CVE-2025-36247

CWE-611XML External Entity (XXE)4 documents4 sources
Severity
8.2HIGH
EPSS
0.2%
top 57.70%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
IBM DB2
Timeline
PublishedFeb 17

Description

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:LExploitability: 2.8 | Impact: 4.2

Affected Packages1 packages

NVDibm/db211.5.011.5.9+1

🔴Vulnerability Details

2
GHSA
GHSA-f8p4-3gj8-2gxj: IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 112026-02-17
CVEList
IBM Db2 XML External Entity Reference2026-02-17

🕵️Threat Intelligence

1
Wiz
CVE-2025-36247 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-36247 (HIGH CVSS 8.2) | IBM Db2 for Linux | cvebase.io