CVE-2026-4919
Cross-Site Scripting in IBM Guardium 12.1 Enables Credential Theft
Publication date: 2026-04-23
Last updated on: 2026-04-27
Assigner: IBM Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ibm | guardium_data_protection | 12.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
IBM Guardium Data Protection 12.1 is vulnerable to cross-site scripting (XSS). This means that an administrative user can insert arbitrary JavaScript code into the Web UI. This injected code can alter the intended functionality of the application.
How can this vulnerability impact me? :
The vulnerability can potentially lead to the disclosure of credentials within a trusted session. Because the injected JavaScript runs in the context of the Web UI, it can manipulate the interface or steal sensitive information, compromising the security of the system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in IBM Guardium Data Protection 12.1 allows an administrative user to embed arbitrary JavaScript code in the Web UI, potentially leading to credentials disclosure within a trusted session.
Such a vulnerability could impact compliance with standards and regulations like GDPR and HIPAA because unauthorized disclosure of credentials may lead to unauthorized access to sensitive personal or health data, violating data protection requirements.