CVE-2026-3603

HIGH 7.1

Published 2026-05-26 · Last modified 2026-05-27

IBM Engineering Lifecycle Management 7.0.3 Interim Fix 001 through Interim Fix 021, 7.1.0 Interim Fix 001 through Interim Fix 009, and 7.2.0 and 7.2.0 Interim Fix 001 are vulnerable to an XML external entity injection (XXE) attack when processing XML data. An authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

ELEVATED IMPACT

Severe if exploited (CVSS 7.1), but no known exploitation and low modeled probability. Patch on a normal cadence.

Exploitation likelihood

0.4% chance of exploitation in 30 days · 27th percentile

○ In CISA KEV · ○ Public exploit / PoC

Impact if exploited

7.1 (CVSS 3.1) · HIGH

  • Confidentiality: High
  • Integrity: None
  • Availability: Low

What an attacker needs

  • Access: Reachable over the network — no local access needed
  • Privileges: Requires a low-privilege account
  • User interaction: No user interaction needed
  • Complexity: No special conditions — reliably repeatable

Affected

Vendor: IBM

Product: Engineering Lifecycle Management

Weakness (CWE)

  • CWE-611: XML external entity (XXE)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

References

Patches & mitigations

Sources: NVD · CVE.org · EPSS