IBM Engineering AI Hub Cross-site Scripting Vulnerability (CVE-2026-15091)
A critical cross-site scripting (XSS) vulnerability, identified as CVE-2026-15091 with a CVSS v3.1 score of 9.3, affects IBM Engineering AI Hub versions 1.0.0, 1.1.0, and 1.2.0, allowing a remote attacker to execute arbitrary scripts due to improper input neutralization during web page generation.
CVE-2026-15091 describes a critical cross-site scripting (XSS) vulnerability in IBM Engineering AI Hub versions 1.0.0, 1.1.0, and 1.2.0. This flaw, rated with a CVSS v3.1 base score of 9.3, stems from the application's improper neutralization of input during web page generation (CWE-79). A remote unauthenticated attacker can exploit this vulnerability by injecting malicious scripts into user-controlled input fields, which are subsequently rendered by a victim's browser when they access the affected web pages. Successful exploitation can lead to arbitrary client-side script execution, potentially enabling session hijacking, defacement, data theft, or further malicious actions within the context of the user's browser session.
Attack Chain
- Craft Malicious Payload: A remote attacker crafts a malicious script (e.g., JavaScript) designed to perform actions like stealing session cookies, redirecting users, or defacing web pages.
- Input Injection: The attacker delivers this malicious script as input to a user-controlled field within the IBM Engineering AI Hub application (e.g., through a comment, profile field, or data entry form).
- Application Processing: The IBM Engineering AI Hub application processes the input without adequately neutralizing or encoding the attacker's script.
- Web Page Generation: When a legitimate user accesses a web page within the IBM Engineering AI Hub where the malicious input is displayed, the application includes the unneutralized script in the generated HTML response.
- Client-Side Execution: The victim's web browser receives the crafted web page, interprets the embedded malicious script as legitimate content, and executes it within the security context of the IBM Engineering AI Hub domain.
- Impact on User Session: The executed script performs its intended malicious actions, such as stealing the user's session token, redirecting the user to a malicious site, or performing actions on behalf of the user within the application.
Impact
A successful exploitation of CVE-2026-15091 could lead to significant compromise of user sessions and data within the IBM Engineering AI Hub. Attackers could steal sensitive information, deface web pages, or launch further client-side attacks. Given the nature of XSS, it could also be used to pivot to other attacks such as phishing or malware delivery by manipulating the content presented to the user. The high CVSS score indicates the significant potential for impact on confidentiality, integrity, and availability of the affected system and user data.
Recommendation
- Apply the vendor-provided security updates and patches for IBM Engineering AI Hub to remediate CVE-2026-15091 immediately. Refer to the IBM Corporation support page at
https://www.ibm.com/support/pages/node/7279964for specific guidance.