CVE-2026-7680

Name of the Vulnerable Software and Affected Versions jsbroks COCO Annotator versions prior to 0.11.2

Description A path traversal issue exists in the Data Endpoint component within the file backend/webserver/api/datasets.py. A remote attacker can manipulate the folder argument to access files and directories outside the intended folder. Path traversal is a technique that allows an attacker to read or write files on the server by using special characters like "../" to navigate the file system.

Recommendations Update jsbroks COCO Annotator to a version newer than 0.11.1. As a temporary workaround, restrict access to the Data Endpoint or avoid using the folder argument in the affected API endpoint until a patch is applied.