CVE

CVE-2026-2472

Google Cloud Vertex AI SDK affected by Stored Cross-Site Scripting (XSS)

CVE

CVE-2026-2472

Google Cloud Vertex AI SDK affected by Stored Cross-Site Scripting (XSS)

Stored Cross-Site Scripting (XSS) in the genai/evals_visualization component of Google Cloud Vertex AI SDK (google-cloud-aiplatform) versions from 1.98.0 up to (but not including) 1.131.0 allows an unauthenticated remote attacker to execute arbitrary JavaScript in a victim's Jupyter or Colab environment via injecting script escape sequences into model evaluation results or dataset JSON data.

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

8.6

4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber

Related Resources

No items found.

References

https://nvd.nist.gov/vuln/detail/CVE-2026-2472, https://github.com/googleapis/python-aiplatform/commit/8a00d43dbd24e95dbab6ea32c63ce0a5a1849480, https://docs.cloud.google.com/support/bulletins#gcp-2026-011, https://github.com/JoshuaProvoste/CVE-2026-2472-Vertex-AI-SDK-Google-Cloud, https://github.com/googleapis/python-aiplatform, https://github.com/googleapis/python-aiplatform/releases/tag/v1.131.0

Severity

0

CVSS Score

Basic Information

Ecosystem

Base CVSS

EPSS Probability

0.00086%

EPSS Percentile

0.24555%

Introduced Version

1.98.0

Fix Available

1.131.0

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

CVE-2026-2472

CVE-2026-2472

Package Versions Affected

Automatically patch vulnerabilities without upgrading

CVSS Version

Related Resources

References

Severity

0

Basic Information

Fix Critical Vulnerabilities Instantly