Skip to main content

Cvat

2 CVEs product

Monthly

CVE-2026-58373 MEDIUM PATCH This Month

Cross-organization report enumeration in CVAT before 2.69.0 exposes the existence of quality reports belonging to other organizations to any authenticated user. The vulnerability stems from a missing authorization gate in QualityReportViewSet.get_queryset, where the parent_id query parameter is processed without invoking check_object_permissions, allowing cross-tenant enumeration via differential HTTP response analysis. No public exploit or CISA KEV listing exists, but the attack is trivially automatable by any authenticated user in a multi-organization CVAT deployment.

Authentication Bypass Cvat
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-44369 HIGH PATCH This Week

Stored cross-site scripting in CVAT (Computer Vision Annotation Tool) versions 2.5.0 through 2.63.0 allows an authenticated user with annotation-guide create/edit privileges to inject malicious JavaScript into a task's annotation guide, which executes in any victim's browser that opens it. Executed script runs with the victim's CVAT session privileges, enabling arbitrary API requests on their behalf. No public exploit identified at time of analysis; EPSS is low (0.05%) and SSVC reports no observed exploitation.

XSS Cvat
NVD GitHub
CVSS 4.0
8.5
EPSS
0.0%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Cross-organization report enumeration in CVAT before 2.69.0 exposes the existence of quality reports belonging to other organizations to any authenticated user. The vulnerability stems from a missing authorization gate in QualityReportViewSet.get_queryset, where the parent_id query parameter is processed without invoking check_object_permissions, allowing cross-tenant enumeration via differential HTTP response analysis. No public exploit or CISA KEV listing exists, but the attack is trivially automatable by any authenticated user in a multi-organization CVAT deployment.

Authentication Bypass Cvat
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Stored cross-site scripting in CVAT (Computer Vision Annotation Tool) versions 2.5.0 through 2.63.0 allows an authenticated user with annotation-guide create/edit privileges to inject malicious JavaScript into a task's annotation guide, which executes in any victim's browser that opens it. Executed script runs with the victim's CVAT session privileges, enabling arbitrary API requests on their behalf. No public exploit identified at time of analysis; EPSS is low (0.05%) and SSVC reports no observed exploitation.

XSS Cvat
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy