CVE-2026-3603— IBM Engineering Lifecycle Management - Jazz Foundation is vulnerable to XML external entity injection (XXE) attack
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 3
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| IBM | Engineering Lifecycle Management | 7.0.3 ( Interim Fix 001≤ ) Interim Fix 021 | affected |
7.1.0 ( Interim Fix 001≤ ) Interim Fix 009 | affected | ||
7.2.0 and 7.2.0 Interim Fix 001≤ Interim Fix 001 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-3603
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
IBM Engineering Lifecycle Management - Jazz Foundation is vulnerable to XML external entity injection (XXE) attack
Source: NVD (National Vulnerability Database)
Vulnerability Description
IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. An authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
XML外部实体引用的不恰当限制(XXE)
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| IBM | Engineering Lifecycle Management | 7.0.3 ( Interim Fix 001 ~ ) Interim Fix 021 | cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:interim_fix_001:*:*:*:*:*:* |
II. Public POCs for CVE-2026-3603
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-3603
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-3603 (1)
Same Patch Batch · IBM · 2026-05-26 · 20 CVEs total
| CVE-2026-3660 | 9.8 CRITICAL | IBM Engineering Lifecycle Management - Jazz Foundation is vulnerable to Authentication Byp |
| CVE-2026-8633 | 9.8 CRITICAL | IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by |
| CVE-2026-8855 | 8.1 HIGH | IBM HTTP Server is affected by multiple vulnerabilities |
| CVE-2026-8834 | 8.0 HIGH | IBM HTTP Server is affected by multiple vulnerabilities |
| CVE-2026-8856 | 7.7 HIGH | IBM HTTP Server is affected by multiple vulnerabilities |
| CVE-2026-9170 | 7.5 HIGH | IBM WebSphere Application Server and WebSphere Application Server Liberty are affected DOS |
| CVE-2026-8620 | 7.5 HIGH | IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by |
| CVE-2026-8854 | 7.5 HIGH | IBM HTTP Server is affected by multiple vulnerabilities |
| CVE-2026-8850 | 7.5 HIGH | IBM HTTP Server is affected by multiple vulnerabilities |
| CVE-2026-8835 | 7.3 HIGH | IBM HTTP Server is affected by multiple vulnerabilities |
| CVE-2026-4051 | 7.2 HIGH | IBM Engineering Lifecycle Management - Jazz Foundation is vulnerable to Server Post-Auth R |
| CVE-2025-36126 | 6.4 MEDIUM | IBM Cognos Analytics is affected by multiple security vulnerabilities |
| CVE-2026-8852 | 6.2 MEDIUM | IBM HTTP Server is affected by multiple vulnerabilities |
| CVE-2025-13755 | 5.5 MEDIUM | IBM® Db2® is vulnerable to credential exposure in db2diag when executing specific testcase |
| CVE-2025-36148 | 5.4 MEDIUM | IBM Financial Transaction Manager for SWIFT Services for Multiplatforms is vulnerable to c |
| CVE-2025-36145 | 5.4 MEDIUM | Multiple Vulnerabilities in watsonx.data |
| CVE-2025-14290 | 5.4 MEDIUM | IBM webMethods Integration Sever is vulnerable to server-side request forgery |
| CVE-2025-36221 | 5.3 MEDIUM | Vulnerabilities exists in IBM Cloud Pak for Data System (CPDS 1.0) - Cyclops. |
| CVE-2025-36220 | 4.3 MEDIUM | Vulnerabilities exists in IBM Cloud Pak for Data System (CPDS 1.0) - Cyclops. |
IV. Related Vulnerabilities
Same product: Engineering Lifecycle Management
Same vendor: IBM
- CVE-2026-3660
IBM Engineering Lifecycle Management - Jazz Foundation is vu - CVE-2026-4051
IBM Engineering Lifecycle Management - Jazz Foundation is vu - CVE-2026-9170
IBM WebSphere Application Server and WebSphere Application S - CVE-2026-8633
IBM WebSphere Application Server and WebSphere Application S - CVE-2026-8620
IBM WebSphere Application Server and WebSphere Application S
Same weakness: CWE-611
- CVE-2026-2253
Hitachi Vantara Pentaho Data Integration & Analytics - Impro - CVE-2026-44618
Apache CXF: XXE vulnerability in WS-Transfer functionality - CVE-2026-46722
XML External Entity Injection in extension "Faceted Search" - CVE-2026-44445
ERPNext: XML External Entity (XEE) Reference Vulnerability i - CVE-2026-41895
changedetection.io: XXE vulnerability in the changedetection
V. Comments for CVE-2026-3603
No comments yet