CVE-2025-36139 is a stored cross-site scripting (XSS) vulnerability identified in IBM watsonx.data version 2.2, part of the IBM Lakehouse platform. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), allowing a privileged user to embed arbitrary JavaScript code into the web user interface. Because the vulnerability is stored XSS, the malicious script persists on the server and executes whenever a victim accesses the affected page. The attack vector requires network access and privileges (PR:H), but no user interaction is needed once the malicious script is stored. The vulnerability impacts confidentiality and integrity by potentially enabling credential disclosure within a trusted session and altering intended functionality of the web application. The CVSS 3.1 base score is 5.5 (medium severity), reflecting that the attack can be launched remotely with low complexity but requires privileged user access. The scope is changed (S:C), meaning the vulnerability affects resources beyond the vulnerable component. No known exploits are currently in the wild, and no patches have been linked yet. The vulnerability is significant because IBM watsonx.data is used for data lakehouse management, often containing sensitive enterprise data, and the web UI is a critical interface for administrators and users. Exploitation could lead to session hijacking, credential theft, or unauthorized actions within the trusted environment.

For European organizations using IBM watsonx.data 2.2, this vulnerability poses a risk to the confidentiality and integrity of sensitive data managed within the platform. Since the vulnerability allows a privileged user to inject malicious scripts, insider threats or compromised privileged accounts could lead to credential theft or session hijacking, potentially escalating further attacks or data exfiltration. The alteration of web UI functionality could disrupt normal operations or mislead users into performing unintended actions. Given the critical role of data lakehouse platforms in analytics and data governance, exploitation could impact compliance with GDPR and other data protection regulations by exposing personal or sensitive data. Additionally, the persistence of the malicious script increases the risk of prolonged exposure until the vulnerability is remediated. The medium severity score suggests moderate urgency, but the requirement for privileged access limits the attack surface to trusted users or attackers who have already gained elevated access.

European organizations should implement the following specific mitigations: 1) Restrict and monitor privileged user access rigorously, employing the principle of least privilege and strong authentication methods such as multi-factor authentication (MFA). 2) Conduct thorough input validation and sanitization on all user inputs, especially those that can be rendered in the web UI, to prevent injection of malicious scripts. 3) Deploy web application firewalls (WAFs) with custom rules to detect and block suspicious script payloads targeting the IBM watsonx.data interface. 4) Monitor logs and user activities for unusual behavior indicative of attempted or successful exploitation, focusing on privileged accounts. 5) Apply security patches promptly once IBM releases them; meanwhile, consider temporary workarounds such as disabling or limiting access to vulnerable UI components if feasible. 6) Educate privileged users about the risks of XSS and safe usage practices. 7) Regularly review and update security policies related to web application security and privileged access management. These targeted actions go beyond generic advice by focusing on the specific threat vector and the privileged nature of the vulnerability.