CVE-2026-23516
BaseFortify

Publication date: 2026-01-21

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.2.0 through 2.54.0, an attacker who can create a maliciously crafted label in a CVAT task or project can execute arbitrary JavaScript in the CVAT UI session of any victim user who either edits that label or views a shape that refers to it. The same result can be achieved by getting the victim user to upload a maliciously crafted SVG image when configuring a skeleton. Either way, the injected script runs with the victim's authenticated session and gives the attacker temporary access to every CVAT resource that user can access. Version 2.55.0 fixes the issue.
Affected Vendors & Products
Associated CPE (1):
Vendor: cvat
Product: computer_vision_annotation_tool
Version range: from 2.2.0 (inclusive) to 2.55.0 (exclusive)
CWE
CWE-83: The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVAT versions 2.2.0 through 2.54.0 contain a stored cross-site scripting flaw with two entry points. First, a label name is rendered into the UI without adequate encoding, so an attacker who can create a label in a task or project gets script execution in the session of any user who later edits that label or views a shape annotated with it. Second, an SVG uploaded while configuring a skeleton is rendered without neutralizing script-bearing content, so an attacker who persuades a victim to upload a crafted SVG gets the same result. In both cases the script runs as the victim and has temporary access to every CVAT resource the victim can reach. The issue is fixed in version 2.55.0.

Impact Analysis

Script injected through either vector executes inside the victim's authenticated CVAT UI session, so it can call the CVAT API as the victim for as long as that session is open. Any project, task, annotation, or other resource the victim is permitted to read or modify can therefore be read or modified by the attacker. Because the crafted label is stored server-side, the label vector is triggered repeatedly, by every user who edits the label or views a shape that refers to it, rather than by a single victim.

Mitigation Strategies

Upgrade CVAT to version 2.55.0 or later; that release fixes both the label-name and the skeleton-SVG vectors. Until the upgrade is in place, treat label names and skeleton SVGs that originate from other users as untrusted: limit the ability to create labels in tasks and projects to trusted collaborators where your deployment allows it, avoid editing labels or viewing shapes created by untrusted users, and only upload skeleton SVG files that you authored yourself. Note that the SVG vector requires the victim to perform the upload, so an attacker must supply the file through some out-of-band channel; be suspicious of skeleton templates received from others.
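As an added example that is not CVAT project code and not the 2.55.0 fix, the following Python script covers both vectors named in the description and the mitigation above: it screens a skeleton SVG for the CWE-83/CWE-79 hazards (script elements, on* event handlers, scripting schemes in href, script-bearing CSS) and shows the output encoding that neutralizes a crafted label name. The function names, the blocking policy, and the sample SVG documents are this example's own constructions.

```python
"""
Offline checker for the two injection vectors named in the advisory above:
a label name that the UI renders, and an SVG uploaded as a skeleton template.
Added example, not CVAT project code; the function names and the blocking
policy are this example's own assumptions, not the 2.55.0 fix.
"""
import html
import re
import xml.etree.ElementTree as ET

# SVG elements that execute script or smuggle arbitrary HTML into the page.
FORBIDDEN_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# URL-bearing attributes where a scripting scheme is dangerous (CWE-83).
URL_ATTRIBUTES = {"href", "src"}  # xlink:href arrives as a namespaced "href"
# Browsers ignore whitespace/control characters inside a scheme, so strip them
# before matching; this catches "jav<TAB>ascript:" style obfuscation.
_SCHEME_NOISE = re.compile(r"[\x00-\x20]")
# data: is rejected too, since data:text/html and data:image/svg+xml can carry script.
_DANGEROUS_SCHEME = re.compile(r"^(javascript|vbscript|data):", re.IGNORECASE)
# Legacy CSS hooks that have executed script in some engines.
_CSS_SCRIPT = re.compile(r"expression\s*\(|url\s*\(\s*['\"]?\s*javascript:", re.IGNORECASE)


def _local(qualified_name: str) -> str:
    """Drop an ElementTree namespace prefix: '{http://.../svg}script' -> 'script'."""
    return qualified_name.rsplit("}", 1)[-1].lower()


def find_svg_hazards(svg_text: str) -> list[str]:
    """Return a list of findings for an SVG document; an empty list means clean.

    Fails closed: input that does not parse as XML is itself a finding, because
    a browser's error-tolerant parser may still turn it into live markup.
    """
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable SVG: {exc}"]

    findings: list[str] = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in FORBIDDEN_ELEMENTS:
            findings.append(f"forbidden element <{tag}>")
        for raw_name, value in elem.attrib.items():
            name = _local(raw_name)
            if name.startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name in URL_ATTRIBUTES and _DANGEROUS_SCHEME.match(_SCHEME_NOISE.sub("", value)):
                findings.append(f"scripting scheme in {name} on <{tag}>")
            elif name == "style" and _CSS_SCRIPT.search(value):
                findings.append(f"script-bearing style attribute on <{tag}>")
        if tag == "style" and elem.text and _CSS_SCRIPT.search(elem.text):
            findings.append("script-bearing <style> element")
    return findings


def escape_label_name(name: str) -> str:
    """Output-encode a label name for an HTML text or attribute position.

    The label vector is an output-encoding bug, not an input-validation one:
    a name such as '<img src=x onerror=...>' is legitimate data and must be
    stored as-is, then encoded at render time so it appears as literal text.
    """
    return html.escape(name, quote=True)


# Constructed samples (not taken from the advisory): one harmless skeleton and
# two crafted ones, exercising an event handler and an obfuscated javascript: URL.
BENIGN_SKELETON = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
  <circle cx="50" cy="20" r="4" data-label-id="1"/>
  <line x1="50" y1="20" x2="50" y2="60"/>
</svg>"""

EVENT_HANDLER_SKELETON = """<svg xmlns="http://www.w3.org/2000/svg">
  <circle cx="10" cy="10" r="4" onload="alert(document.cookie)"/>
</svg>"""

JS_HREF_SKELETON = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="jav&#x09;ascript:alert(1)"><text x="5" y="10">click</text></a>
</svg>"""

if __name__ == "__main__":
    for title, doc in [("benign", BENIGN_SKELETON),
                       ("event handler", EVENT_HANDLER_SKELETON),
                       ("javascript: href", JS_HREF_SKELETON)]:
        print(f"{title}: {find_svg_hazards(doc) or 'clean'}")
    print(escape_label_name('<img src=x onerror=alert(1)>'))
```

Two caveats for anyone using this as a pre-upload screen on an unpatched deployment. The standard-library XML parser is stricter than a browser's, so the check deliberately rejects anything that does not parse rather than guessing how the browser would recover; and because it parses attacker-controlled XML, a production version should use a hardened parser such as defusedxml to avoid entity-expansion attacks. Neither check substitutes for the upgrade, which fixes the rendering side where the bug actually lives.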
