A critical stored/reflected XSS vulnerability in IBM Engineering AI Hub allows remote attackers to execute arbitrary scripts in users' browsers, earning a CVSS score of 9.3.
What Is It
CVE-2026-15091 is a cross-site scripting (XSS) vulnerability (CWE-79) in IBM Engineering AI Hub. The flaw stems from improper neutralization of input during web page generation, allowing a remote attacker to execute arbitrary scripts. It carries a CVSS 3.1 base score of 9.3 (CRITICAL), with vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N, network-reachable, low attack complexity, and requiring no privileges but some user interaction.
Why It Matters
The vulnerability rates CRITICAL largely because of its changed scope (S:C): a successful attack can affect resources beyond the vulnerable component's security boundary. Both confidentiality and integrity impacts are rated HIGH, meaning attacker-injected scripts could expose sensitive data or manipulate application content. Because exploitation requires no privileges and only user interaction, an attacker needs only to lure a victim into triggering the malicious input.
What's Vulnerable
The following IBM Engineering AI Hub versions are affected:
- 1.0.0
- 1.1.0
- 1.2.0
The issue was reported by IBM's PSIRT ([email protected]).
Patch Status
IBM has published a support advisory for this vulnerability. Administrators should consult IBM's guidance at the reference below for remediation details. This CVE was published on 2026-07-17 and, at the time of this record, held a status of "Received" in the NVD. No CISA KEV entry was supplied, so there is no confirmation of active exploitation at this time.
Sources
- IBM Support; Security Bulletin (node 7279964): https://www.ibm.com/support/pages/node/7279964
- NVD, CVE-2026-15091: https://nvd.nist.gov/vuln/detail/CVE-2026-15091