SYS::ONLINE
Wasteland.
Briefs1238
Issues19
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-15091 2026-07-17

CVE-2026-15091: Critical Cross-Site Scripting Flaw in IBM Engineering AI Hub

"A critical stored/reflected XSS vulnerability in IBM Engineering AI Hub allows remote attackers to execute arbitrary scripts in users' browsers, earning a CVSS score of 9.3."

A critical stored/reflected XSS vulnerability in IBM Engineering AI Hub allows remote attackers to execute arbitrary scripts in users' browsers, earning a CVSS score of 9.3.

What Is It

CVE-2026-15091 is a cross-site scripting (XSS) vulnerability (CWE-79) in IBM Engineering AI Hub. The flaw stems from improper neutralization of input during web page generation, allowing a remote attacker to execute arbitrary scripts. It carries a CVSS 3.1 base score of 9.3 (CRITICAL), with vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N, network-reachable, low attack complexity, and requiring no privileges but some user interaction.

Why It Matters

The vulnerability rates CRITICAL largely because of its changed scope (S:C): a successful attack can affect resources beyond the vulnerable component's security boundary. Both confidentiality and integrity impacts are rated HIGH, meaning attacker-injected scripts could expose sensitive data or manipulate application content. Because exploitation requires no privileges and only user interaction, an attacker needs only to lure a victim into triggering the malicious input.

What's Vulnerable

The following IBM Engineering AI Hub versions are affected:

The issue was reported by IBM's PSIRT ([email protected]).

Patch Status

IBM has published a support advisory for this vulnerability. Administrators should consult IBM's guidance at the reference below for remediation details. This CVE was published on 2026-07-17 and, at the time of this record, held a status of "Received" in the NVD. No CISA KEV entry was supplied, so there is no confirmation of active exploitation at this time.

Sources