CVE-2026-15091

IBM · Engineering AI Hub

IBM Engineering AI Hub versions 1.0.0 through 1.2.0 are vulnerable to stored cross-site scripting due to improper input sanitization, allowing remote attackers to execute arbitrary scripts.

Executive summary

A critical cross-site scripting vulnerability in IBM Engineering AI Hub permits unauthenticated remote attackers to execute arbitrary scripts within the context of a user session.

Vulnerability

This is a cross-site scripting (CWE-79) vulnerability occurring due to improper neutralization of input during web page generation. The attack vector is network-based and does not require prior authentication or elevated privileges.

Business impact

The exploitation of this vulnerability can lead to session hijacking, unauthorized actions performed on behalf of legitimate users, and potential data theft. Given the CVSS score of 9.3, this flaw poses a severe risk to the integrity and confidentiality of the engineering environment, potentially allowing an attacker to manipulate sensitive project data or gain a foothold in the internal network.

Remediation

Immediate Action: Upgrade IBM Engineering AI Hub to version 1.3.0 immediately as specified in the vendor security advisory.

Proactive Monitoring: Monitor web application logs for suspicious script injections or unusual URL parameters that deviate from standard application behavior.

Compensating Controls: Deploy a Web Application Firewall with strict input validation rules to filter out malicious scripts before they reach the application.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

The high CVSS score reflects the critical nature of this vulnerability, as it allows remote code execution in a client context without authentication. Administrators must prioritize the upgrade to version 1.3.0 to eliminate the risk of script injection and potential system compromise.