CVE-2026-2472

HIGH

Google Cloud Vertex AI SDK 1.98.0-1.131.0 - XSS

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2026-2472. PoCs published by XiaomingX, XZ1r0, megafart1.

AI-analyzed exploit summary The repository contains a functional PoC for CVE-2026-2472, demonstrating a stored XSS vulnerability in Google Cloud Vertex AI SDK's _evals_visualization.py. The exploit injects a malicious script payload into JSON data, which is then embedded into an HTML script context without proper escaping.

Description

Stored Cross-Site Scripting (XSS) in the _genai/_evals_visualization component of Google Cloud Vertex AI SDK (google-cloud-aiplatform) versions from 1.98.0 up to (but not including) 1.131.0 allows an unauthenticated remote attacker to execute arbitrary JavaScript in a victim's Jupyter or Colab environment via injecting script escape sequences into model evaluation results or dataset JSON data.

Exploits (4)

github WORKING POC 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-2472

View Code ZIP pw:eip

The repository contains a functional PoC for CVE-2026-2472, demonstrating a stored XSS vulnerability in Google Cloud Vertex AI SDK's _evals_visualization.py. The exploit injects a malicious script payload into JSON data, which is then embedded into an HTML script context without proper escaping.

Classification

Working Poc 100%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Google Cloud Vertex AI SDK (google-cloud-aiplatform) versions 1.98.0 to 1.130.0

No auth needed

Prerequisites: Vulnerable version of google-cloud-aiplatform installed · Ability to inject malicious JSON into evaluation results

MITRE ATT&CK

T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed Mar 02, 2026 Full analysis →

github WORKING POC

by XZ1r0 · pythonpoc

https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/web/CVE-2026-2472-Vertex-AI-SDK-Google-Cloud

View Code ZIP pw:eip

This repository contains a functional proof-of-concept for CVE-2026-2472, demonstrating a stored XSS vulnerability in the Google Cloud Vertex AI SDK's _evals_visualization.py component. The exploit leverages improper HTML script-context escaping to inject arbitrary JavaScript into rendered Jupyter/Colab environments.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: google-cloud-aiplatform (versions 1.98.0 to 1.130.0)

No auth needed

Prerequisites: vulnerable version of google-cloud-aiplatform · pandas

MITRE ATT&CK

T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed May 21, 2026 Full analysis →

nomisec WORKING POC

by megafart1 · poc

https://github.com/megafart1/CVE-2026-2472-Vertex-AI-SDK-Google-Cloud

View Code ZIP pw:eip

The repository contains a functional proof-of-concept for CVE-2026-2472, demonstrating an XSS vulnerability in the Vertex AI Python SDK from Google Cloud Platform. The exploit leverages the `_get_evaluation_html` function to inject malicious scripts into Jupyter or Colab notebook sessions.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Vertex AI Python SDK (Google Cloud Platform)

No auth needed

Prerequisites: Python 3.8 or newer · Vertex AI Python SDK installed

MITRE ATT&CK

T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed Mar 11, 2026 Full analysis →

nomisec WORKING POC

by JoshuaProvoste · poc

https://github.com/JoshuaProvoste/CVE-2026-2472-Vertex-AI-SDK-Google-Cloud

View Code ZIP pw:eip

This repository contains a functional proof-of-concept for CVE-2026-2472, demonstrating a stored XSS vulnerability in Google Cloud Vertex AI SDK's _evals_visualization.py. The exploit injects a malicious script payload into JSON data, which is then embedded into an HTML script context without proper escaping, leading to arbitrary JavaScript execution.

Classification

Working Poc 100%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Google Cloud Vertex AI SDK (google-cloud-aiplatform) versions 1.98.0 to 1.130.0

No auth needed

Prerequisites: Installation of vulnerable google-cloud-aiplatform version (e.g., 1.98.0) · Python environment with pandas

MITRE ATT&CK

T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 28, 2026 Full analysis →

References (2)

Core 2

Core References

Various Sources

https://docs.cloud.google.com/support/bulletins#gcp-2026-011

Exploit, Third Party Advisory

https://github.com/JoshuaProvoste/CVE-2026-2472-Vertex-AI-SDK-Google-Cloud

Scores

CVSS v4 8.6

EPSS 0.0009

EPSS Percentile 25.0%

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/U:Amber

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-79

Status published

Products (2)

Google Cloud/Vertex AI SDK for Python 1.98.0 - 1.131.0

pypi/google-cloud-aiplatform 1.98.0 - 1.131.0PyPI

Published Feb 20, 2026

Tracked Since Feb 21, 2026