PT-2026-3868 · Intel · Cvat
Arkmarta · Published 2026-01-21 · Updated 2026-01-21 · CVE-2026-23516
CVSS v4.0 8.6 (High)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
CVAT versions 2.2.0 through 2.54.0
Description
CVAT is an interactive video and image annotation tool for computer vision. An attacker can execute arbitrary JavaScript in a victim user's CVAT UI session (stored XSS) by creating a maliciously crafted label in a CVAT task or project and then getting the victim to either edit that label or view a shape that references it. Alternatively, the attacker can get the victim to upload a maliciously crafted SVG image when configuring a skeleton. Because the payload runs in the victim's authenticated browser session, successful exploitation grants the attacker temporary access to all CVAT resources accessible to the victim user.
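The two ingredients of the issue described above, as an added example that is not CVAT's code and makes no claim about where in CVAT the unsafe rendering lived: a user-controlled label name interpolated into markup as HTML (the vulnerable pattern) next to the escaped rendering that defuses it, plus a heuristic pre-check for the kind of active content an uploaded SVG can smuggle in. The label payload and the two SVG documents are constructed samples; `renderLabelUnsafe`, `renderLabelSafe`, `escapeHtml` and `svgHasActiveContent` are hypothetical helper names.

```javascript
// Added example (not CVAT code): stored-XSS sink vs. escaped rendering,
// plus a heuristic check for active content in user-supplied SVG.

// Constructed attacker-controlled label name (hypothetical payload).
const CRAFTED_LABEL = '<img src=x onerror="alert(document.cookie)">';

// Vulnerable pattern: the raw name is spliced into markup that a page
// would later assign to innerHTML, so the <img onerror> executes.
function renderLabelUnsafe(name) {
  return `<span class="label">${name}</span>`;
}

// Escape the five HTML-significant characters before interpolating.
// (In a live DOM, setting element.textContent is the simpler equivalent.)
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: the same markup, but the name can only ever be text.
function renderLabelSafe(name) {
  return `<span class="label">${escapeHtml(name)}</span>`;
}

// Heuristic pre-check for SVG uploads: flags <script>, on*= event-handler
// attributes, javascript: URLs and <foreignObject>. This shows what to look
// for; a production path should run a real sanitizer (e.g. DOMPurify) or
// rasterize the SVG server-side rather than trust a regex.
function svgHasActiveContent(svg) {
  const patterns = [
    /<\s*script\b/i,          // inline script element
    /\son[a-z]+\s*=/i,        // onload=, onerror=, onclick=, ...
    /javascript\s*:/i,        // javascript: in href/xlink:href
    /<\s*foreignObject\b/i,   // embeds arbitrary HTML inside the SVG
  ];
  return patterns.some((re) => re.test(svg));
}

// Constructed sample SVGs: a plain shape and one carrying an onload handler.
const BENIGN_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>';
const MALICIOUS_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><circle r="4"/></svg>';

// Stand-alone demonstration.
console.log('unsafe :', renderLabelUnsafe(CRAFTED_LABEL));
console.log('safe   :', renderLabelSafe(CRAFTED_LABEL));
console.log('benign SVG flagged?   ', svgHasActiveContent(BENIGN_SVG));
console.log('malicious SVG flagged?', svgHasActiveContent(MALICIOUS_SVG));
```

The escaping fixes the label vector because the browser never sees a tag boundary in the name. The SVG check is deliberately conservative: it rejects anything with an event handler or script, which is the right default for an upload feature that only needs static skeleton geometry.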
Recommendations
Update to version 2.55.0 or later.
Exploit
Fix
XSS
Related identifiers
Affected products
Cvat