This page lists publicly disclosed CVE vulnerabilities affecting ibm i (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-6936 | IBM i 7.6, 7.5, 7.4, and 7.3 s vulnerable to a denial-of-service attack due to uncontrolled recursion in the Integrated Language Environment (ILE) compiler. An authenticated attacker could exploit this vulnerability by compiling specially crafted source code containing a specific combination of statements. | [email protected] | 6.5 | 0.04% | 2026-05-27 | 2026-05-28 |
| CVE-2026-2311 | IBM i 7.6, 7.5, 7.4, 7.3, and 7.2 s vulnerable to privilege escalation caused by an invalid IBM i Web Administration GUI authorization check. A malicious actor could cause user-controlled code to run with administrator privilege. | [email protected] | 6.4 | 0.03% | 2026-04-30 | 2026-05-01 |
| CVE-2026-1376 | IBM i 7.6 could allow a remote attacker to cause a denial of service using failed authentication connections due to improper allocation of resources. | [email protected] | 7.5 | 0.07% | 2026-03-17 | 2026-03-19 |
| CVE-2025-36371 | IBM i 7.2, 7.3, 7.4, 7.5, and 7.6 are impacted by obtaining an information vulnerability in the database plan cache implementation. A user with access to the database plan cache could see information they do not have authority to view. | [email protected] | 6.5 | 0.03% | 2025-11-19 | 2025-11-24 |
| CVE-2025-36367 | IBM i 7.6, 7.5, 7.4, 7.3, and 7.2 is vulnerable to privilege escalation caused by an invalid IBM i SQL services authorization check. A malicious actor can use the elevated privileges of another user profile to gain root access to the host operating system. | [email protected] | 8.8 | 0.03% | 2025-11-01 | 2025-11-05 |
| CVE-2025-36119 | IBM i 7.3, 7.4, 7.5, and 7.6 is affected by an authenticated user obtaining elevated privileges with IBM Digital Certificate Manager for i (DCM) due to a web session hijacking vulnerability. An authenticated user without administrator privileges could exploit this vulnerability to perform actions in DCM as an administrator. | [email protected] | 7.1 | 0.08% | 2025-08-08 | 2025-08-15 |
| CVE-2025-33109 | IBM i 7.2, 7.3, 7.4, 7.5, and 7.6 is vulnerable to a privilege escalation caused by an invalid database authority check. A bad actor could execute a database procedure or function without having all required permissions, in addition to causing denial of service for some database actions. | [email protected] | 7.5 | 0.15% | 2025-07-24 | 2025-08-11 |
| CVE-2025-36004 | IBM i 7.2, 7.3, 7.4, and 7.5 could allow a user to gain elevated privileges due to an unqualified library call in IBM Facsimile Support for i. A malicious actor could cause user-controlled code to run with administrator privilege. | [email protected] | 8.8 | 0.24% | 2025-06-25 | 2025-07-03 |
| CVE-2025-33122 | IBM i 7.2, 7.3, 7.4, 7.5, and 7.6 could allow a user to gain elevated privileges due to an unqualified library call in IBM Advanced Job Scheduler for i. A malicious actor could cause user-controlled code to run with administrator privilege. | [email protected] | 7.5 | 0.18% | 2025-06-17 | 2025-07-03 |
| CVE-2025-33108 | IBM Backup, Recovery and Media Services for i 7.4 and 7.5 could allow a user with the capability to compile or restore a program to gain elevated privileges due to a library unqualified call made by a BRMS program. A malicious actor could cause user-controlled code to run with component access to the host operating system. | [email protected] | 8.5 | 0.18% | 2025-06-14 | 2025-08-20 |
| CVE-2025-33103 | IBM i 7.2, 7.3, 7.4, 7.5, and 7.6 product IBM TCP/IP Connectivity Utilities for i contains a privilege escalation vulnerability. A malicious actor with command line access to the host operating system can elevate privileges to gain root access to the host operating system. | [email protected] | 8.5 | 0.18% | 2025-05-17 | 2025-06-04 |
| CVE-2025-3218 | IBM i 7.2, 7.3, 7.4, 7.5, and 7.6 is vulnerable to authentication and authorization attacks due to incorrect validation processing in IBM i Netserver. A malicious actor could use the weaknesses, in conjunction with brute force authentication attacks or to bypass authority restrictions, to access the server. | [email protected] | 5.4 | 0.10% | 2025-05-07 | 2025-07-03 |
| CVE-2025-2950 | IBM i 7.3, 7.4, 7.5, and 7.5 is vulnerable to a host header injection attack caused by improper neutralization of HTTP header content by IBM Navigator for i. An authenticated user can manipulate the host header in HTTP requests to change domain/IP address which may lead to unexpected behavior. | [email protected] | 5.4 | 0.06% | 2025-04-18 | 2025-07-03 |
| CVE-2025-2947 | IBM i 7.6 contains a privilege escalation vulnerability due to incorrect profile swapping in an OS command. A malicious actor can use the command to elevate privileges to gain root access to the host operating system. | [email protected] | 7.2 | 0.17% | 2025-04-17 | 2025-07-17 |
| CVE-2024-55898 | IBM i 7.2, 7.3, 7.4, and 7.5 could allow a user with the capability to compile or restore a program to gain elevated privileges due to an unqualified library call. A malicious actor could cause user-controlled code to run with administrator privilege. | [email protected] | 8.5 | 0.07% | 2025-02-24 | 2025-07-03 |
| CVE-2024-52895 | IBM i 7.4 and 7.5 is vulnerable to a database access denial of service caused by a bypass of a database capabilities restriction check. A privileged bad actor can remove or otherwise impact database infrastructure files resulting in incorrect behavior of software products that rely upon the database. | [email protected] | 6.5 | 0.02% | 2025-02-14 | 2025-07-03 |
| CVE-2024-35122 | IBM i 7.2, 7.3, 7.4, and 7.5 is vulnerable to a file level local denial of service caused by an insufficient authority requirement. A local non-privileged user can configure a referential constraint with the privileges of a user socially engineered to access the target file. | [email protected] | 2.8 | 0.04% | 2025-01-24 | 2025-09-29 |
| CVE-2024-55896 | IBM PowerHA SystemMirror for i 7.4 and 7.5 contains improper restrictions when rendering content via iFrames. This vulnerability could allow an attacker to gain improper access and perform unauthorized actions on the system. | [email protected] | 5.4 | 0.09% | 2025-01-03 | 2025-08-19 |
| CVE-2024-51464 | IBM i 7.3, 7.4, and 7.5 is vulnerable to bypassing Navigator for i interface restrictions. By sending a specially crafted request, an authenticated attacker could exploit this vulnerability to remotely perform operations that the user is not allowed to perform when using Navigator for i. | [email protected] | 4.3 | 0.96% | 2024-12-21 | 2025-11-03 |
| CVE-2024-51463 | IBM i 7.3, 7.4, and 7.5 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. | [email protected] | 5.4 | 3.26% | 2024-12-21 | 2025-11-03 |