Skip to main content

jsbroks COCO Annotator CVE-2026-7680

| EUVDEUVD-2026-26816 LOW
Path Traversal (CWE-22)
2026-05-03 VulDB
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 06:30 vuln.today
Severity Changed
May 03, 2026 - 06:22 NVD
MEDIUM LOW
CVSS changed
May 03, 2026 - 06:22 NVD
4.3 (MEDIUM) 2.1 (LOW)
PoC Detected
May 03, 2026 - 06:15 vuln.today
Public exploit code
EUVD ID Assigned
May 03, 2026 - 06:00 euvd
EUVD-2026-26816
Analysis Generated
May 03, 2026 - 06:00 vuln.today
CVE Published
May 03, 2026 - 04:30 nvd
LOW 2.1

DescriptionCVE.org

A weakness has been identified in jsbroks COCO Annotator up to 0.11.1. Affected is an unknown function of the file backend/webserver/api/datasets.py of the component Data Endpoint. Executing a manipulation of the argument folder can lead to path traversal. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Path traversal in jsbroks COCO Annotator up to version 0.11.1 allows authenticated remote attackers to access arbitrary files on the server by manipulating the folder argument in the Data Endpoint (backend/webserver/api/datasets.py). The vulnerability requires valid user credentials and an attacker can only read files with limited technical impact, but publicly available exploit code exists and the vendor has not responded to disclosure attempts.

Technical ContextAI

The vulnerability exists in the backend/webserver/api/datasets.py component of COCO Annotator, specifically in the Data Endpoint handler. The affected functionality processes a folder parameter from user input without proper path sanitization or validation. This allows an attacker to use path traversal sequences (such as ../ or absolute paths) to navigate outside the intended dataset directory and access files elsewhere on the filesystem. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) classifies this common input validation weakness where user-supplied path data is not canonicalized or validated before use in file operations. The CPE identifier (cpe:2.3:a:jsbroks:coco_annotator:*:*:*:*:*:*:*:*) indicates all versions up to and including 0.11.1 are affected.

RemediationAI

Upgrade jsbroks COCO Annotator to a version newer than 0.11.1 if available from the vendor. However, given the vendor's non-response to the original disclosure, verify that an updated version with a path traversal fix is actually available before upgrading, as the project may be unmaintained. As a compensating control if no patch is available, implement access restrictions by deploying COCO Annotator behind a web application firewall or reverse proxy configured to block path traversal patterns in the folder parameter (specifically reject requests containing ../, ..\, or encoded equivalents such as %2e%2e%2f). Additionally, run COCO Annotator with a minimally-privileged service account that has read access only to necessary dataset directories and configuration files, limiting the exposure of sensitive files even if path traversal is successfully exploited. Monitor application logs for repeated access attempts with path traversal sequences. These controls do not eliminate the vulnerability but reduce the likelihood and impact of successful exploitation.

Share

CVE-2026-7680 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy