CVE-2026-13449 PUBLISHED

XXE attack in IBM Business Automation Manager Open Editions

Assigner: ibm
Reserved: 26.06.2026 Published: 30.06.2026 Updated: 01.07.2026

IBM Business Automation Manager Open Editions 9.0.0 through 9.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
CVSS Score: 7.6

Product Status

Vendor IBM
Product Business Automation Manager Open Editions
Versions
  • affected from 9.0.0 to 9.4.2 (incl.)

Solutions

Product(s): IBM Business Automation Manager Open Editions
Version(s) number and/or range: 9.0.0 - 9.4.2
Remediation/Fix/Instructions: Update to 9.5.0 using the following instructions: IBM Business Automation Manager Open Editions 9.5 Download Document, https://www.ibm.com/support/pages/node/7277082

Note: The reference link is not yet publicly available and will be provided once the GA (General Availability) release is announced.

Problem Types

  • CWE-611: Improper Restriction of XML External Entity Reference