Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-36436— Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for January 2026.

CVSS 6.4 · Medium EPSS 0.01% · P2
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-36436

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for January 2026.
Source: NVD (National Vulnerability Database)
Vulnerability Description
IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 007  is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
IBM Cloud Pak for Business Automation 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
IBM Cloud Pak for Business Automation是美国国际商业机器(IBM)公司的一组模块化的集成软件组件,专为任何混合云而构建,旨在实现工作自动化和加速业务增长。 IBM Cloud Pak for Business Automation 25.0.0至25.0.0 Interim Fix 002版本、24.0.1至24.0.1 Interim Fix 005版本和24.0.0至24.0.0 Interim Fix 007版本存在跨站脚本漏洞,该漏洞源于经过身份验证的用户可以在
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
IBMCloud Pak for Business Automation 25.0.0 ~ 25.0.0 Interim Fix 002 cpe:2.3:a:ibm:cloud_pak_for_business_automation:25.0.0:*:*:*:*:*:*:*

II. Public POCs for CVE-2025-36436

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2025-36436

登录查看更多情报信息。

Same Patch Batch · IBM · 2026-02-02 · 7 CVEs total

CVE-2025-149147.6 HIGHIBM WebSphere Application Server Liberty Path Traversal
CVE-2025-130967.1 HIGHXML eXternal Entity injection (XXE) vulnerability affect IBM Business Automation Workflow
CVE-2025-362386.0 MEDIUMPower System Exposure of Sensitive System Information
CVE-2025-362535.9 MEDIUMMultiple Vulnerabilities in IBM Concert Software.
CVE-2025-153954.3 MEDIUMIBM Jazz Foundation access control violation
CVE-2025-361942.8 LOWThis Power System update is being released to address

IV. Related Vulnerabilities

Same product: Cloud Pak for Business Automation
Same vendor: IBM
Same weakness: CWE-79

V. Comments for CVE-2025-36436

No comments yet

Leave a comment