CVE Vulnerabilities

CVE-2026-13449

Improper Restriction of XML External Entity Reference

Published: Jun 30, 2026 | Modified: Jul 02, 2026
CVSS 3.x
9.1
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
root.io logo minimus.io logo echo.ai logo

IBM Business Automation Manager Open Editions 9.0.0 through 9.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

Weakness

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Affected Software

NameVendorStart VersionEnd Version
Business_automation_managerIbm9.0.0 (including)9.5.0 (excluding)

Potential Mitigations

References