HIGHCVE-2026-44369Published 2026-05-13Modified 2026-05-15CNA GitHub_M

CVE-2026-44369: CVAT: Stored XSS via annotation guides

CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to create or edit an annotation guide on a task is able to add malicious JavaScript code, which will then run in the browser of anyone who opens this annotation guide. This code will be able to make arbitrary requests to CVAT with the victim user's privileges. This vulnerability is fixed in 2.64.0.

CVSS v4.0: 8.5
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

cvat-ai / cvat
>= 2.5.0, < 2.64.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

https://github.com/cvat-ai/cvat/security/advisories/GHSA-m2h7-6xqm-p9v5
https://github.com/cvat-ai/cvat/commit/ad9e90003d8234ac7602598b109dc11450321dfc

Metrics