Reference material — not professional advice. Test in staging, back up first, verify against your specific version. Use your own judgment for your environment.
● Medium · CVSS 5.5

How to Fix CVE-2026-4918: Guardium Data Protection (Bundle Sibling)

By Sai Kiran Pandrala

Last verified: 2026-05-25

CVE-2026-4918 is a sibling vulnerability in the same vendor advisory as CVE-2026-4917. Applying the patched build named in the primary write-up closes this CVE as well.

⚡ At a glance
SeverityCVSS 5.5 - Medium
Actively exploited?Not currently in CISA KEV
AffectedSame as the bundle - see CVE-2026-4917
Fixed inSame patched build as CVE-2026-4917 (See vendor advisory)
Type (CWE)CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

What's different about CVE-2026-4918?

IBM Guardium Data Protection 12.1 is vulnerable to stored cross-site scripting. This vulnerability allows an administrative user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

The technical impact and remediation are identical to the primary CVE in the bundle. The same vendor patch closes both.

How to fix CVE-2026-4918

Apply the patched build per the primary write-up: How to Fix CVE-2026-4917.

The patch installation procedure, verification commands, and interim mitigations are documented there. Reusing one runbook keeps the rollout consistent across the bundle.

Frequently asked questions

Is CVE-2026-4918 fixed by the same patch as CVE-2026-4917?

Yes. CVE-2026-4918 ships in the same vendor advisory as CVE-2026-4917. Applying the patched build named in the primary write-up closes both.

What is the CVSS score for CVE-2026-4918?

The CVSS base score is 5.5 (Medium).

Is it being exploited?

It is not currently listed in CISA KEV.

References

*Part of the Guardium Data Protection bundle. Full procedure at CVE-2026-4917.*