Maximo Application Suite Security Bulletins-May 2026-2

By: Darlene Nerden on May 27th, 2026

Maximo Application Suite Security Bulletins-May 2026-2

IBM has released Maximo Application Suite Security Bulletins. The links to the bulletins are below. The bulletins contain information regarding when, where, and/or how to address the vulnerability.

Security bulletin: Security Bulletin: There is a vulnerability in marked-14.0.0.tgz used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-****-*****) –

https://www.ibm.com/support/pages/node/7271576?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: There is a vulnerability in jackson-core-2.15.1.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (WS-2026-0003) –

https://www.ibm.com/support/pages/node/7271569?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: There is a vulnerability in lodash-4.17.23.tgz used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2026-2950) –

https://www.ibm.com/support/pages/node/7271578?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Edge Data Collector uses immutable-4.3.7.tgz which is vulnerable to CVE-2026-29063 –

https://www.ibm.com/support/pages/node/7271600?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Edge Data Collector uses lodash-4.17.21.tgz, lodash-es-4.17.21.tgz which is vulnerable to CVE-2026-2950, CVE-2026-4800 –

https://www.ibm.com/support/pages/node/7271580?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Edge Data Collector uses picomatch-2.3.1.tgz which is vulnerable to CVE-2026-33671, CVE-2026-33672 –

https://www.ibm.com/support/pages/node/7271603?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Edge Data Collector uses PyJWT-2.10.1-py3-none-any.whl, pyjwt-2.11.0-py3-none-any.whl which is vulnerable to CVE-2026-32597 –

https://www.ibm.com/support/pages/node/7271601?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Edge Data Collector uses pyasn1-0.6.2-py3-none-any.whl which is vulnerable to CVE-2026-30922 –

https://www.ibm.com/support/pages/node/7271602?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: Location Service for ESRI Component uses cryptography-46.0.6, pyasn1-0.6.2, requests-2.32.5 and cryptography-46.0.5 library which were vulnerable to multiple CVEs –

https://www.ibm.com/support/pages/node/7271702?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: There is a vulnerability in prismjs-1.23.0.tgz used by IBM Maximo Manage application in IBM Maximo Application Suite ( CVE-2021-32723) –

https://www.ibm.com/support/pages/node/7271709?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: There is a vulnerability in requests-2.32.5-py3-none-any.whl used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2026-25645) –

https://www.ibm.com/support/pages/node/7271712?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses minimatch-10.1.2.tgz which is vulnerable to CVE-2026-26996 –

https://www.ibm.com/support/pages/node/7271718?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses ajv-6.12.6.tgz which is vulnerable to CVE-2025-69873 –

https://www.ibm.com/support/pages/node/7271717?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses filelock which is vulnerable to CVE-2026-22701 –

https://www.ibm.com/support/pages/node/7271721?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses lodash-4.17.23.tgz which is vulnerable to CVE-2026-2950, CVE-2026-4800 –

https://www.ibm.com/support/pages/node/7271716?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses filelock which is vulnerable to CVE-2026-22701 –

https://www.ibm.com/support/pages/node/7271723?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses Werkzeug which is vulnerable to CVE-2026-27199 –

https://www.ibm.com/support/pages/node/7271720?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses cryptography-46.0.3-cp311-abi3-manylinux_2_34_x86_64.whl which is vulnerable to CVE-2026-26007 –

https://www.ibm.com/support/pages/node/7271719?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Maximo Application Suite uses fast-xml-parser-4.5.3.tgz which is vulnerable to CVE-2026-25128, CVE-2026-25896 and CVE-2026-26278 –

https://www.ibm.com/support/pages/node/7271730?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses diff-8.0.2.tgz which is vulnerable to CVE-2026-24001 –

https://www.ibm.com/support/pages/node/7271734?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses black-26.1.0 which is vulnerable to CVE-2026-31900 –

https://www.ibm.com/support/pages/node/7271738?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses Lodash which is vulnerable to CVE-2025-13465 –

https://www.ibm.com/support/pages/node/7271740?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses tar-7.5.7.tgz which is vulnerable to CVE-2026-26960 –

