XSS in Humansignal Label-studio
CVE-2026-22033
Label Studio is a multi-type data labeling and annotation tool. In 1.22.0 and earlier, a persistent stored cross-site scripting (XSS) vulnerability exists in the custom_hotkeys functionality of the application. An authenticated attacker (o…
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.000 (2.7th percentile)
Affected products
- Humansignal Label-studio — versions <= 1.22.0
Weakness classification (CWE)
References
- https://github.com/HumanSignal/label-studio/security/advisories/GHSA-2mq9-hm29-8qch (x_refsource_CONFIRM)
- https://github.com/HumanSignal/label-studio/pull/9084 (x_refsource_MISC)
- https://github.com/HumanSignal/label-studio/commit/ea2462bf042bbf370b79445d02a205fbe547b505 (x_refsource_MISC)