Tibco, the software vendor of JasperSoft, has advised that a vulnerability has been discovered in the JasperSoft Library (CWE-502/CVE-2026-6009) that could lead to Remote Code Execution (RCE).
This vulnerability allows an attacker to execute arbitrary code remotely on affected systems by supplying malicious data.
JasperSoft Server 9.x
JasperSoft Studio 9.0.3
All Supported Windows Operating Systems
Broadcom Engineering has completed an initial assessment of the vulnerability.
While the vulnerability is classified as critical, we have determined that Service Management's use of Tibco JasperSoft is not exploitable.
Therefore, we consider Service Management's use of JasperSoft 9.x to not be impacted.
We are currently working on certifying and publishing the latest hotfixes for JasperSoft 9.x and JasperSoft Studio 9.0.3 that have been provided by Tibco.
As of May 25th, 2026, the tentative plan is to complete the certification process and release the hotfixes in the first week of June 2026 (subject to change).