
Commit 7b171aa

1 parent 583028d commit 7b171aa


2 files changed

+72
-10
lines changed


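--- a/advisories/unreviewed/2026/02/GHSA-qv8j-hgpc-vrq8/GHSA-qv8j-hgpc-vrq8.json
+++ b/advisories/github-reviewed/2026/02/GHSA-qv8j-hgpc-vrq8/GHSA-qv8j-hgpc-vrq8.json
@@ -1,36 +1,69 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-qv8j-hgpc-vrq8",
-"modified": "2026-02-20T21:31:24Z",
+"modified": "2026-02-20T22:41:45Z",
 "published": "2026-02-20T21:31:24Z",
 "aliases": [
 "CVE-2026-2472"
 ],
+"summary": "Google Cloud Vertex AI SDK affected by Stored Cross-Site Scripting (XSS)",
 "details": "Stored Cross-Site Scripting (XSS) in the _genai/_evals_visualization component of Google Cloud Vertex AI SDK (google-cloud-aiplatform) versions from 1.98.0 up to (but not including) 1.131.0 allows an unauthenticated remote attacker to execute arbitrary JavaScript in a victim's Jupyter or Colab environment via injecting script escape sequences into model evaluation results or dataset JSON data.",
 "severity": [
 {
 "type": "CVSS_V4",
-"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber"
+"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/U:Amber"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "google-cloud-aiplatform"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "1.98.0"
+},
+{
+"fixed": "1.131.0"
+}
+]
+}
+]
 }
 ],
-"affected": [],
 "references": [
 {
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2472"
 },
+{
+"type": "WEB",
+"url": "https://github.com/googleapis/python-aiplatform/commit/8a00d43dbd24e95dbab6ea32c63ce0a5a1849480"
+},
 {
 "type": "WEB",
 "url": "https://docs.cloud.google.com/support/bulletins#gcp-2026-011"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/googleapis/python-aiplatform"
+},
+{
+"type": "WEB",
+"url": "https://github.com/googleapis/python-aiplatform/releases/tag/v1.131.0"
 }
 ],
 "database_specific": {
 "cwe_ids": [
 "CWE-79"
 ],
 "severity": "HIGH",
-"github_reviewed": false,
-"github_reviewed_at": null,
+"github_reviewed": true,
+"github_reviewed_at": "2026-02-20T22:41:44Z",
 "nvd_published_at": "2026-02-20T20:25:24Z"
 }
 }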
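Review bot: The narrative and the vector on the new side disagree about the attacker's precondition: the unchanged `details` text describes an "unauthenticated remote attacker", while the trimmed CVSS:4.0 `score` kept at new line 14 carries `PR:L` (low privileges) together with `UI:P`. The two values are presumably inherited from different upstream sources (the GCP bulletin and NVD), so one of them should be reconciled, or the mismatch noted, before the reviewed record is published, since downstream scanners read the vector rather than the prose. The new `affected` range (`introduced` 1.98.0, `fixed` 1.131.0) does agree with the version span stated in `details`, and the added fix-commit and release-tag references give reviewers something concrete to verify the range against.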

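--- a/advisories/unreviewed/2026/02/GHSA-wh2j-26j7-9728/GHSA-wh2j-26j7-9728.json
+++ b/advisories/github-reviewed/2026/02/GHSA-wh2j-26j7-9728/GHSA-wh2j-26j7-9728.json
@@ -1,19 +1,40 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-wh2j-26j7-9728",
-"modified": "2026-02-20T21:31:24Z",
+"modified": "2026-02-20T22:41:41Z",
 "published": "2026-02-20T21:31:24Z",
 "aliases": [
 "CVE-2026-2473"
 ],
+"summary": "Google Cloud Vertex AI has a a vulnerability involving predictable bucket naming",
 "details": "Predictable bucket naming in Vertex AI Experiments in Google Cloud Vertex AI from version 1.21.0 up to (but not including) 1.133.0 on Google Cloud Platform allows an unauthenticated remote attacker to achieve cross-tenant remote code execution, model theft, and poisoning via pre-creating predictably named Cloud Storage buckets (Bucket Squatting).\n\nThis vulnerability was patched and no customer action is needed.",
 "severity": [
 {
 "type": "CVSS_V4",
-"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear"
+"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Clear"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "google-cloud-aiplatform"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "1.21.0"
+},
+{
+"fixed": "1.133.0"
+}
+]
+}
+]
 }
 ],
-"affected": [],
 "references": [
 {
 "type": "ADVISORY",
@@ -22,15 +43,23 @@
 {
 "type": "WEB",
 "url": "https://docs.cloud.google.com/support/bulletins#gcp-2026-012"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/googleapis/python-aiplatform"
+},
+{
+"type": "WEB",
+"url": "https://github.com/googleapis/python-aiplatform/releases/tag/v1.133.0"
 }
 ],
 "database_specific": {
 "cwe_ids": [
 "CWE-340"
 ],
 "severity": "HIGH",
-"github_reviewed": false,
-"github_reviewed_at": null,
+"github_reviewed": true,
+"github_reviewed_at": "2026-02-20T22:41:41Z",
 "nvd_published_at": "2026-02-20T20:25:24Z"
 }
 }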
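Review bot: The new `summary` at new line 9 of the first hunk has a doubled article, "has a a vulnerability"; it should read `"summary": "Google Cloud Vertex AI has a vulnerability involving predictable bucket naming",`. Separately, the unchanged `details` text ends with "This vulnerability was patched and no customer action is needed", yet the new `affected` block assigns a PyPI range with `"fixed": "1.133.0"`, which will make dependency scanners flag every pinned google-cloud-aiplatform below 1.133.0 as needing an upgrade; if the fix is service-side only, as the sentence suggests, either the range or that sentence should be qualified so the two do not contradict each other. The second hunk only adds reference entries and flips the review flags, so the same remark does not apply there.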
