CVE-2026-11906
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk34th percentile — higher than 34% of all known CVEs
Summary
IBM Db2 versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 for Linux, UNIX, and Windows (including Db2 Connect Server) contain a denial-of-service vulnerability. An authenticated user can exploit improper neutralization of special elements in the data query logic for XMLTable-derived columns, causing a denial of service.
Risk Assessment
The risk is that an authenticated user can disrupt database operations, potentially leading to unavailability of critical business applications relying on IBM Db2.
Recommendation
Immediately upgrade IBM Db2 to version 11.5.10 or later (for the 11.5 series) and 12.1.5 or later (for the 12.1 series). If an upgrade is not possible, restrict user permissions for executing XMLTable queries.
Original NVD description (English source)
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of XMLTable-derived columns.

