179 matches found
EUVD-2026-1921
Label Studio is a multi-type data labeling and annotation tool. In 1.22.0 and earlier, a persistent stored cross-site scripting XSS vulnerability exists in the customhotkeys functionality of the application. An authenticated attacker or one who can trick a user/administrator into updating their...
CVE-2026-22033 Label Studio vulnerable to full account takeover by chaining Stored XSS + IDOR in User Profile via custom_hotkeys field
Label Studio is a multi-type data labeling and annotation tool. In 1.22.0 and earlier, a persistent stored cross-site scripting XSS vulnerability exists in the customhotkeys functionality of the application. An authenticated attacker or one who can trick a user/administrator into updating their...
CVE-2026-22033 Label Studio vulnerable to full account takeover by chaining Stored XSS + IDOR in User Profile via custom_hotkeys field
Label Studio is a multi-type data labeling and annotation tool. In 1.22.0 and earlier, a persistent stored cross-site scripting XSS vulnerability exists in the customhotkeys functionality of the application. An authenticated attacker or one who can trick a user/administrator into updating their...
CVE-2026-22033
Label Studio (1.22.0 and earlier) is affected by a persistent stored XSS in the custom_hotkeys field. An authenticated attacker (or one who can trick a user into updating custom_hotkeys) can inject JavaScript that runs in other users’ browsers when loading pages using templates/base.html. The app...
GHSA-2MQ9-HM29-8QCH Label Studio is vulnerable to full account takeover by chaining Stored XSS + IDOR in User Profile via custom_hotkeys field
Prologue These vulnerabilities have been found and chained by DCODX-AI. Validation of the exploit chain has been confirmed manually. Summary A persistent stored cross-site scripting XSS vulnerability exists in the customhotkeys functionality of the application. An authenticated attacker or one wh...
rm-gallery (>=0.1.0 <=0.1.2) potentially affected by CVE-2026-22033 via label-studio (=1.17.0)
label-studio PYPI version =1.17.0 is affected by a known vulnerability. The following packages have a transitive dependency on label-studio and may be impacted: - rm-gallery =0.1.0, =0.1.2 Source cves: CVE-2026-22033 Source advisory: OSV:GHSA-2MQ9-HM29-8QCH...
rm-gallery (>=0.1.0 <=0.1.2) potentially affected by CVE-2026-22033 via label-studio (=1.17.0)
label-studio PYPI version =1.17.0 is affected by a known vulnerability. The following packages have a transitive dependency on label-studio and may be impacted: - rm-gallery =0.1.0, =0.1.2 Source cves: CVE-2026-22033 Source advisory: SNYK:PYTHON-LABELSTUDIO-14914483...
Cross-site Scripting (XSS)
Overview label-studio is a Label Studio annotation tool Affected versions of this package are vulnerable to Cross-site Scripting XSS via the customhotkeys process. An attacker can execute arbitrary JavaScript in the context of another user's browser and gain unauthorized access to sensitive API...
Label Studio 访问控制错误漏洞
Label Studio is an open source data labeling tool from Heartex Open Source. Allows you to use a simple and clear UI mark audio, text, images, video and time series and other data types , and exported to a variety of model formats. An access control error vulnerability exists in Label Studio 1.22....
PT-2026-2287
Name of the Vulnerable Software and Affected Versions Label Studio versions prior to 1.22.0 Description Label Studio is a multi-type data labeling and annotation tool. A persistent stored cross-site scripting XSS issue exists in the custom hotkeys functionality. An authenticated attacker, or...
Missing Authorization
Overview label-studio-sso is a Native JWT authentication for Label Studio OSS - simple and secure SSO integration Affected versions of this package are vulnerable to Missing Authorization due to missing validation in the SSO token API. The API does not restrict account creation to pre-registered...
Cross-site Request Forgery (CSRF)
Overview label-studio-sso is a Native JWT authentication for Label Studio OSS - simple and secure SSO integration Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF due to an improper exemption in the JWTSSOSessionAuthentication mechanism that disables CSRF token...
EUVD-2024-0544
Malicious code in bioql PyPI...
EUVD-2024-0084
Malicious code in bioql PyPI...
EUVD-2024-0083
Malicious code in bioql PyPI...
EUVD-2023-0107
Malicious code in bioql PyPI...
EUVD-2025-4107
Malicious code in bioql PyPI...
EUVD-2025-4106
Malicious code in bioql PyPI...
EUVD-2025-16264
Malicious code in bioql PyPI...
EUVD-2025-4105
Malicious code in bioql PyPI...