CVAT: Stored XSS via annotation guides_CVE-2026-44369

8.5 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Description

CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to create or edit an annotation guide on a task is able to add malicious JavaScript code, which will then run in the browser of anyone who opens this annotation guide. This code will be able to make arbitrary requests to CVAT with the victim user's privileges. This vulnerability is fixed in 2.64.0.

AI Analysis

Stored XSS vulnerability via annotation guides, allowing malicious JavaScript code execution with victim user's privileges

Basic Information

ID CVE-2026-44369

Source GitHub_M

Published May 13, 2026 at 21:32

Affected Product

Vendor cvat-ai

Product cvat

Version >= 2.5.0, < 2.64.0

Affected Versions cvat-ai cvat >= 2.5.0, < 2.64.0

CWE Classification

CWE-80

AI Assessment

AI Score 8.5 / 10

AI Severity High

Vendor cvat-ai

Product CVAT

Version 2.5.0-2.63.0

References

{
    "lastseen": "",
    "description": "CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to create or edit an annotation guide on a task is able to add malicious JavaScript code, which will then run in the browser of anyone who opens this annotation guide. This code will be able to make arbitrary requests to CVAT with the victim user's privileges. This vulnerability is fixed in 2.64.0.",
    "published": "2026-05-13T21:32:15.833Z",
    "modified": "2026-05-13T21:32:15.833Z",
    "type": "cve",
    "title": "CVAT: Stored XSS via annotation guides",
    "source": "GitHub_M",
    "references": "https://github.com/cvat-ai/cvat/security/advisories/GHSA-m2h7-6xqm-p9v5\nhttps://github.com/cvat-ai/cvat/commit/ad9e90003d8234ac7602598b109dc11450321dfc",
    "id": "CVE-2026-44369",
    "bulletinFamily": "",
    "cwe": [
        "CWE-80"
    ],
    "cvelist": null,
    "sourceData": "cvat-ai cvat >= 2.5.0, < 2.64.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.5,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "cvat",
    "version": ">= 2.5.0, < 2.64.0",
    "vendor": "cvat-ai",
    "ai_description": "Stored XSS vulnerability via annotation guides, allowing malicious JavaScript code execution with victim user's privileges",
    "ai_severity": "High",
    "ai_vendor": "cvat-ai",
    "ai_product": "CVAT",
    "ai_version": "2.5.0-2.63.0",
    "ai_score": 8.5
}