CVE-2026-3603
Analyzed Analyzed - Analysis Complete
XXE Vulnerability in IBM Engineering Lifecycle Management

Publication date: 2026-05-26

Last updated on: 2026-06-02

Assigner: IBM Corporation

Description
IBM Engineering Lifecycle Management 7.0.3 Interim Fix 001 through  Interim Fix 021, 7.1.0  Interim Fix 001 through  Interim Fix 009, and 7.2.0 and 7.2.0 Interim Fix 001 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. An authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-06-02
Generated
2026-06-16
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3603
EUVD
EUVD-2026-31952
Affected Vendors & Products
Showing 33 associated CPEs
Vendor Product Version / Range
ibm engineering_lifecycle_management 7.0.3
ibm engineering_lifecycle_management 7.1.0
ibm engineering_lifecycle_management 7.0.3
ibm engineering_lifecycle_management 7.0.3
ibm engineering_lifecycle_management 7.0.3
ibm engineering_lifecycle_management 7.0.3
ibm engineering_lifecycle_management 7.0.3
ibm engineering_lifecycle_management 7.0.3
ibm engineering_lifecycle_management 7.0.3
ibm engineering_lifecycle_management 7.0.3
ibm engineering_lifecycle_management 7.0.3
ibm engineering_lifecycle_management 7.0.3
ibm engineering_lifecycle_management 7.0.3
ibm engineering_lifecycle_management 7.0.3
ibm engineering_lifecycle_management 7.0.3
ibm engineering_lifecycle_management 7.0.3
ibm engineering_lifecycle_management 7.0.3
ibm engineering_lifecycle_management 7.0.3
ibm engineering_lifecycle_management 7.1.0
ibm engineering_lifecycle_management 7.1.0
ibm engineering_lifecycle_management 7.1.0
ibm engineering_lifecycle_management 7.1.0
ibm engineering_lifecycle_management 7.0.3
ibm engineering_lifecycle_management 7.0.3
ibm engineering_lifecycle_management 7.0.3
ibm engineering_lifecycle_management 7.0.3
ibm engineering_lifecycle_management 7.1.0
ibm engineering_lifecycle_management 7.1.0
ibm engineering_lifecycle_management 7.1.0
ibm engineering_lifecycle_management 7.1.0
ibm engineering_lifecycle_management 7.1.0
ibm engineering_lifecycle_management 7.2.0
ibm engineering_lifecycle_management 7.2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify how the XML external entity injection (XXE) vulnerability in IBM Engineering Lifecycle Management affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-3603 is an XML external entity injection (XXE) vulnerability in IBM Engineering Lifecycle Management - Jazz Foundation. It occurs when the software improperly processes XML data containing external entity references, allowing an authenticated attacker to exploit this flaw.

By exploiting this vulnerability, an attacker can expose sensitive information or consume memory resources on the affected system.

Impact Analysis

This vulnerability can impact you by allowing an authenticated attacker to access sensitive information that should be protected within the system.

Additionally, the attacker could consume memory resources, potentially leading to degraded system performance or denial of service conditions.

The vulnerability has a high severity score of 7.1, indicating significant risk if exploited.

Detection Guidance

IBM recommends evaluating the impact of this vulnerability in your environment using the provided CVSS references. However, no specific detection commands or methods are provided in the available information.

Mitigation Strategies

To mitigate this vulnerability, IBM recommends upgrading to the following specific Interim Fixes (iFixes): iFix022 for version 7.0.3, iFix010 for version 7.1.0, and iFix002 for version 7.2.0.

No workarounds or other mitigations are currently available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3603. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart