GCP-2026-011
🔗 CVE IDs covered (1)
📋 Description
Published: 2026-02-20

Description:
A stored Cross-site Scripting (XSS) vulnerability in _genai/_evals_visualization was identified in Google google-cloud-aiplatform (Vertex AI Python SDK Visualization) on Exclusively-Hosted-Service.

What should I do?
Customers will need to update their google-cloud-aiplatform Python SDK to version 1.131.0 (released on 2025-12-16) or later to receive the fix.

CVE-2026-2472 allows an unauthenticated remote attacker to execute arbitrary JavaScript in a victim's Jupyter or Colab environment by injecting script escape sequences into model evaluation results or dataset JSON data. This vulnerability was identified in Google google-cloud-aiplatform (Vertex AI Python SDK) prior to 1.131.0.

Severity: High

Notes: CVE-2026-2472
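The following is an added example, not code from the advisory or from the google-cloud-aiplatform SDK. The advisory does not show the affected code, so the example assumes a notebook visualization that inlines evaluation JSON into a `<script>` element, and contrasts that embedding with an escaped one. `TEMPLATE`, `render_naive`, `render_safe`, `dumps_for_script`, `count_script_elements` and the sample row are hypothetical names and constructed data.

```python
import json
from html.parser import HTMLParser

# Constructed sample: an evaluation row whose model response carries a script
# end tag, the kind of sequence the advisory says was injected into results.
SAMPLE_EVAL_ROW = {
    "prompt": "Summarize the report",
    "response": "done</script><script>console.log('injected')</script>",
}

# Hypothetical notebook template that inlines the data into a script element.
TEMPLATE = '<div id="viz"></div><script>window.EVAL_DATA = {payload};</script>'


def render_naive(row):
    # json.dumps leaves "<" and "/" alone, so "</script>" reaches the HTML
    # tokenizer intact and terminates the script element early.
    return TEMPLATE.format(payload=json.dumps(row))


def dumps_for_script(obj):
    # json.dumps (ensure_ascii=True) already escapes U+2028/U+2029; also escape
    # the characters the HTML tokenizer reacts to. \u003c is a valid JSON/JS
    # string escape, so the decoded data is unchanged.
    out = json.dumps(obj)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        out = out.replace(ch, esc)
    return out


def render_safe(row):
    return TEMPLATE.format(payload=dumps_for_script(row))


class _ScriptCounter(HTMLParser):
    """Counts <script> start tags the way an HTML tokenizer would see them."""
    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def count_script_elements(html):
    parser = _ScriptCounter()
    parser.feed(html)
    parser.close()
    return parser.scripts
```

The naive rendering parses as two script elements because the data closed the first one; the escaped rendering parses as one, and the JSON still decodes to the original row.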