XSS in Cvat-ai Cvat
CVE-2026-23516
CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.2.0 through 2.54.0, an attacker is able to execute arbitrary JavaScript in a victim user's CVAT UI session, provided that they are able t…
EPSS: 0.001 (16.7th percentile)
Affected products
- Cvat-ai Cvat — versions >= 2.2.0, < 2.55.0
Weakness classification (CWE)
References
- https://github.com/cvat-ai/cvat/security/advisories/GHSA-3m7p-wx65-c7mp (x_refsource_CONFIRM)
- https://github.com/cvat-ai/cvat/commit/40800707fe39e3ff76c8d036eb953eb12d764e70 (x_refsource_MISC)