CVE-2026-23516

UNKNOWN 0.0

CVAT vulnerable to XSS via skeleton SVG images

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.2.0 through 2.54.0, an attacker is able to execute arbitrary JavaScript in a victim user's CVAT UI session, provided that they are able to create a maliciously crafted label in a CVAT task or project, then get the victim user to either edit that label, or view a shape that refers to that label; and/or get the victim user to upload a maliciously crafted SVG image when configuring a skeleton. This gives the attacker temporary access to all CVAT resources that the victim user can access. Version 2.55.0 fixes the issue.

CWE	CWE-83
Vendor	cvat-ai
Product	cvat
Published	Jan 21, 2026
Last Updated	Feb 26, 2026

Stay Ahead of the Next One

Get instant alerts for cvat-ai cvat

Be the first to know when new unknown vulnerabilities affecting cvat-ai cvat are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

cvat-ai / cvat

>= 2.2.0, < 2.55.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/cvat-ai/cvat/security/advisories/GHSA-3m7p-wx65-c7mp github.com: https://github.com/cvat-ai/cvat/commit/40800707fe39e3ff76c8d036eb953eb12d764e70