What happened
IBM disclosed a critical (CVSS 9.3) cross-site scripting vulnerability in Engineering AI Hub's web interface, alongside related session-token-in-URL exposure (CVE-2026-15322) and open-redirect (CVE-2026-15093) issues in the same product line.
Why it matters
IBM Engineering AI Hub is an internal platform for managing AI/ML assets in engineering organizations; a stored/reflected XSS reachable in its web console could be used to hijack administrator sessions managing AI model pipelines and configuration, though the blast radius is limited to organizations running this specific IBM product.
Attack vector
IBM Engineering AI Hub fails to properly neutralize input during web page generation, allowing a remote attacker to execute arbitrary scripts in the context of a victim's browser session against the AI Hub web console.
Affected systems
IBM Engineering AI Hub 1.0.0, 1.1.0, and 1.2.0
Mitigation
Apply IBM's fix per the security bulletin (support pages node/7279964).