IBM Db2
cpe:2.3:a:ibm:db2:*:*:*:*:*:*:*, +4 more
- >= 11.5.0, <= 11.5.9
- >= 12.1.0, <= 12.1.3
An XML external entity injection (XXE) vulnerability has been identified in IBM Db2 for Linux, UNIX, and Windows, including Db2 Connect Server, versions 11.5.0 prior to 11.5.9 and 12.1.0 prior to 12.1.3. The flaw is triggered when the product processes XML data, and it could allow a remote attacker to read sensitive information or exhaust memory resources.
Successful exploitation could therefore expose sensitive information or consume excessive memory, resulting in a denial-of-service condition.
Users can download special builds containing the interim fix for this vulnerability from Fix Central. These builds are available for Db2 versions 11.5.9, 12.1.2, and 12.1.3. Instructions for downloading these special builds are available on the IBM Support website.