XSS in Cvat-ai Cvat
CVE-2026-44369
CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to create or edit an annotation guide on a task is able to add malicious JavaScript code, which will then…
EPSS: 0.001 (16.7th percentile)
Affected products
- Cvat-ai Cvat — versions >= 2.5.0, < 2.64.0
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM)
- security-advisories@github.com (x_refsource_MISC)