CVE-2026-7680

MEDIUM

jsbroks COCO Annotator Data Endpoint datasets.py path traversal

Title source: cna

Description

A weakness has been identified in jsbroks COCO Annotator up to 0.11.1. Affected is an unknown function of the file backend/webserver/api/datasets.py of the component Data Endpoint. Executing a manipulation of the argument folder can lead to path traversal. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

Core 4

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-360833 | jsbroks COCO Annotator Data Endpoint datasets.py path traversal

https://vuldb.com/vuln/360833

Signature, Permissions Required signature permissions-required

VDB-360833 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/vuln/360833/cti

Third Party Advisory third-party-advisory

Submit #801150 | jsbroks COCO Annotator 0.11.1 Absolute Path Traversal

https://vuldb.com/submit/801150

Exploit broken-link exploit

https://github.com/natanmorette-thoropass/thoropass-vuln-research-program/tree/main/2026/Path%20Traversal%20via%20Dataset%20Folder%20Parameter

View Exploit ZIP pw:eip

Scores

CVSS v3 4.3

EPSS 0.0001

EPSS Percentile 3.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (2)

jsbroks/COCO Annotator 0.11.0

jsbroks/COCO Annotator 0.11.1

Published May 03, 2026

Tracked Since May 03, 2026