wid-sec-w-2026-0574 · Published 2026-03-02 · View on BSI CERT-Bund ↗

IBM App Connect Enterprise: Multiple Vulnerabilities

CVSS 7.1 HIGH

Risk Summary

Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /\*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character, which triggers excessive backtracking and may lead to a denial-of-service condition. Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. The middleware does not respect standard cache control headers such as `Cache-Control: private` or `Cache-Control: no-store`, which may result in private or authenticated responses being cached and subsequently exposed to unauthorized users. Version 4.11.7 has a patch for the issue.

CVEs (7)

CVE-2025-13490 CVE-2026-2327 CVE-2026-24398 CVE-2026-24472 CVE-2026-24473 CVE-2026-24771 CVE-2026-25536

Affected Vendors

IBM

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more