CVE-2026-23516
BaseFortify

Publication date: 2026-01-21

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.2.0 through 2.54.0, an attacker is able to execute arbitrary JavaScript in a victim user's CVAT UI session, provided that they are able to create a maliciously crafted label in a CVAT task or project, then get the victim user to either edit that label, or view a shape that refers to that label; and/or get the victim user to upload a maliciously crafted SVG image when configuring a skeleton. This gives the attacker temporary access to all CVAT resources that the victim user can access. Version 2.55.0 fixes the issue.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-22
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Vendor   Product                           Version / Range
cvat     computer_vision_annotation_tool   From 2.2.0 (inc) to 2.55.0 (exc)
CWE ID   Description
CWE-79   The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-83   The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in CVAT versions 2.2.0 through 2.54.0 allows an attacker to execute arbitrary JavaScript code within a victim user's CVAT UI session. The attacker can achieve this by creating a maliciously crafted label in a CVAT task or project and then tricking the victim user into either editing that label or viewing a shape that refers to it. Alternatively, the attacker can have the victim upload a maliciously crafted SVG image when configuring a skeleton. This results in the attacker gaining temporary access to all CVAT resources accessible to the victim user. The issue is fixed in version 2.55.0.

How can this vulnerability impact me?

The vulnerability can lead to an attacker executing arbitrary JavaScript code in your CVAT user interface session, which can give them temporary access to all CVAT resources that you can access. This means sensitive data, project information, or other resources within CVAT could be exposed or manipulated by the attacker during the session.

What immediate steps should I take to mitigate this vulnerability?

Upgrade CVAT to version 2.55.0 or later, as this version fixes the vulnerability that allows arbitrary JavaScript execution. Until the upgrade, avoid opening or editing labels or shapes that could contain maliciously crafted content, and do not upload SVG images from untrusted sources when configuring skeletons.