Impact
IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain an XML external entity (XXE) injection flaw that allows an attacker to read data the server has access to. The flaw is a classic XXE vulnerability (CWE-611): when the XML parser resolves external entities declared in attacker-supplied input, it can expose confidential configuration files, credentials, or other sensitive data stored on the system. The vulnerability can be triggered by submitting maliciously crafted XML to any endpoint that parses XML input without proper validation.
Affected Systems
The affected product is IBM InfoSphere Information Server; versions 11.7.0.0 up to and including 11.7.1.6 are impacted. IBM provides remediation steps for all releases in this range, recommending an upgrade to 11.7.1.0, 11.7.1.5, or 11.7.1.6, or application of the general security patch available from IBM Fix Central.
Risk and Exploitability
The CVSS base score is 7.1 (high severity), while the EPSS score is very low (below 1%) but non-zero, indicating that exploitation is not yet widespread but is feasible. The vulnerability is not listed in the CISA KEV catalog. Exploitation consists of sending crafted XML documents to the InfoSphere server: no local privilege escalation is required, and an attacker with network access to the server, or a user able to submit XML data, can obtain confidential information. The risk is greatest for systems that process untrusted XML input and host sensitive data.
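The root-cause fix for this flaw class is an XML intake path that never lets a DTD or entity declaration reach the parser. The following is an added illustration written for this page, not IBM's code or the product's parser: a Python intake function that refuses every DOCTYPE, entity declaration and external entity reference before anything can be expanded, exercised with constructed sample documents. The request shape, the file path in the probe and the function names are assumptions.

```python
"""Hardened XML intake for an XML-accepting endpoint (added example).

Refuses every DTD construct before any entity can be expanded, which is the
root-cause fix for CWE-611. The request shape and samples below are constructed.
"""
import xml.parsers.expat as expat


class ForbiddenDTD(ValueError):
    """Raised when untrusted XML carries a DTD or entity construct."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse client-supplied XML with entity expansion made impossible.

    Returns a small summary (element names and text) so callers can see that
    benign documents still parse; raises ForbiddenDTD on any DTD usage.
    """
    parser = expat.ParserCreate()

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenDTD(f"DOCTYPE not allowed (root={name!r}, system id={sysid!r})")

    def forbid_entity_decl(*_args):
        raise ForbiddenDTD("entity declarations not allowed")

    def forbid_external_entity(context, base, sysid, pubid):
        # Defence in depth: unreachable once DOCTYPE is refused, but keeps the
        # parser safe if someone later relaxes the DOCTYPE check.
        raise ForbiddenDTD(f"external entity {sysid!r} refused")

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity_decl
    parser.ExternalEntityRefHandler = forbid_external_entity

    elements, text = [], []
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)  # raises ExpatError on malformed input
    return {"elements": elements, "text": "".join(text).strip()}


def is_rejected(data: bytes) -> bool:
    """True when the document is refused for DTD/entity use."""
    try:
        parse_untrusted_xml(data)
    except ForbiddenDTD:
        return True
    return False


# Constructed samples: a benign request, and the shape of an XXE probe that
# declares an entity pointing at a server-side file (placeholder path).
BENIGN = b"<request><job>load_customers</job></request>"
XXE_PROBE = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY f SYSTEM '
             b'"file:///placeholder/server-config.xml">]><request><job>&f;</job></request>')

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN))
    print("XXE probe rejected:", is_rejected(XXE_PROBE))
```

The same pattern applies to whichever parser a product uses: disable DOCTYPE and external entity resolution at the parser, rather than trying to filter payloads at the edge.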
OpenCVE Enrichment