.245Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:ibm:watsonx.data:2.2:*:*:*:*:*:*:*",
                "cpe:2.3:a:ibm:watsonx.data:2.2.1:*:*:*:*:*:*:*"
              ],
              "product": "watsonx.data",
              "vendor": "IBM",
              "versions": [
                {
                  "lessThanOrEqual": "2.2.1",
                  "status": "affected",
                  "version": "2.2",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIBM watsonx.data 2.2 through 2.2.1 could allow an authenticated user to cause a denial of service through ingestion pods due to improper allocation of resources without limits.\u003c/p\u003e"
                }
              ],
              "value": "IBM watsonx.data 2.2 through 2.2.1 could allow an authenticated user to cause a denial of service through ingestion pods due to improper allocation of resources without limits."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-08T22:11:19.778Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://www.ibm.com/support/pages/node/7253932"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eRemediation/Fixes The product needs to be installed or upgraded to the latest available level watsonx.data 2.2.2 or watsonx.data on CPD 5.2.2 Installation/upgrade instructions can be found here https://www.ibm.com/docs/en/software-hub/5.2.x?topic=watsonxdata-installing.\u003c/p\u003e"
                }
              ],
              "value": "Remediation/Fixes The product needs to be installed or upgraded to the latest available level watsonx.data 2.2.2 or watsonx.data on CPD 5.2.2 Installation/upgrade instructions can be found here https://www.ibm.com/docs/en/software-hub/5.2.x?topic=watsonxdata-installing."
            }
          ],
          "title": "IBM watsonx.data Denial of Service",
          "x_generator": {
            "engine": "ibm-cvegen"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2025-36140",
        "datePublished": "2025-12-08T22:11:02.760Z",
        "dateReserved": "2025-04-15T21:16:19.940Z",
        "dateUpdated": "2025-12-09T16:04:58.245Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-36144 (GCVE-0-2025-36144)

    Vulnerability from cvelistv5 – Published: 2025-09-27 00:05 – Updated: 2025-09-29 14:04
    Title
    IBM watsonx.data information disclosure
    Summary
    IBM Lakehouse (watsonx.data 2.2) stores potentially sensitive information in log files that could be read by a local user.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-532 - Insertion of Sensitive Information into Log File
    Assigner
    ibm
    References
    URL Tags
    https://www.ibm.com/support/pages/node/7246267 vendor-advisory, patch
    Impacted products
    Vendor Product Version
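    IBM watsonx.data Affected: 2.2 — note: the record's solution text names watsonx.data 2.1 / CPD 5.1 as the level to upgrade to, which is lower than the affected version 2.2; confirm the fixed level against the vendor advisory before planning remediation.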
        cpe:2.3:a:ibm:watsonx.data:2.2:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-36144",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-29T14:04:19.766656Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-29T14:04:30.872Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:ibm:watsonx.data:2.2:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "product": "watsonx.data",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIBM Lakehouse (watsonx.data 2.2) stores potentially sensitive information in log files that could be read by a local user.\u003c/span\u003e"
                }
              ],
              "value": "IBM Lakehouse (watsonx.data 2.2) stores potentially sensitive information in log files that could be read by a local user."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532 Insertion of Sensitive Information into Log File",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-27T00:05:08.668Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://www.ibm.com/support/pages/node/7246267"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe product needs to be installed or upgraded to the latest available level watsonx.data 2.1 or watsonx.data on CPD 5.1. Installation/upgrade instructions can be found here \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/docs/en/software-hub/5.1.x?topic=watsonxdata-installing.\"\u003ehttps://www.ibm.com/docs/en/software-hub/5.1.x?topic=watsonxdata-installing.\u003c/a\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "The product needs to be installed or upgraded to the latest available level watsonx.data 2.1 or watsonx.data on CPD 5.1. Installation/upgrade instructions can be found here  https://www.ibm.com/docs/en/software-hub/5.1.x?topic=watsonxdata-installing."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IBM watsonx.data information disclosure",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2025-36144",
        "datePublished": "2025-09-27T00:05:08.668Z",
        "dateReserved": "2025-04-15T21:16:19.940Z",
        "dateUpdated": "2025-09-29T14:04:30.872Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-36146 (GCVE-0-2025-36146)

    Vulnerability from cvelistv5 – Published: 2025-09-18 15:15 – Updated: 2025-09-19 17:09
    Title
    IBM watsonx.data information disclosure
    Summary
    IBM Lakehouse (watsonx.data 2.2) could allow an authenticated user to obtain sensitive server component version information which could aid in further attacks against the system.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
    Assigner
    ibm
    References
    URL Tags
    https://www.ibm.com/support/pages/node/7245384 vendor-advisory, patch
    Impacted products
    Vendor Product Version
    IBM watsonx.data Affected: 2.2
        cpe:2.3:a:ibm:watsonx.data:2.2:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-36146",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-19T17:00:35.669474Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-19T17:09:17.223Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:ibm:watsonx.data:2.2:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "product": "watsonx.data",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "IBM Lakehouse (watsonx.data 2.2) could allow an authenticated user to obtain sensitive server component version information which could aid in further attacks against the system."
                }
              ],
              "value": "IBM Lakehouse (watsonx.data 2.2) could allow an authenticated user to obtain sensitive server component version information which could aid in further attacks against the system."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-497",
                  "description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-18T15:16:49.479Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://www.ibm.com/support/pages/node/7245384"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe product needs to be installed or upgraded to the latest available level watsonx.data 2.2.1 or watsonx.data on CPD 5.2.1  Installation/upgrade instructions can be found here: \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/docs/en/software-hub/5.2.x?topic=watsonxdata-installing\"\u003ehttps://www.ibm.com/docs/en/watsonx/watsonxdata/2.2.x?topic=deployment-installing\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "The product needs to be installed or upgraded to the latest available level watsonx.data 2.2.1 or watsonx.data on CPD 5.2.1  Installation/upgrade instructions can be found here:  https://www.ibm.com/docs/en/watsonx/watsonxdata/2.2.x?topic=deployment-installing https://www.ibm.com/docs/en/software-hub/5.2.x ."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IBM watsonx.data information disclosure",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2025-36146",
        "datePublished": "2025-09-18T15:15:58.809Z",
        "dateReserved": "2025-04-15T21:16:19.940Z",
        "dateUpdated": "2025-09-19T17:09:17.223Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-36143 (GCVE-0-2025-36143)

    Vulnerability from cvelistv5 – Published: 2025-09-18 15:14 – Updated: 2025-09-19 17:09
    Title
    IBM watsonx.data command execution
    Summary
    IBM Lakehouse (watsonx.data 2.2) could allow an authenticated privileged user to execute arbitrary commands on the system due to improper validation of user supplied input.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    ibm
    References
    URL Tags
    https://www.ibm.com/support/pages/node/7245379 vendor-advisory, patch
    Impacted products
    Vendor Product Version
    IBM watsonx.data Affected: 2.2
        cpe:2.3:a:ibm:watsonx.data:2.2:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-36143",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-19T17:00:44.873074Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-19T17:09:23.671Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:ibm:watsonx.data:2.2:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "product": "watsonx.data",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "IBM Lakehouse (watsonx.data 2.2) could allow an authenticated privileged user to execute arbitrary commands on the system due to improper validation of user supplied input."
                }
              ],
              "value": "IBM Lakehouse (watsonx.data 2.2) could allow an authenticated privileged user to execute arbitrary commands on the system due to improper validation of user supplied input."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-18T15:14:41.611Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://www.ibm.com/support/pages/node/7245379"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe product needs to be installed or upgraded to the latest available level watsonx.data 2.2.1 or watsonx.data on CPD 5.2.1  Installation/upgrade instructions can be found here: \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/docs/en/software-hub/5.2.x?topic=watsonxdata-installing\"\u003ehttps://www.ibm.com/docs/en/watsonx/watsonxdata/2.2.x?topic=deployment-installing\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "The product needs to be installed or upgraded to the latest available level watsonx.data 2.2.1 or watsonx.data on CPD 5.2.1  Installation/upgrade instructions can be found here:  https://www.ibm.com/docs/en/watsonx/watsonxdata/2.2.x?topic=deployment-installing https://www.ibm.com/docs/en/software-hub/5.2.x ."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IBM watsonx.data command execution",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2025-36143",
        "datePublished": "2025-09-18T15:14:41.611Z",
        "dateReserved": "2025-04-15T21:16:19.940Z",
        "dateUpdated": "2025-09-19T17:09:23.671Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-36139 (GCVE-0-2025-36139)

    Vulnerability from cvelistv5 – Published: 2025-09-18 15:13 – Updated: 2025-09-19 17:09
    Title
    IBM watsonx.data cross-site scripting
    Summary
    IBM Lakehouse (watsonx.data 2.2) is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    ibm
    References
    URL Tags
    https://www.ibm.com/support/pages/node/7245387 vendor-advisory, patch
    Impacted products
    Vendor Product Version
    IBM watsonx.data Affected: 2.2
        cpe:2.3:a:ibm:watsonx.data:2.2:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-36139",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-19T17:00:54.781517Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-19T17:09:30.745Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:ibm:watsonx.data:2.2:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "product": "watsonx.data",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "IBM Lakehouse (watsonx.data 2.2) is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."
                }
              ],
              "value": "IBM Lakehouse (watsonx.data 2.2) is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-18T15:13:10.913Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://www.ibm.com/support/pages/node/7245387"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe product needs to be installed or upgraded to the latest available level watsonx.data 2.2.1 or watsonx.data on CPD 5.2.1  Installation/upgrade instructions can be found here: \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/docs/en/software-hub/5.2.x?topic=watsonxdata-installing\"\u003ehttps://www.ibm.com/docs/en/watsonx/watsonxdata/2.2.x?topic=deployment-installing\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "The product needs to be installed or upgraded to the latest available level watsonx.data 2.2.1 or watsonx.data on CPD 5.2.1  Installation/upgrade instructions can be found here:  https://www.ibm.com/docs/en/watsonx/watsonxdata/2.2.x?topic=deployment-installing https://www.ibm.com/docs/en/software-hub/5.2.x ."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IBM watsonx.data cross-site scripting",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2025-36139",
        "datePublished": "2025-09-18T15:13:10.913Z",
        "dateReserved": "2025-04-15T21:16:19.008Z",
        "dateUpdated": "2025-09-19T17:09:30.745Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }