CVE-2026-44369

Published: Mag 14, 2026 Last Modified: Mag 14, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 8,5

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: passive

Confidentiality: N/A

Integrity: N/A

Availability: N/A

Description

AI Translation Available

CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to create or edit an annotation guide on a task is able to add malicious JavaScript code, which will then run in the browser of anyone who opens this annotation guide. This code will be able to make arbitrary requests to CVAT with the victim user's privileges. This vulnerability is fixed in 2.64.0.

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Incomplete

Abstraction: Variant Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity Availability

Potential Impacts:

Read Application Data Execute Unauthorized Code Or Commands

Applicable Platforms

Technologies: Web Based, Web Server

Likelihood of Exploit: High

View CWE Details

https://github.com/cvat-ai/cvat/commit/ad9e90003d8234ac7602…

https://github.com/cvat-ai/cvat/commit/ad9e90003d8234ac7602598b109dc11450321dfc

https://github.com/cvat-ai/cvat/security/advisories/GHSA-m2…

https://github.com/cvat-ai/cvat/security/advisories/GHSA-m2h7-6xqm-p9v5

CVE-2026-44369

Description

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Common Consequences

Applicable Platforms

Iscriviti alla newsletter