Cyber Resilience

CVE-2026-3603

Severity: High
Published: 26 May 2026
Modified: 02 June 2026
CVSS v3.1 score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)
EPSS score: 0.0035 (percentile 27.2)
Risk priority: 14 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-3603 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in IBM Engineering Lifecycle Management. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By EPSS exploit likelihood the CVE ranks at percentile 27.2, below the median, and it is not currently listed in the CISA KEV catalog.

Vulnerability details

IBM Engineering Lifecycle Management 7.0.3 Interim Fix 001 through Interim Fix 021, 7.1.0 Interim Fix 001 through Interim Fix 009, and 7.2.0 and 7.2.0 Interim Fix 001 are vulnerable to an XML external entity injection (XXE) attack when processing XML data. An authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

CWE(s)

CWE-611 Improper Restriction of XML External Entity Reference

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

An XXE vulnerability in a server application directly enables exploitation of a public-facing application for information disclosure.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3660 (same product: IBM Engineering Lifecycle Management)
CVE-2026-4051 (same product: IBM Engineering Lifecycle Management)
CVE-2024-49352 (same vendor: IBM)
CVE-2025-0162 (same vendor: IBM)
CVE-2026-1567 (same vendor: IBM)
CVE-2025-12531 (same vendor: IBM)
CVE-2026-8644 (same vendor: IBM)
CVE-2026-9319 (same vendor: IBM)
CVE-2026-3366 (same vendor: IBM)
CVE-2024-41787 (same vendor: IBM)

Affected Assets

Vendor: ibm
Product: engineering lifecycle management
Versions: 7.0.3, 7.1.0, 7.2.0

Mitigating Controls

Likely Mitigating Controls (AI-mapped)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-611: Penetration testing includes XML external entity payloads, detecting XXE vulnerabilities and enabling their mitigation.

Addresses CWE-611: Identifies XML external entity processing via monitoring of unusual file/network access or resource usage.
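The CWE-611 controls above are generic. As an added example of the corresponding parser-side mitigation (not IBM's code and not tied to how Engineering Lifecycle Management parses XML), this Python guard refuses DOCTYPE and ENTITY declarations and external entity fetches in untrusted XML, which covers both outcomes the advisory names: external entities behind information disclosure and nested internal entities behind memory consumption. Sample documents are constructed placeholders; `check_xml` returns a (accepted, detail) pair suitable for logging rejected input.

```python
# Added example (not IBM's code): a parse guard for untrusted XML that
# refuses DOCTYPE / ENTITY declarations and external entity fetches.
# Standard library only (xml.parsers.expat); DTD rejection also blocks
# entity-expansion ("billion laughs") memory exhaustion.
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when the input carries DTD or entity constructs."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    raise UnsafeXML(f"DOCTYPE '{name}' not allowed in untrusted XML")


def _reject_entity(name, is_param, value, base, sysid, pubid, notation):
    kind = "external" if sysid else "internal"
    raise UnsafeXML(f"{kind} entity '{name}' not allowed")


def _refuse_external_fetch(context, base, sysid, pubid):
    return 0  # returning false makes expat abort the parse with an error


def parse_untrusted_xml(data: bytes) -> list:
    """Parse XML under a no-DTD policy; return element names in document order."""
    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = _reject_doctype      # fires first, on <!DOCTYPE
    p.EntityDeclHandler = _reject_entity              # belt and braces
    p.ExternalEntityRefHandler = _refuse_external_fetch
    names = []
    p.StartElementHandler = lambda tag, attrs: names.append(tag)
    p.Parse(data, True)
    return names


def check_xml(data: bytes) -> tuple:
    """Return (accepted, detail); detail is a log-friendly reason on rejection."""
    try:
        return True, ",".join(parse_untrusted_xml(data))
    except UnsafeXML as exc:
        return False, f"rejected: {exc}"
    except xml.parsers.expat.ExpatError as exc:
        return False, f"malformed: {exc}"


# Constructed sample inputs (placeholder values, not payloads from the CVE).
SAFE_DOC = b"<report><item id='1'>ok</item></report>"
XXE_DOC = (b"<?xml version='1.0'?><!DOCTYPE d [<!ENTITY ext SYSTEM "
           b"'file:///placeholder/path'>]><report>&ext;</report>")
BLOWUP_DOC = (b"<!DOCTYPE d [<!ENTITY a 'aaaa'><!ENTITY b '&a;&a;&a;&a;'>]>"
              b"<report>&b;</report>")

if __name__ == "__main__":
    for doc in (SAFE_DOC, XXE_DOC, BLOWUP_DOC):
        print(check_xml(doc))
```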
