Description
IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Published: 2026-06-30
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM watsonx.data intelligence 5.2.0 to 5.3.0 contains an improper input validation flaw that allows an authenticated user to inject arbitrary JavaScript into the web interface. The injected code runs with the privileges of the logged‑in user, enabling an attacker to capture session data or perform other malicious actions, which can lead to credential disclosure or other unauthorized activities.

Affected Systems

The affected product is IBM watsonx.data intelligence. Versions 5.2.0, 5.2.1, 5.2.2, and 5.3.0 are impacted. IBM has released a fix in the 5.3.1 release and later.

Risk and Exploitability

The CVSS score of 5.4 places this flaw in the medium severity range. The EPSS score is not available and the vulnerability is not listed in CISA KEV, indicating limited evidence of exploitation in the wild. Attackers must first authenticate to the watsonx.data intelligence web UI, so the attack vector is limited to authorized users. Overall, the risk is moderate, but the potential to expose user credentials or session tokens warrants prompt remediation.

Generated by OpenCVE AI on June 30, 2026 at 23:33 UTC.

Remediation

Vendor Solution

Affected product | Fixed in release | Instructions
IBM watsonx.data intelligence 5.2.0 - 5.3.0 | 5.3.1 | https://www.ibm.com/docs/en/watsonx/wdi/2.3.x?topic=new-watsonxdata-intelligence

IBM strongly advises upgrading as soon as possible.


OpenCVE Recommended Actions

  • Upgrade IBM watsonx.data intelligence to the 5.3.1 release or newer that contains the XSS fix, following IBM’s release instructions.
  • Restrict Web UI access to only necessary roles and apply the principle of least privilege to limit the impact of any future XSS attempts.
  • Implement a content‑security‑policy header on the web interface to mitigate the effect of any residual XSS vectors while a patch is pending.

Generated by OpenCVE AI on June 30, 2026 at 23:33 UTC.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description | | IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Title | | Vulnerabilities found in Watson Data Intelligence
First Time appeared | | Ibm; Ibm watsonxdata Intelligence
Weaknesses | | CWE-79
CPEs | | cpe:2.3:a:ibm:watsonxdata_intelligence:5.2.0:*:*:*:*:*:*:*
Vendors & Products | | Ibm; Ibm watsonxdata Intelligence
References | |
Metrics | | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-30T20:19:08.912Z

Reserved: 2025-04-15T21:16:51.462Z

Link: CVE-2025-36323

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T23:45:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')