Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/google-cloud-aiplatform@1.131.0

Type pypi

Namespace

Name google-cloud-aiplatform

Version 1.131.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 1.133.0

Latest_non_vulnerable_version 1.133.0

Affected_by_vulnerabilities

url VCID-19ux-qd88-wfgb

vulnerability_id VCID-19ux-qd88-wfgb

summary

Predictable bucket naming in Vertex AI Experiments in Google Cloud Vertex AI from version 1.21.0 up to (but not including) 1.133.0 on Google Cloud Platform allows an unauthenticated remote attacker to achieve cross-tenant remote code execution, model theft, and poisoning via pre-creating predictably named Cloud Storage buckets (Bucket Squatting).

This vulnerability was patched and no customer action is needed.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-2473

reference_id

reference_type

scores

value	0.00313
scoring_system	epss
scoring_elements	0.54836
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-2473

reference_url

https://github.com/googleapis/python-aiplatform

reference_id

reference_type

scores

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Clear

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/googleapis/python-aiplatform

reference_url

https://github.com/googleapis/python-aiplatform/releases/tag/v1.133.0

reference_id

reference_type

scores

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Clear

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/googleapis/python-aiplatform/releases/tag/v1.133.0

reference_url

https://docs.cloud.google.com/support/bulletins#gcp-2026-012

reference_id

bulletins#gcp-2026-012

reference_type

scores

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Clear

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-23T19:52:07Z/

url

https://docs.cloud.google.com/support/bulletins#gcp-2026-012

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-2473

reference_id

CVE-2026-2473

reference_type

scores

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Clear

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-2473

reference_url

https://github.com/advisories/GHSA-wh2j-26j7-9728

reference_id

GHSA-wh2j-26j7-9728

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-wh2j-26j7-9728

fixed_packages

url	pkg:pypi/google-cloud-aiplatform@1.133.0
purl	pkg:pypi/google-cloud-aiplatform@1.133.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/google-cloud-aiplatform@1.133.0

aliases CVE-2026-2473, GHSA-wh2j-26j7-9728

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-19ux-qd88-wfgb

Fixing_vulnerabilities

url VCID-svj4-n7y4-2ffq

vulnerability_id VCID-svj4-n7y4-2ffq

summary Stored Cross-Site Scripting (XSS) in the _genai/_evals_visualization component of Google Cloud Vertex AI SDK (google-cloud-aiplatform) versions from 1.98.0 up to (but not including) 1.131.0 allows an unauthenticated remote attacker to execute arbitrary JavaScript in a victim's Jupyter or Colab environment via injecting script escape sequences into model evaluation results or dataset JSON data.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2472.json

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2472.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-2472

reference_id

reference_type

scores

value	0.00086
scoring_system	epss
scoring_elements	0.24796
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-2472

reference_url

https://github.com/googleapis/python-aiplatform

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/U:Amber

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/googleapis/python-aiplatform

reference_url

https://github.com/googleapis/python-aiplatform/commit/8a00d43dbd24e95dbab6ea32c63ce0a5a1849480

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/U:Amber

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/googleapis/python-aiplatform/commit/8a00d43dbd24e95dbab6ea32c63ce0a5a1849480

reference_url

https://github.com/googleapis/python-aiplatform/releases/tag/v1.131.0

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/U:Amber

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/googleapis/python-aiplatform/releases/tag/v1.131.0

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2441472
reference_id	2441472
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2441472

reference_url

https://docs.cloud.google.com/support/bulletins#gcp-2026-011

reference_id

bulletins#gcp-2026-011

reference_type

scores

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/U:Amber

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-23T19:56:14Z/

url

https://docs.cloud.google.com/support/bulletins#gcp-2026-011

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-2472

reference_id

CVE-2026-2472

reference_type

scores

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/U:Amber

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-2472

reference_url

https://github.com/JoshuaProvoste/CVE-2026-2472-Vertex-AI-SDK-Google-Cloud

reference_id

CVE-2026-2472-VERTEX-AI-SDK-GOOGLE-CLOUD

reference_type

scores

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/U:Amber

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/JoshuaProvoste/CVE-2026-2472-Vertex-AI-SDK-Google-Cloud

reference_url

https://github.com/advisories/GHSA-qv8j-hgpc-vrq8

reference_id

GHSA-qv8j-hgpc-vrq8

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-qv8j-hgpc-vrq8

reference_url	https://access.redhat.com/errata/RHSA-2026:10184
reference_id	RHSA-2026:10184
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:10184

fixed_packages

url pkg:pypi/google-cloud-aiplatform@1.131.0

purl pkg:pypi/google-cloud-aiplatform@1.131.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-19ux-qd88-wfgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/google-cloud-aiplatform@1.131.0

aliases CVE-2026-2472, GHSA-qv8j-hgpc-vrq8

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-svj4-n7y4-2ffq

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/google-cloud-aiplatform@1.131.0

Package Instance