CVE-2025-12755

MEDIUM

IBM MQ Operator 3.2.0-3.8.1 - Log Injection

Title source: llm

Description

IBM MQ Operator (SC2 v3.2.0–3.8.1, LTS v2.0.0–2.0.29) and IBM‑supplied MQ Advanced container images (across affected SC2, CD, and LTS 9.3.x–9.4.x releases) contain a vulnerability where log messages are not properly neutralized before being written to log files. This flaw could allow an unauthorized user to inject malicious data into MQ log entries, potentially leading to misleading logs, log manipulation, or downstream log‑processing issues.

References (1)

[Various Sources] https://www.ibm.com/support/pages/node/7260087

Scores

CVSS v3 4.0

EPSS 0.0002

EPSS Percentile 4.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-117

Status published

Products (4)

IBM/MQ Operator CD: v3.3.0 - 3.8.1

IBM/MQ Operator LTS: v2.0.0 - 2.0.29

IBM/MQ Operator SC2: v3.2.0 - 3.2.21

IBM/supplied MQ Advanced container images SC2: 9.4.0.6 - r1, 9.4.0.6-r2, 9.4.0.7-r1, 9.4.0.10-r1, 9.4.0.10-r2, 9.4.0.11-r1, 9.4.0.11-r2, 9.4.0.11-r3, 9.4.0.1

Published Feb 17, 2026

Tracked Since Feb 18, 2026