CVE-2026-23516

High CVSS: 8.6

CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.2.0 through 2.54.0, an attacker is able to execute arbitrary JavaScript in a victim user's CVAT UI session, provided that they are able to create a maliciously crafted label in a CVAT task or project, then get the victim user to either edit that label, or view a shape that refers to that label; and/or get the victim user to upload a maliciously crafted SVG image when configuring a skeleton. This gives the attacker temporary access to all CVAT resources that the victim user can access. Version 2.55.0 fixes the issue.

Vendor

Cvat

Product

Computer Vision Annotation Tool

CWE

CWE-83

Yayın Tarihi

2026-01-21 22:15:49

Güncelleme

2026-02-20 20:08:06

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-83 Computer Vision Annotation Tool HIGH Cvat 2026

Referanslar

https://github.com/cvat-ai/cvat/commit/40800707fe39e3ff76c8d036eb953eb12d764e70 https://github.com/cvat-ai/cvat/security/advisories/GHSA-3m7p-wx65-c7mp

Benzer Kayıtlar

High

CVE-2026-23526

CVAT is an open source interactive video and image annotation tool for computer vision. In versions 1.0.0 through 2.54.0…

Medium

CVE-2025-68430

CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.8.1 through 2.52.0…

Medium

CVE-2025-54573

CVAT is an open source interactive video and image annotation tool for computer vision. In versions 1.1.0 through 2.41.0…

Medium

CVE-2025-49135

CVAT is an open source interactive video and image annotation tool for computer vision. Versions 2.2.0 through 2.39.0 ha…

Medium

CVE-2025-48381

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. In version…

High

CVE-2025-23045

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. An attacke…