The Xerces library which has shipped with CMOD since version v8.5 has announced a vulnerability that could result in a denial of service, or remote code execution.
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0729
IBM Security Bulletin: https://www-01.ibm.com/support/docview.wss?uid=swg21985363
Fix Central links: CMOD v9.0.0.7 (http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%2BContent%2BManagement&product=ibm/Information+Management/Content+Manager+OnDemand+for+Multiplatforms&release=9.0.0.*&platform=All&function=all&source=fc) CMOD v9.5.0.6 (http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%2BContent%2BManagement&product=ibm/Information+Management/Content+Manager+OnDemand+for+Multiplatforms&release=9.5.0.6&platform=All&function=all&source=fc)