Description
CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to create or edit an annotation guide on a task can add malicious JavaScript code to it, which then runs in the browser of anyone who opens that annotation guide. The injected code can make arbitrary requests to CVAT with the victim user's privileges. This vulnerability is fixed in 2.64.0.
References (2)
x_refsource_confirm: https://github.com/cvat-ai/cvat/security/advisories/GHSA-m2h7-6xqm-p9v5
x_refsource_misc: https://github.com/cvat-ai/cvat/commit/ad9e90003d8234ac7602598b109dc11450321dfc
Scores
CVSS v4: 8.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.0005
EPSS Percentile: 14.5%
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page, Basic XSS)
Status: published
Products (1)
cvat-ai/cvat: >= 2.5.0, < 2.64.0
Published: May 13, 2026
Tracked Since: May 14, 2026