{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3602", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2026-03-05T14:48:57.881Z", "datePublished": "2026-06-30T19:19:47.135Z", "dateUpdated": "2026-06-30T19:31:02.140Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-06-30T19:19:47.135Z"}, "title": "IBM App Connect Enterprise and IBM Integration Bus for z/OS toolkit is vulnerable to an sql injection", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-73", "description": "CWE-73 External Control of File Name or Path", "type": "CWE"}]}], "affected": [{"vendor": "IBM", "product": "App Connect Enterprise", "versions": [{"status": "affected", "version": "13.0.1.0", "lessThanOrEqual": "13.0.7.2", "versionType": "semver"}, {"status": "affected", "version": "12.0.1.0", "lessThanOrEqual": "12.0.12.26", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:app_connect_enterprise:13.0.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:app_connect_enterprise:13.0.7.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:app_connect_enterprise:12.0.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:app_connect_enterprise:12.0.12.26:*:*:*:*:*:*:*"]}, {"vendor": "IBM", "product": "Integration Bus for z/OS", "versions": [{"status": "affected", "version": "10.1.0.0", "lessThanOrEqual": "10.1.0.7", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:integration_bus_for_zos:10.1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:integration_bus_for_zos:10.1.0.7:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "IBM App Connect Enterprise 13.0.1.0 through 13.0.7.2, and 12.0.1.0 through 12.0.12.26 and IBM Integration Bus for z/OS 10.1.0.0 through 10.1.0.7 is vulnerable to SQL injection. A remote attacker could socially engineer a user into accidentally creating files they may not be aware of.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM App Connect Enterprise 13.0.1.0 through 13.0.7.2, and 12.0.1.0 through 12.0.12.26 and IBM Integration Bus for z/OS 10.1.0.0 through 10.1.0.7 is vulnerable to SQL injection. A remote attacker could socially engineer a user into accidentally creating files they may not be aware of.</p>"}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7278350", "tags": ["vendor-advisory", "patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 4.7, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"}}], "solutions": [{"lang": "en", "value": "IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise and IBM Integration Bus for z/OS Affected Product(s)Version(s)APARRemediation / FixesIBM App Connect Enterprise13.0.1.0 - 13.0.7.2PH71150The APAR (PH71150) is available fromIBM App Connect Enterprise v13- Fix Pack Release 13.0.8.0IBM App Connect Enterprise12.0.1.0 -\u00a012.0.12.26\u00a0PH71150The APAR (PH71150) is available fromIBM App Connect Enterprise v12- Fix Pack Release 12.0.12.27IBM Integration Bus for z/OS10.1.0.0 - 10.1.0.7PH71150Interim Fix for APAR (PH71150) is available to apply to 10.1.0.7 from\u00a0IBM Fix Central", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p><strong>IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise and IBM Integration Bus for z/OS </strong></p><div><table><colgroup><col/><col/><col/><col/></colgroup><tbody><tr><td>Affected Product(s)</td><td>Version(s)</td><td>APAR</td><td>Remediation / Fixes</td></tr><tr><td>IBM App Connect Enterprise</td><td>13.0.1.0 - 13.0.7.2</td><td>PH71150</td><td><p>The APAR (PH71150) is available from</p><p><a href=\"https://www.ibm.com/support/pages/download-ibm-app-connect-enterprise-13080\" rel=\"noopener noreferrer nofollow\">IBM App Connect Enterprise v13- Fix Pack Release 13.0.8.0</a></p></td></tr><tr><td>IBM App Connect Enterprise</td><td>12.0.1.0 -\u00a012.0.12.26\u00a0</td><td>PH71150</td><td><p>The APAR (PH71150) is available from</p><p><a href=\"https://www.ibm.com/support/pages/download-ibm-app-connect-enterprise-1201227-fix-pack\" rel=\"noopener noreferrer nofollow\">IBM App Connect Enterprise v12- Fix Pack Release 12.0.12.27</a></p></td></tr><tr><td>IBM Integration Bus for z/OS</td><td>10.1.0.0 - 10.1.0.7</td><td>PH71150</td><td><p>Interim Fix for APAR (PH71150) is available to apply to 10.1.0.7 from\u00a0</p><p><a href=\"https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&amp;product=ibm/WebSphere/Integration+Bus&amp;release=10.1.0.7&amp;platform=All&amp;function=aparId&amp;apars=PH71150\" rel=\"nofollow\">IBM Fix Central</a></p></td></tr></tbody></table></div>"}]}], "x_generator": {"engine": "ibm-cvegen"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-30T19:30:51.792018Z", "id": "CVE-2026-3602", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-30T19:31:02.140Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3602", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-30T19:30:51.792018Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-30T19:30:55.810Z"}}], "cna": {"title": "IBM App Connect Enterprise and IBM Integration Bus for z/OS toolkit is vulnerable to an sql injection", "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:ibm:app_connect_enterprise:13.0.