CVE-2026-9035— Multiple vulnerabilities in Aspera applications.
Possible ATT&CK Techniques 1AI
T1552.002 · Credentials in RegistryAffected Version Matrix 2
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| IBM | Aspera High-Speed Transfer Endpoint | 3.7.4≤ 4.4.7 Fix Pack 1 | affected |
| IBM | Aspera High-Speed Transfer Server | 3.7.4≤ 4.4.7 Fix Pack 1 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-9035
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Multiple vulnerabilities in Aspera applications.
Source: NVD (National Vulnerability Database)
Vulnerability Description
IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Server 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Endpoint are affected by a potential arbitrary file read in the asperahttpd component. An authenticated user may be able to take advantage of this vulnerability to access files in the server’s local storage that they should not have access to.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Vulnerability Title
IBM Aspera High-Speed Transfer Endpoint和IBM Aspera High-Speed Transfer Server 路径遍历漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
IBM Aspera High-Speed Transfer Endpoint和IBM Aspera High-Speed Transfer Server都是美国国际商业机器(IBM)公司的产品。IBM Aspera High-Speed Transfer Endpoint是一个高速文件传输与数据交换节点服务。IBM Aspera High-Speed Transfer Server是一个高速文件传输与数据交换服务器平台。 IBM Aspera High-Speed Transfer Endpoint 3
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| IBM | Aspera High-Speed Transfer Endpoint | 3.7.4 ~ 4.4.7 Fix Pack 1 | cpe:2.3:a:ibm:aspera_high_speed_transfer_endpoint:3.7.4:*:*:*:*:*:*:* | |
| IBM | Aspera High-Speed Transfer Server | 3.7.4 ~ 4.4.7 Fix Pack 1 | cpe:2.3:a:ibm:aspera_high_speed_transfer_server:3.7.4:*:*:*:*:*:*:* |
II. Public POCs for CVE-2026-9035
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-9035
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-9035 (1)
- 🔗 Security Bulletin: Multiple vulnerabilities in Aspera applications. Read full article vendor-advisorypatch
Same Patch Batch · IBM · 2026-05-27 · 29 CVEs total
| CVE-2026-8175 | 9.8 CRITICAL | Multiple vulnerabilities in Aspera applications. |
| CVE-2026-7524 | 9.8 CRITICAL | Path Traversal Vulnerability in File Processing Components Allows Unauthorized File System |
| CVE-2026-5065 | 8.8 HIGH | IBM Controller is affected by vulnerabilities |
| CVE-2026-8179 | 8.8 HIGH | Multiple vulnerabilities in Aspera applications. |
| CVE-2026-7365 | 8.4 HIGH | IBM Operations Analytics - Log Analysis is affected by Information disclosure due to defau |
| CVE-2026-3623 | 7.8 HIGH | Vulnerabilities exists in IBM Netezza Performance Server Replication Services |
| CVE-2026-3366 | 7.5 HIGH | InfoSphere Optim Test Data Fabrication is affected by Arbitrary File Read |
| CVE-2026-8180 | 7.5 HIGH | Multiple vulnerabilities in Aspera applications. |
| CVE-2024-56462 | 7.2 HIGH | IBM QRadar SIEM is vulnerable to using components with known vulnerabilities |
| CVE-2026-1718 | 7.1 HIGH | IBM® Db2® is vulnerable to a denial of service with a specially crafted query when running |
| CVE-2026-7528 | 7.1 HIGH | Unauthenticated File Upload Vulnerability Allows Disk Space Exhaustion and Path Disclosure |
| CVE-2026-6938 | 6.5 MEDIUM | IBM® Db2® is vulnerable to authorization bypass when uploading to a remote object storage |
| CVE-2026-8405 | 6.5 MEDIUM | IBM Guardium Data Protection is affected by Exposure of Sensitive Information vulnerabilit |
| CVE-2026-6936 | 6.5 MEDIUM | IBM i is Affected by a Denial of Service Vulnerability [] |
| CVE-2026-6052 | 6.5 MEDIUM | IBM® Db2® is vulnerable to running out of memory when executing certain queries with MDC t |
| CVE-2026-3676 | 6.5 MEDIUM | There are multiple vulnerabilities in IBM DB2 bundled with IBM Application Performance Man |
| CVE-2024-40684 | 5.9 MEDIUM | IBM Operations Analytics - Log Analysis is affected by Weak Password Policy and Inadequate |
| CVE-2026-6053 | 5.5 MEDIUM | IBM® Db2® is vulnerable to a denial of service when a specially crafted query is run with |
| CVE-2026-6051 | 5.5 MEDIUM | IBM® Db2® is vulnerable to a denial of service when executing a specially crafted query wi |
| CVE-2026-5515 | 5.5 MEDIUM | IBM App Connect Enterprise is vulnerable to a confidential disclosure |
Showing top 20 of 29 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same vendor: IBM
- CVE-2026-4870
Qiskit SDK is vulnerable to specific functions may recurse t - CVE-2024-45636
IBM Security QRadar EDR Software has a vulnerability where u - CVE-2026-3341
IBM Langflow Desktop 1.0.0 - 1.9.2 DNS Rebinding Bypasses SS - CVE-2026-4096
A vulnerability has been identified in IBM DevOps Plan that - CVE-2026-7787
Unauthenticated Session History Access via Public Flow Execu
Same weakness: CWE-22
- CVE-2026-11911
Simple File List <= 6.3.7 - Unauthenticated Arbitrary File D - CVE-2026-9843
Database for Contact Form 7, WPforms, Elementor forms <= 1.5 - CVE-2026-48129
Kestra task inputFiles accepts traversal filenames for worke - CVE-2026-49342
YARD static cache reads raw traversal paths before router sa - CVE-2026-49340
gonic has arbitrary file write in createPlaylist: any authen
V. Comments for CVE-2026-9035
No comments yet