What is CVE-2026-3603?

CVE-2026-3603 is a high-severity vulnerability in Ibm Engineering Lifecycle Management, classified under Improper Restriction of XML External Entity Reference (XXE). CVSS score: 7.1/10. Published 2026-05-26.

How severe is CVE-2026-3603?

High severity. CVSS v3 base score is 7.1 out of 10.

XXE in Ibm Engineering Lifecycle Management

CVE-2026-3603

IBM Engineering Lifecycle Management 7.0.3 Interim Fix 001 through Interim Fix 021, 7.1.0 Interim Fix 001 through Interim Fix 009, and 7.2.0 and 7.2.0 Interim Fix 001 is vulnerable to an XML external entity injection (XXE) attack when p…

Vulnerability class: XXE (XML External Entity)

EPSS: 0.000 (6.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.1 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L.

Affected products

Ibm Engineering Lifecycle Management — versions 7.0.3 Interim Fix 001, 7.1.0 Interim Fix 001, 7.2.0 and 7.2.0 Interim Fix 001
Ibm Engineering_lifecycle_management — versions 7.0.3, 7.1.0, 7.2.0

Weakness classification (CWE)

CWE-611 — Improper Restriction of XML External Entity Reference (XXE)

References

psirt@us.ibm.com (vendor-advisory, Patch, patch, Vendor Advisory)

Frequently asked questions

What is CVE-2026-3603?: CVE-2026-3603 is a high-severity vulnerability in Ibm Engineering Lifecycle Management, classified under Improper Restriction of XML External Entity Reference (XXE). CVSS score: 7.1/10. Published 2026-05-26.
How severe is CVE-2026-3603?: High severity. CVSS v3 base score is 7.1 out of 10.