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:app_connect_enterprise:13.0.7.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:app_connect_enterprise:12.0.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:app_connect_enterprise:12.0.12.26:*:*:*:*:*:*:*"], "vendor": "IBM", "product": "App Connect Enterprise", "versions": [{"status": "affected", "version": "13.0.1.0", "versionType": "semver", "lessThanOrEqual": "13.0.7.2"}, {"status": "affected", "version": "12.0.1.0", "versionType": "semver", "lessThanOrEqual": "12.0.12.26"}]}, {"cpes": ["cpe:2.3:a:ibm:integration_bus_for_zos:10.1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:integration_bus_for_zos:10.1.0.7:*:*:*:*:*:*:*"], "vendor": "IBM", "product": "Integration Bus for z/OS", "versions": [{"status": "affected", "version": "10.1.0.0", "versionType": "semver", "lessThanOrEqual": "10.1.0.7"}]}], "solutions": [{"lang": "en", "value": "IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise and IBM Integration Bus for z/OS Affected Product(s)Version(s)APARRemediation / FixesIBM App Connect Enterprise13.0.1.0 - 13.0.7.2PH71150The APAR (PH71150) is available fromIBM App Connect Enterprise v13- Fix Pack Release 13.0.8.0IBM App Connect Enterprise12.0.1.0 -\u00a012.0.12.26\u00a0PH71150The APAR (PH71150) is available fromIBM App Connect Enterprise v12- Fix Pack Release 12.0.12.27IBM Integration Bus for z/OS10.1.0.0 - 10.1.0.7PH71150Interim Fix for APAR (PH71150) is available to apply to 10.1.0.7 from\u00a0IBM Fix Central", "supportingMedia": [{"type": "text/html", "value": "<p><strong>IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise and IBM Integration Bus for z/OS </strong></p><div><table><colgroup><col/><col/><col/><col/></colgroup><tbody><tr><td>Affected Product(s)</td><td>Version(s)</td><td>APAR</td><td>Remediation / Fixes</td></tr><tr><td>IBM App Connect Enterprise</td><td>13.0.1.0 - 13.0.7.2</td><td>PH71150</td><td><p>The APAR (PH71150) is available from</p><p><a href=\"https://www.ibm.com/support/pages/download-ibm-app-connect-enterprise-13080\" rel=\"noopener noreferrer nofollow\">IBM App Connect Enterprise v13- Fix Pack Release 13.0.8.0</a></p></td></tr><tr><td>IBM App Connect Enterprise</td><td>12.0.1.0 -\u00a012.0.12.26\u00a0</td><td>PH71150</td><td><p>The APAR (PH71150) is available from</p><p><a href=\"https://www.ibm.com/support/pages/download-ibm-app-connect-enterprise-1201227-fix-pack\" rel=\"noopener noreferrer nofollow\">IBM App Connect Enterprise v12- Fix Pack Release 12.0.12.27</a></p></td></tr><tr><td>IBM Integration Bus for z/OS</td><td>10.1.0.0 - 10.1.0.7</td><td>PH71150</td><td><p>Interim Fix for APAR (PH71150) is available to apply to 10.1.0.7 from\u00a0</p><p><a href=\"https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&amp;product=ibm/WebSphere/Integration+Bus&amp;release=10.1.0.7&amp;platform=All&amp;function=aparId&amp;apars=PH71150\" rel=\"nofollow\">IBM Fix Central</a></p></td></tr></tbody></table></div>", "base64": false}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7278350", "tags": ["vendor-advisory", "patch"]}], "x_generator": {"engine": "ibm-cvegen"}, "descriptions": [{"lang": "en", "value": "IBM App Connect Enterprise 13.0.1.0 through 13.0.7.2, and 12.0.1.0 through 12.0.12.26 and IBM Integration Bus for z/OS 10.1.0.0 through 10.1.0.7 is vulnerable to SQL injection. A remote attacker could socially engineer a user into accidentally creating files they may not be aware of.", "supportingMedia": [{"type": "text/html", "value": "<p>IBM App Connect Enterprise 13.0.1.0 through 13.0.7.2, and 12.0.1.0 through 12.0.12.26 and IBM Integration Bus for z/OS 10.1.0.0 through 10.1.0.7 is vulnerable to SQL injection. A remote attacker could socially engineer a user into accidentally creating files they may not be aware of.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-73", "description": "CWE-73 External Control of File Name or Path"}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-06-30T19:19:47.135Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3602", "state": "PUBLISHED", "dateUpdated": "2026-06-30T19:31:02.140Z", "dateReserved": "2026-03-05T14:48:57.881Z", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "datePublished": "2026-06-30T19:19:47.135Z", "assignerShortName": "ibm"}, "dataVersion": "5.2"}

{}

{}

{"created": "2026-06-30T21:30:17.318736+00:00", "updated": "2026-06-30T21:30:17.318741+00:00", "vendors": []}