CVE-2026-23516

5.4 MEDIUM
Published: January 21, 2026 Modified: February 20, 2026
View on NVD

Description

CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.2.0 through 2.54.0, an attacker is able to execute arbitrary JavaScript in a victim user's CVAT UI session, provided that they are able to create a maliciously crafted label in a CVAT task or project, then get the victim user to either edit that label, or view a shape that refers to that label; and/or get the victim user to upload a maliciously crafted SVG image when configuring a skeleton. This gives the attacker temporary access to all CVAT resources that the victim user can access. Version 2.55.0 fixes the issue.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/cvat-ai/cvat/commit/40800707fe39e3ff76c8d036eb953eb12d764e70
Source: security-advisories@github.com
Patch
https://github.com/cvat-ai/cvat/security/advisories/GHSA-3m7p-wx65-c7mp
Source: security-advisories@github.com
Patch Third Party Advisory

2 reference(s) from NVD

Quick Stats

CVSS v3 Score
5.4 / 10.0
EPSS (Exploit Probability)
0.0%
10th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-83 CWE-79

Affected Vendors

cvat

Related CVEs

CVE-2026-4633 3.7
CVE-2026-4583 5.0
CVE-2026-28809 N/A
CVE-2026-4582 5.0
CVE-2026-4581 7.3