8,265 CVEs

10 in CISA KEV

IBM Vulnerabilities

CVE security advisories and vulnerability history for IBM.

8,265

Total CVEs

Published

10

In CISA KEV

Exploited in the wild

309

Public exploits

With known exploit

5.8

Avg CVSS

1999–2026

Overview

IBM has 8,265 published CVE records since 1999, of which 10 are in CISA's Known Exploited Vulnerabilities catalog and 309 have a known public exploit. The average CVSS base score across scored CVEs is 5.8.

This page aggregates every publicly disclosed vulnerability (CVE) affecting IBM products, with severity breakdowns, the most-affected products, the most common weakness types, and the latest disclosures.

Severity and exploitation

How the CVSS severity of IBM's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical104

High722

Medium3,147

Low284

4,008 additional CVEs have no CVSS severity score.

In CISA’s Known Exploited Vulnerabilities catalog

10

10 of IBM's CVEs are confirmed exploited in the wild.

Public exploits

309

309 of IBM's CVEs have a known public exploit available.

Most affected products

The IBM products with the most published CVEs.

linux kernel937 CVEs
aix824 CVEs
windows718 CVEs
websphere application server454 CVEs
db2335 CVEs
Rational Quality Manager202 CVEs
solaris197 CVEs
Sterling B2B Integrator196 CVEs

Common weakness types

The CWE weakness categories most often found in IBM CVEs. Follow any weakness for its full explanation.

CNAs that assign these CVEs

The CVE Numbering Authorities that publish IBM CVE records.

Disclosure activity by year

How many IBM CVEs were published each year.

2019

478

2020

575

2021

608

2022

416

2023

416

2024

511

2025

606

2026

263

Latest IBM CVEs

The most recently disclosed vulnerabilities affecting IBM.

IBM WebSphere Application Server is affected by remote code execution
CWE-502
High · CVSS 8.5
EPSS 0.4%2026-06-01
IBM WebSphere Application Server is affected by a remote code execution vulnerability
CWE-502
Critical · CVSS 9.0
EPSS 0.2%2026-06-01
IBM WebSphere Application Server is affected by remote code execution
CWE-94
Critical · CVSS 9.0
EPSS 0.3%2026-06-01
IBM WebSphere Application Server is affected by an identity spoofing vulnerability
CWE-290
Critical · CVSS 9.1
EPSS 0.0%2026-06-01
IBM i Access Client Solutions (ACS) is vulnerable to remote code execution when configured to listen for requests from IBM i Navigator
CWE-74
High · CVSS 8.8
EPSS 0.2%2026-06-01
IBM Business Automation Workflow information leak
CWE-209
Medium · CVSS 4.3
EPSS 0.0%2026-05-27
Authentication bypass vulnerability found in Aspera High-Speed Transfer Server for Cloud Pak for Integration
CWE-287
Critical · CVSS 9.1
EPSS 0.0%2026-05-27
IBM Operations Analytics - Log Analysis is affected by Information disclosure due to default passwords not being forced to be changed on post-installation
CWE-1392
High · CVSS 8.4
EPSS 0.0%2026-05-27
IBM QRadar SIEM is vulnerable to using components with known vulnerabilities
CWE-530
High · CVSS 7.2
EPSS 0.1%2026-05-27
IBM Operations Analytics - Log Analysis is affected by Weak Password Policy and Inadequate Account Lockout Mechanism
CWE-521
Medium · CVSS 5.9
EPSS 0.0%2026-05-27
Security vulnerability was found in IBM Security Directory Integrator
CWE-209
Medium · CVSS 5.3
EPSS 0.0%2026-05-27
Multiple vulnerabilities in Aspera applications.
CWE-22
Medium · CVSS 6.5
EPSS 0.0%2026-05-27

Track new IBM CVEs as they are disclosed and get AI-written analysis and remediation guidance.

Monitor IBM CVEs

Other vendors

Browse vulnerabilities for other tracked vendors.

oracle10,440 CVEs debian10,201 CVEs Adobe7,222 CVEs cisco6,813 CVEs redhat5,883 CVEs Bitnami5,647 CVEs fedoraproject5,442 CVEs composer5,054 CVEs

Browse all vendors

Frequently asked questions

Common questions about IBM vulnerabilities.

How many CVEs does IBM have?

IBM has 8,265 published CVE records since 1999, including 869 in the last two years.

How many IBM CVEs are in CISA KEV?

Yes — 10 of IBM's CVEs are listed in CISA's Known Exploited Vulnerabilities catalog, confirmed exploited in the wild and carrying a CISA remediation deadline.

Which IBM products have the most CVEs?

The IBM products with the most published CVEs are linux kernel, aix, windows, websphere application server, db2.

What are the most common weakness types in IBM CVEs?

IBM's CVEs most often map to these CWE weakness types: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')), CWE-20 (Improper Input Validation), CWE-209 (Generation of Error Message Containing Sensitive Information), CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

Are there public exploits for IBM vulnerabilities?

Yes — 309 of IBM's CVEs have a known public exploit.

How many critical IBM vulnerabilities are there?

IBM has 104 critical and 722 high-severity CVEs.

What is the average severity of IBM CVEs?

The average CVSS base score across IBM's scored CVEs is 5.8.

References

Vulnerability data is sourced from the CVE Program; severity, KEV, and exploit signals are aggregated by RadicalNotion.AI.

Track IBM vulnerabilities

Monitor new IBM vulnerabilities as they are disclosed, with AI-written analysis and remediation guidance.

Start free See pricing