https://www.ibm.com/support/pages/node/7271732?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses axios-1.13.5.tgz which is vulnerable to CVE-2025-62718 and CVE-2026-40175 –

https://www.ibm.com/support/pages/node/7271733?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses golang.org/x/image-v0.18.0 which is vulnerable to CVE-2026-33809 –

https://www.ibm.com/support/pages/node/7271736?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses tar-7.5.2.tgz which is vulnerable to CVE-2026-24842 –

https://www.ibm.com/support/pages/node/7271742?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses axios-1.12.1.tgz which is vulnerable to CVE-2026-25639 –

https://www.ibm.com/support/pages/node/7271731?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses logback-core-1.5.21.jar which is vulnerable to CVE-2026-1225 –

https://www.ibm.com/support/pages/node/7271735?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses xmldom which is vulnerable to CVE-2026-34601 –

https://www.ibm.com/support/pages/node/7271737?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses pyasn1 which is vulnerable to CVE-2026-30922 –

https://www.ibm.com/support/pages/node/7271739?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses google.golang.org/protobuf-v1.30.0, google.golang.org/protobuf-v1.31.0 which is vulnerable to CVE-2024-24786 –

https://www.ibm.com/support/pages/node/7271746?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Maximo Application Suite uses Websphere Liberty v.25.0.0.12 which is vulnerable to CVE-2024-29371, CVE-2025-12635 and CVE-2025-14914 –

https://www.ibm.com/support/pages/node/7271747?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses tar-7.5.9.tgz which is vulnerable to CVE-2026-31802 –

https://www.ibm.com/support/pages/node/7271752?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses flask-3.1.2-py3-none-any.whl which is vulnerable to CVE-2026-27205 –

https://www.ibm.com/support/pages/node/7271753?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses github.com/jackc/pgproto3/v2-v2.3.3 which is vulnerable to CVE-2026-4427

https://www.ibm.com/support/pages/node/7271756?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses node-forge-1.3.2.tgz, node-forge-1.3.3.tgz which is vulnerable to CVE-2026-33891, CVE-2026-33894, CVE-2026-33895, CVE-2026-33896 –

https://www.ibm.com/support/pages/node/7271755?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses tar-7.5.7.tgz, tar-7.5.9.tgz which is vulnerable to CVE-2026-29786 –

https://www.ibm.com/support/pages/node/7271758?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses filippo.io/edwards25519 which is vulnerable to CVE-2026-26958 –

https://www.ibm.com/support/pages/node/7271760?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses minimatch-10.1.2.tgz, minimatch-10.2.2.tgz which is vulnerable to CVE-2026-27903, CVE-2026-27904 –

https://www.ibm.com/support/pages/node/7271759?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses dompurify-3.2.4.tgz, dompurify-3.2.6.tgz which is vulnerable to CVE-2025-15599, CVE-2026-0540 –

https://www.ibm.com/support/pages/node/7271757?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses jjwt-impl-0.11.5.jar which is vulnerable to CVE-2024-31033 –

https://www.ibm.com/support/pages/node/7271761?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Edge Data Collector uses axios-1.13.6.tgz which is vulnerable to CVE-2026-40175 –

https://www.ibm.com/support/pages/node/7271875?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Edge Data Collector uses axios-1.13.6.tgz which is vulnerable to CVE-2025-62718 –

https://www.ibm.com/support/pages/node/7271876?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Maximo Scheduler Optimizer uses cryptography-46.0.5-cp311-abi3-manylinux_2_34_x86_64.wh which is vulnerable to CVE-2026-34073 –

https://www.ibm.com/support/pages/node/7272292?myns=swgother&mynp=OCSSJ5IPE&mync=E&cm_sp=swgother-_-OCSSJ5IPE-_-E

Security bulletin: Security Bulletin: IBM Maximo Scheduler Optimizer uses minimatch-3.1.2.tgz which is vulnerable to CVE-2026-26996 –

https://www.ibm.com/support/pages/node/7272302?myns=swgother&mynp=OCSSJ5IPE&mync=E&cm_sp=swgother-_-OCSSJ5IPE-_-E

