CVE-2026-3603 is an XML External Entity (XXE) injection vulnerability in IBM Engineering Lifecycle Management versions 7.0.3 Interim Fix 001 through Interim Fix 021, 7.1.0 Interim Fix 001 through Interim Fix 009, and 7.2.0 including Interim Fix 001. The vulnerability arises from improper restriction of XML external entity references during XML data processing. An attacker with authentication privileges could leverage this flaw to disclose sensitive information or consume system memory resources, potentially impacting confidentiality and availability. The CVSS 3.1 base score is 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L), reflecting network attack vector, low attack complexity, required privileges, no user interaction, unchanged scope, high confidentiality impact, no integrity impact, and low availability impact. No official fix or patch has been documented at this time.

Successful exploitation can lead to exposure of sensitive information and partial denial of service through memory resource consumption. The vulnerability requires the attacker to be authenticated, limiting the attack surface. The confidentiality impact is high, while integrity is unaffected and availability impact is low. No known active exploitation has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or remediation level is provided, users should monitor IBM's security advisories for updates. Until a patch is available, restrict access to the affected versions to trusted users only and consider additional XML input validation or filtering where feasible.