High severity · NVD Advisory · Published Feb 20, 2026 · Updated Apr 15, 2026
CVE-2026-2472
Description
Stored Cross-Site Scripting (XSS) in the _genai/_evals_visualization component of Google Cloud Vertex AI SDK (google-cloud-aiplatform) versions from 1.98.0 up to (but not including) 1.131.0 allows an unauthenticated remote attacker to execute arbitrary JavaScript in a victim's Jupyter or Colab environment via injecting script escape sequences into model evaluation results or dataset JSON data.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| google-cloud-aiplatform (PyPI) | >= 1.98.0, < 1.131.0 | 1.131.0 |
References
- github.com/advisories/GHSA-qv8j-hgpc-vrq8 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-2472 (ghsa, ADVISORY)
- docs.cloud.google.com/support/bulletins (nvd, WEB)
- github.com/googleapis/python-aiplatform/commit/8a00d43dbd24e95dbab6ea32c63ce0a5a1849480 (ghsa, WEB)
- github.com/googleapis/python-aiplatform/releases/tag/v1.131.0 (ghsa, WEB)