Security bulletin: Security Bulletin: IBM Maximo Scheduler Optimizer uses minimatch-3.1.2.tgz which is vulnerable to CVE-2026-26996, CVE-2026-27903, CVE-2026-27904 –

https://www.ibm.com/support/pages/node/7272301?myns=swgother&mynp=OCSSJ5IPE&mync=E&cm_sp=swgother-_-OCSSJ5IPE-_-E

Security bulletin: Security Bulletin: IBM Maximo Application Suite - IoT Component uses multiple third party dependencies which is vulnerable to multiple CVEs –

https://www.ibm.com/support/pages/node/7272303?myns=swgother&mynp=OCSSRHPA&mync=E&cm_sp=swgother-_-OCSSRHPA-_-E

Security bulletin: Security Bulletin: IBM Maximo Scheduler Optimizer uses flask-3.1.2-py3-none-any.whl which is vulnerable to CVE-2026-27205 –

https://www.ibm.com/support/pages/node/7272304?myns=swgother&mynp=OCSSJ5IPE&mync=E&cm_sp=swgother-_-OCSSJ5IPE-_-E

Security bulletin: Security Bulletin: IBM Maximo Scheduler Optimizer uses werkzeug-3.1.5-py3-none-any.whl which is vulnerable to CVE-2026-27199 –

https://www.ibm.com/support/pages/node/7272307?myns=swgother&mynp=OCSSJ5IPE&mync=E&cm_sp=swgother-_-OCSSJ5IPE-_-E

Security bulletin: Security Bulletin: IBM Maximo Scheduler Optimizer uses brace-expansion-1.1.11.tgz which is vulnerable to CVE-2026-33750 –

https://www.ibm.com/support/pages/node/7272309?myns=swgother&mynp=OCSSJ5IPE&mync=E&cm_sp=swgother-_-OCSSJ5IPE-_-E

Security bulletin: Security Bulletin: IBM Maximo Scheduler Optimizer uses requests-2.32.5-py3-none-any.whl which is vulnerable to CVE-2026-25645 –

https://www.ibm.com/support/pages/node/7272308?myns=swgother&mynp=OCSSJ5IPE&mync=E&cm_sp=swgother-_-OCSSJ5IPE-_-E

Security bulletin: Security Bulletin: IBM Maximo Scheduler Optimizer uses cryptography-46.0.5-cp311-abi3-manylinux_2_34_x86_64.whl which is vulnerable to CVE-2026-34073 –

https://www.ibm.com/support/pages/node/7272310?myns=swgother&mynp=OCSSJ5IPE&mync=E&cm_sp=swgother-_-OCSSJ5IPE-_-E

Security bulletin: Security Bulletin: IBM Maximo Scheduler Optimizer uses lodash-4.17.23.tgz which is vulnerable to CVE-2026-2950, CVE-2026-4800 –

https://www.ibm.com/support/pages/node/7272311?myns=swgother&mynp=OCSSJ5IPE&mync=E&cm_sp=swgother-_-OCSSJ5IPE-_-E

Security bulletin: Security Bulletin: IBM Maximo Scheduler Optimizer uses axios-1.13.5.tgz which is vulnerable to CVE-2026-40175 –

https://www.ibm.com/support/pages/node/7274001?myns=swgother&mynp=OCSSJ5IPE&mync=E&cm_sp=swgother-_-OCSSJ5IPE-_-E

Still have questions or need help. Please reach out to us here.

About Darlene Nerden

Darlene Nerden is a Maximo Operations and Support Engineer. She has worked with Maximo for over 30 years primarily on the infrastructure and systems side including installs, upgrades, performance tuning, etc. She has worked on a number of teams in the product lifecycle including QA, support, services, operations, etc. Darlene has been a key part of successful implementations and upgrades. She has also been an integral part in end-user acceptance of Maximo with key performance tuning and maintenance strategizes.

Industries

Helpful Links

Industries

Helpful Links

Maximo Application Suite Security Bulletins-May 2026-2

About Darlene Nerden