Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A weakness has been identified in jsbroks COCO Annotator up to 0.11.1. Affected is an unknown function of the file backend/webserver/api/datasets.py of the component Data Endpoint. Executing a manipulation of the argument folder can lead to path traversal. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Path traversal in jsbroks COCO Annotator up to version 0.11.1 allows authenticated remote attackers to access arbitrary files on the server by manipulating the folder argument in the Data Endpoint (backend/webserver/api/datasets.py). The vulnerability requires valid user credentials and an attacker can only read files with limited technical impact, but publicly available exploit code exists and the vendor has not responded to disclosure attempts.
Technical ContextAI
The vulnerability exists in the backend/webserver/api/datasets.py component of COCO Annotator, specifically in the Data Endpoint handler. The affected functionality processes a folder parameter from user input without proper path sanitization or validation. This allows an attacker to use path traversal sequences (such as ../ or absolute paths) to navigate outside the intended dataset directory and access files elsewhere on the filesystem. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) classifies this common input validation weakness where user-supplied path data is not canonicalized or validated before use in file operations. The CPE identifier (cpe:2.3:a:jsbroks:coco_annotator:*:*:*:*:*:*:*:*) indicates all versions up to and including 0.11.1 are affected.
RemediationAI
Upgrade jsbroks COCO Annotator to a version newer than 0.11.1 if available from the vendor. However, given the vendor's non-response to the original disclosure, verify that an updated version with a path traversal fix is actually available before upgrading, as the project may be unmaintained. As a compensating control if no patch is available, implement access restrictions by deploying COCO Annotator behind a web application firewall or reverse proxy configured to block path traversal patterns in the folder parameter (specifically reject requests containing ../, ..\, or encoded equivalents such as %2e%2e%2f). Additionally, run COCO Annotator with a minimally-privileged service account that has read access only to necessary dataset directories and configuration files, limiting the exposure of sensitive files even if path traversal is successfully exploited. Monitor application logs for repeated access attempts with path traversal sequences. These controls do not eliminate the vulnerability but reduce the likelihood and impact of successful exploitation.
More in Coco Annotator
View allA vulnerability, which was classified as problematic, was found in jsbroks COCO Annotator 0.11.1. Rated medium severity
Authorization bypass in jsbroks COCO Annotator up to version 0.11.1 allows remote unauthenticated attackers to modify da
Coco Annotator versions up to 0.11.1. is affected by improper resource shutdown or release (CVSS 5.3).
Coco Annotator through version 0.11.1 contains an authorization bypass in the Delete Category Handler endpoint (/api/und
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26816