PT-2025-21251 · Unknown · Label Studio

Medok228 · Published 2025-05-14 · Updated 2025-05-19 · CVE-2025-47783

CVSS v4.0: 7.6 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: Label Studio versions prior to 1.18.0
Description: A cross-site scripting (XSS) vulnerability in Label Studio allows an attacker to inject a malicious script into the context of a web page, which can lead to data theft, session hijacking, unauthorized actions on behalf of the user, and other attacks. The issue is reproducible by sending a specially crafted request to the POST /projects/upload-example/ endpoint. The vulnerable code is located in label_studio/projects/views.py and involves handling of the label_config parameter.
Recommendations: For versions prior to 1.18.0, update to version 1.18.0, which contains a patch for the issue. As a temporary workaround, consider restricting access to the POST /projects/upload-example/ endpoint and avoiding use of the label_config parameter until the update is applied.

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2025-47783
GHSA-8JHR-WPCM-HH4H
PYSEC-2025-124

Affected Products

Label Studio