Vulnerability  ·  2026-07-19

IBM Engineering AI Hub Cross-Site Scripting via Improper Web Page Input Neutralization

VulnerabilityHigh impactGlobalCVE-2026-15091
IBM disclosed a critical (CVSS 9.3) cross-site scripting vulnerability in Engineering AI Hub's web interface, alongside related session-token-in-URL exposure (CVE-2026-15322) and open-redirect (CVE-2026-15093) issues in the same product line.
IBM Engineering AI Hub is an internal platform for managing AI/ML assets in engineering organizations; a stored/reflected XSS reachable in its web console could be used to hijack administrator sessions managing AI model pipelines and configuration, though the blast radius is limited to organizations running this specific IBM product.
IBM Engineering AI Hub fails to properly neutralize input during web page generation, allowing a remote attacker to execute arbitrary scripts in the context of a victim's browser session against the AI Hub web console.
IBM Engineering AI Hub 1.0.0, 1.1.0, and 1.2.0
Apply IBM's fix per the security bulletin (support pages node/7279964).
IBM Security Bulletin — Engineering AI Hub XSS
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →