Home

Description

CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.2.0 through 2.54.0, an attacker is able to execute arbitrary JavaScript in a victim user's CVAT UI session, provided that they are able to create a maliciously crafted label in a CVAT task or project, then get the victim user to either edit that label, or view a shape that refers to that label; and/or get the victim user to upload a maliciously crafted SVG image when configuring a skeleton. This gives the attacker temporary access to all CVAT resources that the victim user can access. Version 2.55.0 fixes the issue.

PUBLISHED Reserved 2026-01-13 | Published 2026-01-21 | Updated 2026-01-21 | Assigner GitHub_M




HIGH: 8.6CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-83: Improper Neutralization of Script in Attributes in a Web Page

Product status

>= 2.2.0, < 2.55.0
affected

References

github.com/...i/cvat/security/advisories/GHSA-3m7p-wx65-c7mp

github.com/...ommit/40800707fe39e3ff76c8d036eb953eb12d764e70

cve.org (CVE-2026-23516)

nvd.nist.gov (CVE-2026-23516)

Download JSON