CVE-2026-44369 | THREATINT

Description

CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to create or edit an annotation guide on a task is able to add malicious JavaScript code, which will then run in the browser of anyone who opens this annotation guide. This code will be able to make arbitrary requests to CVAT with the victim user's privileges. This vulnerability is fixed in 2.64.0.

PUBLISHED Reserved 2026-05-05 | Published 2026-05-13 | Updated 2026-05-15 | Assigner GitHub_M

HIGH: 8.5CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Product status

>= 2.5.0, < 2.64.0

affected

References

github.com/...i/cvat/security/advisories/GHSA-m2h7-6xqm-p9v5

github.com/...ommit/ad9e90003d8234ac7602598b109dc11450321dfc

cve.org (CVE-2026-44369)

nvd.nist.gov (CVE-2026-44369)

Download JSON