PT-2026-3868 · Intel · Cvat
Arkmarta · Published 2026-01-21 · Updated 2026-01-21
CVE-2026-23516 · CVSS v4.0 8.6 (High)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
CVAT versions 2.2.0 through 2.54.0
Description
CVAT is an interactive video and image annotation tool for computer vision. An attacker can execute arbitrary JavaScript in a victim user's CVAT UI session. This is possible by creating a maliciously crafted label in a CVAT task or project, and then getting the victim user to either edit that label or view a shape referencing that label. Alternatively, the attacker can get the victim user to upload a maliciously crafted SVG image when configuring a skeleton. Successful exploitation grants the attacker temporary access to all CVAT resources accessible to the victim user.
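As an added defensive example for the SVG-upload vector described above (this is not CVAT's code or its fix), a server-side pre-check that rejects a skeleton SVG carrying scripting elements, inline event handlers or non-local hrefs before it is stored and later rendered in another user's browser. The function name and both sample SVGs are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Element names that can carry executable or externally loaded content.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}


def local_name(qualified: str) -> str:
    """Strip an XML namespace prefix such as '{http://www.w3.org/2000/svg}'."""
    return qualified.rsplit("}", 1)[-1]


def find_active_content(svg_text: str) -> list[str]:
    """Return reasons to reject the SVG (empty list means nothing was found).

    Deny-list check: scripting elements, on* event handlers and href values
    that do not point at a fragment inside the same document.
    """
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable SVG: {exc}"]
    findings = []
    for elem in root.iter():
        name = local_name(elem.tag)
        if name in ACTIVE_TAGS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            aname = local_name(attr).lower()
            if aname.startswith("on"):
                findings.append(f"{aname} handler on <{name}>")
            elif aname == "href" and not value.strip().startswith("#"):
                findings.append(f"non-local href on <{name}>")
    return findings


# Constructed sample: a harmless two-joint skeleton.
CLEAN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="20" cy="20" r="4"/><circle cx="80" cy="80" r="4"/>
  <line x1="20" y1="20" x2="80" y2="80" stroke="black"/>
</svg>"""

# Constructed sample: the same skeleton with active content added (markers only, no payload).
CRAFTED_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="/* constructed marker */">
  <circle cx="20" cy="20" r="4"/>
  <script>/* constructed marker */</script>
  <use xlink:href="http://example.invalid/external.svg#a"/>
</svg>"""
```

A check like this belongs on the upload path, not only in the UI, since the stored SVG is what every later viewer receives.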
Recommendations
Update to version 2.55.0 or later.
Exploit
Fix
XSS
Related Identifiers
Affected Products
Cvat