IBM WebSphere Application Server Liberty is affected by a prototype pollution vulnerability due to immutable (CVE-2026-29063)

Authors: Created by IBM

There is a vulnerability in the immutable library which affects IBM WebSphere Application Server Liberty with the openapi-3.0, openapi-3.1, mpOpenAPI-1.0, mpOpenAPI-1.1, mpOpenAPI-2.0, mpOpenAPI-3.0 mpOpenAPI-3.1, mpOpenAPI-4.0 or mpOpenAPI-4.1 feature enabled. CVEID: CVE-2026-29063 ^[1]
DESCRIPTION: Immutable.js provides many Persistent Immutable data structures.Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs.This issue has been patched...

Just published by IBM: Read more