External risk intelligence

IBM Engineering AI Hub Cross-Site Scripting Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-15091

IBM Engineering AI Hub is a web-based application platform. Such applications are commonly deployed as web interfaces accessible to users over a network, and web-based input neutralization vulnerabilities are typically associated with web services that are exposed to user traffic.

Cross-site Scripting

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in IBM Engineering AI Hub. The issue allows attackers to run unauthorized scripts by exploiting how the system handles web page input, potentially impacting systems that process user-generated content. The primary concern is confirming the relevance and exposure of this vulnerability within your environment.

  • Flaw lets external scripts run on IBM AI Hub.
  • Protects against unauthorized script execution.
  • Assess IBM Engineering AI Hub for risk.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by tricking a user into visiting a specially crafted web page. This would allow the attacker to inject malicious scripts into the user's browser, potentially leading to the execution of arbitrary code.

  • No authentication required.
  • User visits a malicious web page.
  • Arbitrary script execution.

Live Threat

Current exploitation, exposure, and threat context

A remote attacker could execute arbitrary scripts in IBM Engineering AI Hub when users interact with specially crafted web pages. This could potentially lead to the exposure of sensitive information or unauthorized actions within the affected system.

  • User session data could be exposed.
  • Malicious scripts could be injected.
  • System integrity could be compromised.

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners and infrastructure teams are likely responsible for addressing this vulnerability in IBM Engineering AI Hub. The first practical step is to identify all instances of the affected technology, determine their reachability and business criticality, and confirm the accountable owner before planning remediation.

  • Identify affected IBM Engineering AI Hub instances.
  • Verify network exposure and business criticality.
  • Plan remediation with the accountable owner.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is IBM Engineering AI Hub?

IBM Engineering AI Hub is a web-based application platform designed to integrate artificial intelligence capabilities into engineering workflows. It provides tools for data analysis and model management, serving as a centralized hub for teams to process engineering-related information through a browser-based interface.

What does CVE-2026-15091 mean by improper neutralization of input?

This vulnerability is classified as CWE-79, or Cross-Site Scripting. It means the application fails to properly clean or validate data provided by users before displaying it on a web page. Consequently, an attacker can supply malicious script code that the system mistakenly treats as trusted content, allowing that code to execute within a victim's browser session.

How does an attacker trigger this vulnerability?

An attacker triggers this bug by tricking a legitimate user into clicking a link or visiting a web page containing specially crafted malicious code. The vulnerability does not trigger if users only interact with trusted, internal content or if they never visit external, untrusted links while authenticated to the application.

Why does Halo Surface Signal categorize this as external?

Halo Surface Signal labels this as external because IBM Engineering AI Hub is a web-based platform. Since such applications are designed to process web traffic and are frequently deployed where they are reachable over a network, they are inherently more likely to face external input that could contain malicious scripts.

Do I need to take immediate action for this CVE?

Yes. Start by locating every instance of IBM Engineering AI Hub within your organization. Once identified, evaluate whether these instances are reachable over a network, determine their importance to your business operations, and coordinate with the system owners to track remediation efforts.

References