CVE-2026-23516

Jan. 21, 2026, 10:15 p.m.

8.6
High

Description

CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.2.0 through 2.54.0, an attacker is able to execute arbitrary JavaScript in a victim user's CVAT UI session, provided that they are able to create a maliciously crafted label in a CVAT task or project, then get the victim user to either edit that label, or view a shape that refers to that label; and/or get the victim user to upload a maliciously crafted SVG image when configuring a skeleton. This gives the attacker temporary access to all CVAT resources that the victim user can access. Version 2.55.0 fixes the issue.

Product(s) Impacted

Vendor Product Versions
Cvat
  • Cvat
  • 2.2.0-2.54.0, 2.55.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-83
Improper Neutralization of Script in Attributes in a Web Page
The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a cvat cvat 2.2.0-2.54.0 / / / / / / /
a cvat cvat 2.55.0 / / / / / / /

References

https://github.com/cvat-ai/cvat/commit/40800707fe39e3ff76c8d036eb953eb12d764e70
https://github.com/cvat-ai/cvat/security/advisories/GHSA-3m7p-wx65-c7mp

Tags

[email protected]
CWE-83
2026-01-21
CVE-2026-23516

CVSS Score

8.6 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: NONE
  • User Interaction: PASSIVE
  • Scope:
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: NONE
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: Jan. 21, 2026, 10:15 p.m.
Last Modified: Jan. 21, 2026, 10:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.