CVE-2026-3660
published 2026-05-26
CVE-2026-3660: IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an unauthenticated remote attacker to update server property files that would allow…
Priority P266 · critical · 9.8 CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS 0.58% (43.3th percentile)
IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an unauthenticated remote attacker to update server property files that would allow them to gain unauthorized access to the application.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ibm | engineering_lifecycle_management | — | — |
| ibm | engineering_lifecycle_management | — | — |
| ibm | engineering_lifecycle_management | — | — |
| ibm | engineering_lifecycle_management | 7.0.3 – Interim Fix 021 | — |
| ibm | engineering_lifecycle_management | 7.1.0 – Interim Fix 009 | — |
| ibm | engineering_lifecycle_management | 7.2.0 – Interim Fix 001 | — |
VulDB
IBM Engineering Lifecycle Management authorization (EUVD-2026-31954)
vuldb·2026-05-26·CVSS 9.8
CVE-2026-3660 [CRITICAL] IBM Engineering Lifecycle Management authorization (EUVD-2026-31954)
A vulnerability classified as very critical was found in IBM Engineering Lifecycle Management. Affected by this vulnerability is an unknown functionality. Such manipulation leads to incorrect authorization.
This vulnerability is referenced as CVE-2026-3660. It is possible to launch the attack remotely. No exploit is available.
Upgrading the affected component is advised.
GHSA
GHSA-cxh9-m8x4-52q5: IBM Engineering Lifecycle Management 7
ghsa_unreviewed·2026-05-26
CVE-2026-3660 [CRITICAL] CWE-863 GHSA-cxh9-m8x4-52q5: IBM Engineering Lifecycle Management 7
IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an unauthenticated remote attacker to update server property files that would allow them to gain unauthorized access to the application.
GHSA
nimiq-consensus panics via RequestMacroChain micro-block locator
ghsa·2026-04-13
CVE-2026-34069 [MEDIUM] CWE-617 nimiq-consensus panics via RequestMacroChain micro-block locator
nimiq-consensus panics via RequestMacroChain micro-block locator
### Impact
An unauthenticated p2p peer can cause the `RequestMacroChain` message handler task to panic by sending a `RequestMacroChain` message where the first locator hash that is on the victim’s main chain is a micro block hash (not a macro block hash).
In `RequestMacroChain::handle`, the handler selects the locator based only on "is on main chain", then calls `get_macro_blocks()` and panics via `.unwrap()` when the selected hash is not a macro block (`BlockchainError::BlockIsNotMacro`).
### Patches
[The patch for this vulnerability](https://github.com/nimiq/core-rs-albatross/pull/3660) is formally released as part of [v1.3.0](https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0).
### Workarounds
No known worka
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-26
Published