CVE-2026-7680
Path Traversal in COCO Annotator
Publication date: 2026-05-03
Last updated on: 2026-05-05
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jsbroks | coco_annotator | up to 0.11.1 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in jsbroks COCO Annotator up to version 0.11.1, specifically in an unknown function within the file backend/webserver/api/datasets.py in the Data Endpoint component.
It involves manipulation of the argument 'folder' which can lead to a path traversal attack. This means an attacker can craft input to access files and directories outside the intended folder structure.
The attack can be launched remotely, and the exploit code has been made publicly available.
How can this vulnerability impact me?
This vulnerability can allow an attacker to access files and directories on the server that should be restricted, potentially exposing sensitive information.
Since the attack can be performed remotely, it increases the risk of unauthorized data access without physical or local network access.
The impact is limited to information disclosure as the vulnerability does not affect integrity or availability according to the CVSS scores.
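A containment check for a client-supplied 'folder' value of the kind described above, as an added example: it is not COCO Annotator's code or its fix, and `resolve_folder`, `PathEscapeError` and the directory names are hypothetical. It resolves the requested path first and then compares path components, so relative climbs, absolute paths, symlinks and prefix-sharing sibling directories are all rejected.

```python
import os
import tempfile
from pathlib import Path


class PathEscapeError(ValueError):
    """Raised when a requested folder resolves outside the dataset root."""


def resolve_folder(dataset_root, folder):
    """Return the real path of `folder` inside `dataset_root`, or raise."""
    if "\x00" in folder:
        raise PathEscapeError("NUL byte in folder")
    root = Path(dataset_root).resolve(strict=True)
    # Joining an absolute `folder` discards `root`, and resolve() follows
    # symlinks and collapses "..", so the check runs on the final location.
    candidate = (root / folder).resolve()
    # Compare path components, not string prefixes: "/data/ds1-old" starts
    # with "/data/ds1" as a string but is a sibling directory.
    if candidate != root and root not in candidate.parents:
        raise PathEscapeError(f"{folder!r} resolves outside the dataset root")
    return candidate


def demo():
    """Run constructed inputs against a temporary tree; return the verdicts."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "ds1"                  # constructed dataset root
        (root / "images" / "train").mkdir(parents=True)
        (Path(tmp) / "ds1-old").mkdir()           # sibling sharing a prefix
        os.symlink(tmp, root / "link_out")        # symlink leaving the root
        for folder in ["images/train", "", "../ds1-old",
                       "images/../../ds1-old", "/etc", "link_out/ds1-old"]:
            try:
                resolve_folder(root, folder)
                results[folder] = "accepted"
            except PathEscapeError:
                results[folder] = "rejected"
    return results


if __name__ == "__main__":
    for folder, verdict in demo().items():
        print(f"{folder!r:28} {verdict}")
```
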