CVE-2026-22033

Name of the Vulnerable Software and Affected Versions Label Studio versions prior to 1.22.0

Description Label Studio is a multi-type data labeling and annotation tool. A persistent stored cross-site scripting (XSS) issue exists in the custom hotkeys functionality. An authenticated attacker, or someone who can manipulate a user/administrator into updating their custom hotkeys, can inject JavaScript code. This code executes in other users’ browsers when they load pages using the templates/base.html template. The application exposes an API endpoint ''/api/current-user/token'' to the browser and has insufficient CSRF protection on some API endpoints, allowing the injected script to potentially obtain a victim’s API token or trigger token reset actions, leading to full account takeover and unauthorized API access. The variable custom hotkeys is involved in this issue.

Recommendations Update to a version later than 1.22.0.