Skip to main content

AI / ML CVE-2026-23516

MEDIUM
Improper Neutralization of Script in Attributes in a Web Page (CWE-83)
2026-01-21 security-advisories@github.com
RCE AI / ML Computer Vision Annotation Tool
5.4
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
Patch released
Feb 20, 2026 - 20:08 nvd
Patch available
CVE Published
Jan 21, 2026 - 22:15 nvd
MEDIUM 5.4

DescriptionNVD

CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.2.0 through 2.54.0, an attacker is able to execute arbitrary JavaScript in a victim user's CVAT UI session, provided that they are able to create a maliciously crafted label in a CVAT task or project, then get the victim user to either edit that label, or view a shape that refers to that label; and/or get the victim user to upload a maliciously crafted SVG image when configuring a skeleton. This gives the attacker temporary access to all CVAT resources that the victim user can access. Version 2.55.0 fixes the issue.

AnalysisAI

CVAT is an open source interactive video and image annotation tool for computer vision. [CVSS 5.4 MEDIUM]

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 30 days: Identify affected systems running versions 2.2.0 and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-23516 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy