Share
## https://sploitus.com/exploit?id=8933C2AF-A28F-5828-BC18-E70F2EA65F07
# Unauthenticated Stored Cross-Site Scripting (XSS) in _genai/_evals_visualization.py of Google Cloud Vertex AI SDK (google-cloud-aiplatform) versions from 1.98.0 up to (but not including) 1.131.0 - (github.com/googleapis/python-aiplatform)

- **Author: Joshua Provoste (N-day Researcher & Dev)**
- **Credits: Din Asotić (Zero-day Finder & Reporter)**

## About `google-cloud-aiplatform`

`google-cloud-aiplatform` is Google Cloud's official Python SDK for working with **Vertex AI**. It provides high-level abstractions to create, train, deploy, and use ML models (including AutoML and custom models), and to manage datasets, endpoints, pipelines, and predictions.

* https://pypi.org/project/google-cloud-aiplatform/
* https://github.com/googleapis/python-aiplatform

## Resume

`GCP-2026-011` (published and updated on 2026-02-20) documents `CVE-2026-2472`, a stored `XSS` vulnerability in the `_genai/_evals_visualization.py` component of the **Google Cloud Vertex AI Python SDK** (`google-cloud-aiplatform`) affecting versions `1.98.0` up to but not including `1.131.0`, where an **unauthenticated attacker can inject script escape sequences into model evaluation results or dataset JSON and achieve arbitrary JavaScript execution in a victim's Jupyter/Colab environment**; Google indicates the issue is fixed by upgrading to version `1.131.0` or later (with `1.131.0` released on 2025-12-16).

# About the XSS Vulnerability in `vertexai/_genai/_evals_visualization.py`

## Summary

The file is vulnerable to **stored XSS** because it **embeds attacker-controllable JSON directly into an inline `` block** without performing **HTML script-context escaping**. This allows a malicious value containing a script-closing sequence (e.g., ``) to **break out of the intended JavaScript data assignment** and inject executable JavaScript into the rendered Jupyter/Colab HTML.

## Why it is vulnerable (root cause)

The core issue is the pattern:

- `_get_evaluation_html(...)` injects raw JSON into:
  - `const data = {eval_result_json};` **(line 101)**
- `_get_comparison_html(...)` injects raw JSON into:
  - `const data = {eval_result_json};` **(line 180)**
- `_get_inference_html(...)` injects raw JSON into:
  - `const data = JSON.parse({dataframe_json});` **(line 252)**

Even when the input is serialized with `json.dumps(...)`, that only makes it valid **JSON**—it does **not** make it safe for embedding inside an HTML `` context. If any field in the JSON contains ``, the browser's HTML parser can terminate the current script tag and parse the rest as attacker-controlled HTML/JS.

### Primary vulnerable sinks (inline script JSON embedding)

- **Line 101** - `const data = {eval_result_json};`
- **Line 180** - `const data = {eval_result_json};`
- **Line 252** - `const data = JSON.parse({dataframe_json});`

### The XSS payload

```
{
  "prompt": "alert('XSS');",
  "rows": []
}
```

## Local PoC of `CVE-2026-2472`

1. Install the specific vulnerable version of `google-cloud-aiplatform` and `pandas`

```
pip install google-cloud-aiplatform==1.98.0
pip install pandas
```

2. Execute `CVE-2026-2472.py` to generate the local PoC

```
(.venv) L:\>python CVE-2026-2472.py
[+] xss_proof_local.html
```

![](XSS-CVE-2026-2472.png)