Description
Injection vulnerabilities due to validation/sanitisation of user-supplied input in ActiveMatrix BusinessWorks and Enterprise Administrator allow information disclosure, including exposure of accessible local files and host system details, and may allow manipulation of application behaviour.
Published: 2026-03-24
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure & Behavior Manipulation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability stems from insufficient validation and sanitisation of user‑supplied input in TIBCO ActiveMatrix BusinessWorks and the Enterprise Administrator component. This flaw allows attackers to inject arbitrary content that the system processes, leading to disclosure of sensitive local files and host system details, and may also permit manipulation of application behaviour.

Affected Systems

Vendors affected include TIBCO, specifically the ActiveMatrix BusinessWorks and Enterprise Administrator products. No specific version details are provided in the advisory, so the risk applies to any installations of these products that have not applied an available fix.

Risk and Exploitability

With a CVSS score of 8.7, the issue is rated High severity. The EPSS score indicates a low probability of exploitation (<1%), and the vulnerability is not listed in the CISA KEV catalogue. The likely attack vector, inferred from the description (injection leading to disclosure and manipulation), is unsanitised user input supplied through exposed interfaces.

Generated by OpenCVE AI on March 25, 2026 at 15:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch or upgrade to a fixed release supplied by TIBCO as detailed in their security advisory.
  • Disable or restrict any components or features that accept unsecured user input until a patch is applied.
  • Implement additional input validation or sanitisation within the application to thwart injection attempts.
  • Review system configuration to mitigate accidental exposure of local files and ensure access controls are properly enforced.



Advisories

No advisories yet.

History

Wed, 25 Mar 2026 14:15:00 +0000

Type        Values Removed    Values Added
Weaknesses                    CWE-20
Metrics                       ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 12:00:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Tibco; Tibco activematrix Businessworks; Tibco enterprise Administrator
Vendors & Products                     Tibco; Tibco activematrix Businessworks; Tibco enterprise Administrator

Tue, 24 Mar 2026 21:00:00 +0000

Type         Values Removed    Values Added
Description                    Injection vulnerabilities due to validation/sanitisation of user-supplied input in ActiveMatrix BusinessWorks and Enterprise Administrator allows information disclosure, including exposure of accessible local files and host system details, and may allow manipulation of application behaviour.
Title                          TIBCO ActiveMatrix BusinessWorks Injection Vulnerability
References
Metrics                        cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L'}


Subscriptions

Tibco Activematrix Businessworks Enterprise Administrator
MITRE

Status: PUBLISHED

Assigner: tibco

Published:

Updated: 2026-03-25T13:33:23.189Z

Reserved: 2026-03-11T04:50:22.400Z

Link: CVE-2026-3912

Vulnrichment

Updated: 2026-03-25T13:33:13.388Z

NVD

Status: Awaiting Analysis

Published: 2026-03-24T21:16:29.440

Modified: 2026-03-25T15:41:58.280

Link: CVE-2026-3912

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:57:15Z

Weaknesses