Vulnerability Description
Stored Cross-Site Scripting (XSS) in the _genai/_evals_visualization component of Google Cloud Vertex AI SDK (google-cloud-aiplatform) versions from 1.98.0 up to (but not including) 1.131.0 allows an unauthenticated remote attacker to execute arbitrary JavaScript in a victim's Jupyter or Colab environment via injecting script escape sequences into model evaluation results or dataset JSON data.
Related Weaknesses (CWE)
References
- https://docs.cloud.google.com/support/bulletins#gcp-2026-011
- https://github.com/JoshuaProvoste/CVE-2026-2472-Vertex-AI-SDK-Google-Cloud
FAQ
What is CVE-2026-2472?
CVE-2026-2472 is a documented vulnerability. Stored Cross-Site Scripting (XSS) in the _genai/_evals_visualization component of Google Cloud Vertex AI SDK (google-cloud-aiplatform) versions from 1.98.0 up to (but not including) 1.131.0 allows an ...
How severe is CVE-2026-2472?
CVSS scoring is not yet available for CVE-2026-2472. Check NVD for updates.
Is there a patch for CVE-2026-2472?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.