CVE-2026-44369— CVAT: Stored XSS via annotation guides
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44369
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
CVAT: Stored XSS via annotation guides
Source: NVD (National Vulnerability Database)
Vulnerability Description
CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to create or edit an annotation guide on a task is able to add malicious JavaScript code, which will then run in the browser of anyone who opens this annotation guide. This code will be able to make arbitrary requests to CVAT with the victim user's privileges. This vulnerability is fixed in 2.64.0.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
Web页面中脚本相关HTML标签转义处理不恰当(基本跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
CVAT.ai CVAT 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
CVAT.ai CVAT是CVAT.ai开源的一个数据处理工具。 CVAT.ai CVAT 2.5.0版本至2.63.0版本存在安全漏洞,该漏洞源于能够在任务上创建或编辑注释指南的攻击者可添加恶意JavaScript代码,导致在打开注释指南的浏览器中执行,并以受害者用户权限向CVAT发出任意请求。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-44369
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-44369
请登录查看更多情报信息。
- https://github.com/cvat-ai/cvat/security/advisories/GHSA-m2h7-6xqm-p9v5x_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2026-44369
IV. Related Vulnerabilities
Same product: cvat
- CVE-2026-23526
CVAT vulnerable to privilege escalation of users with staff - CVE-2026-23516
CVAT vulnerable to XSS via skeleton SVG images - CVE-2025-68430
CVAT vulnerable to directory traversal via mounted share lis - CVE-2025-64485
CVAT: Mounted share file overwrite via crafted request - CVE-2025-54573
CVAT vulnerable to email verification bypass by use of basic
Same vendor: cvat-ai
- CVE-2026-23526
CVAT vulnerable to privilege escalation of users with staff - CVE-2026-23516
CVAT vulnerable to XSS via skeleton SVG images - CVE-2025-68430
CVAT vulnerable to directory traversal via mounted share lis - CVE-2025-64485
CVAT: Mounted share file overwrite via crafted request - CVE-2025-54573
CVAT vulnerable to email verification bypass by use of basic
Same weakness: CWE-80
- CVE-2026-45346
Open WebUI: Stored Cross-Site Scripting in SVG Renderer - CVE-2025-15345
MapGeo - Interactive Geo Maps <= 1.6.27 - Reflected Cross-Si - CVE-2026-44259
efw4.X: Stored XSS via previewServlet - CVE-2026-41611
Visual Studio Code Remote Code Execution Vulnerability - CVE-2021-47948
WordPress GetPaid Plugin 2.4.6 HTML Injection via Help Text
V. Comments for CVE-2026-44369
No comments yet