CVE-2026-44369
8.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to create or edit an annotation guide on a task is able to add malicious JavaScript code, which will then run in the browser of anyone who opens this annotation guide. This code will be able to make arbitrary requests to CVAT with the victim user's privileges. This vulnerability is fixed in 2.64.0.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| cvat-ai | cvat | >= 2.5.0, < 2.64.0 | affected |
Weaknesses
- CWE-80: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/cvat-ai/cvat/security/advisories/GHSA-m2h7-6xqm-p9v5
- https://github.com/cvat-ai/cvat/commit/ad9e90003d8234ac7602598b109dc11450321dfc
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.