{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13096", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2025-11-12T21:55:13.229Z", "datePublished": "2026-02-02T20:56:48.318Z", "dateUpdated": "2026-02-02T20:56:48.318Z"}, "containers": {"cna": {"affected": [{"cpes": ["cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:containers:*:*:*", "cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if008:*:*:containers:*:*:*", "cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:containers:*:*:*", "cpe:2.3:a:ibm:business_automation_workflow:24.0.1:if006:*:*:containers:*:*:*", "cpe:2.3:a:ibm:business_automation_workflow:25.0.0:*:*:*:containers:*:*:*", "cpe:2.3:a:ibm:business_automation_workflow:25.0.0:if003:*:*:containers:*:*:*"], "product": "Business Automation Workflow containers", "vendor": "IBM", "versions": [{"lessThanOrEqual": "V25.0.0-IF002", "status": "affected", "version": "V25.0.0", "versionType": "semver"}, {"lessThanOrEqual": "V24.0.1-IF005", "status": "affected", "version": "V24.0.1", "versionType": "semver"}, {"lessThanOrEqual": "V24.0.0-IF007", "status": "affected", "version": "V24.0.0", "versionType": "semver"}]}, {"cpes": ["cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:traditional:*:*:*", "cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:traditional:*:*:*", "cpe:2.3:a:ibm:business_automation_workflow:25.0.0:*:*:*:traditional:*:*:*"], "product": "Business Automation Workflow traditional", "vendor": "IBM", "versions": [{"status": "affected", "version": "25.0.0"}, {"status": "affected", "version": "24.0.1"}, {"status": "affected", "version": "24.0.0"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>IBM Business Automation Workflow containers V25.0.0 through V25.0.0<span style=\"background-color: rgb(255, 255, 255);\">-IF007</span>, V24.0.1 - V24.0.1<span style=\"background-color: rgb(255, 255, 255);\">-IF007</span>, V24.0.0 - V24.0.0<span style=\"background-color: rgb(255, 255, 255);\">-IF007</span> and IBM Business Automation Workflow traditional V25.0.0, V24.0.1, V24.0.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A&nbsp;remote attacker could exploit this vulnerability to expose sensitive information or consume memory&nbsp;resources.</p>"}], "value": "IBM Business Automation Workflow containers V25.0.0 through V25.0.0-IF007, V24.0.1 - V24.0.1-IF007, V24.0.0 - V24.0.0-IF007 and IBM Business Automation Workflow traditional V25.0.0, V24.0.1, V24.0.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A\u00a0remote attacker could exploit this vulnerability to expose sensitive information or consume memory\u00a0resources."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-02-02T20:56:48.318Z"}, "references": [{"tags": ["vendor-advisory", "patch"], "url": "https://www.ibm.com/support/pages/node/7259321"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/mysupport/aCIgJ0000007aZpWAI\">DT456229</a>&nbsp;as soon as practical.</p><div><table><thead><tr><th>Affected Product(s)</th><th>Version(s)</th><th>Remediation / Fix</th></tr></thead><tbody><tr><td>IBM Business Automation Workflow containers</td><td>V25.0.0</td><td>Apply <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-25000-interim-fixes\">25.0.0-IF003</a></td></tr><tr><td>IBM Business Automation Workflow containers</td><td>V24.0.1</td><td>Apply <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7183042\">24.0.1-IF006</a></td></tr><tr><td>IBM Business Automation Workflow containers</td><td>V24.0.0</td><td>Apply <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7159792\">24.0.0-IF008</a></td></tr><tr><td>IBM Business Automation Workflow traditional</td><td>V25.0.0</td><td>Apply <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/mysupport/aCIgJ0000007aZpWAI\">DT456229</a>&nbsp;included in <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-25000-interim-fixes\">25.0.0-IF003</a></td></tr><tr><td>IBM Business Automation Workflow traditional </td><td>V24.0.1</td><td>Apply <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/mysupport/aCIgJ0000007aZpWAI\">DT456229</a>&nbsp;included in <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-24010-interim-fixes\">24.0.1-IF006</a></td></tr><tr><td>IBM Business Automation Workflow traditional &nbsp;</td><td>V24.0.0</td><td>Apply <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/mysupport/aCIgJ0000007aZpWAI\">DT456229</a>&nbsp;included in <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-24000-interim-fixes\">24.0.0-IF008</a></td></tr></tbody></table></div><p>&nbsp;</p><br>"}], "value": "The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing DT456229 https://www.ibm.com/mysupport/aCIgJ0000007aZpWAI \u00a0as soon as practical.\n\nAffected Product(s)Version(s)Remediation / FixIBM Business Automation Workflow containersV25.0.0Apply 25.0.0-IF003 https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-25000-interim-fixes IBM Business Automation Workflow containersV24.0.1Apply 24.0.1-IF006 https://www.ibm.com/support/pages/node/7183042 IBM Business Automation Workflow containersV24.0.0Apply 24.0.0-IF008 https://www.ibm.com/support/pages/node/7159792 IBM Business Automation Workflow traditionalV25.0.0Apply DT456229 https://www.ibm.com/mysupport/aCIgJ0000007aZpWAI \u00a0included in 25.0.0-IF003 https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-25000-interim-fixes IBM Business Automation Workflow traditional V24.0.1Apply DT456229 https://www.ibm.com/mysupport/aCIgJ0000007aZpWAI \u00a0included in 24.0.1-IF006 https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-24010-interim-fixes IBM Business Automation Workflow traditional \u00a0V24.0.0Apply DT456229 https://www.ibm.com/mysupport/aCIgJ0000007aZpWAI \u00a0included in 24.0.0-IF008 https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-24000-interim-fixes"}], "title": "XML eXternal Entity injection (XXE) vulnerability affect IBM Business Automation Workflow -", "x_generator": {"engine": "ibm-cvegen"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Business Automation Workflow containers V25.0.0 through V25.0.0-IF007, V24.0.1 - V24.0.1-IF007, V24.0.0 - V24.0.0-IF007 and IBM Business Automation Workflow traditional V25.0.0, V24.0.1, V24.0.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A\u00a0remote attacker could exploit this vulnerability to expose sensitive information or consume memory\u00a0resources."}], "id": "CVE-2025-13096", "lastModified": "2026-02-02T23:15:58.600", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "psirt@us.ibm.com", "type": "Primary"}]}, "published": "2026-02-02T23:15:58.600", "references": [{"source": "psirt@us.ibm.com", "url": "https://www.ibm.com/support/pages/node/7259321"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "psirt@us.ibm.com", "type": "Primary"}]}

{}

{}