PT-2026-40818 · Cvat · Cvat

Published 2026-05-13 · Updated 2026-05-14 · CVE-2026-44369

CVSS v4.0

8.5 High

Vector

AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

CVAT versions 2.5.0 through 2.63.0

Description

An attacker with permissions to create or edit an annotation guide on a task can inject malicious JavaScript code. This code executes in the browser of any user who opens the affected guide, allowing the attacker to make arbitrary requests to the system using the victim's privileges. This is a stored cross-site scripting (XSS) issue, where malicious scripts are permanently stored on the server and served to other users.

Recommendations

Update to version 2.64.0.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-44369

Affected Products

Cvat