178 matches found

Nuclei
added 13 hours ago, 45 views

Label Studio - Cross-Site Scripting

Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as an HTML file on the website. id: CVE-2023-47115 info: name: Label Studio - Cross-Site Scripting author: isaca...

CVSS 7.1, AI score 6.5, EPSS 0.01448
Exploits: 1, References: 5

Nuclei
added 13 hours ago, 13 views

Label Studio < 1.16.0 - Cross-Site Scripting

Label Studio prior to version 1.16.0 contains a cross-site scripting vulnerability caused by rendering unsanitized user-provided HTML in the /projects/upload-example endpoint, letting attackers execute arbitrary JavaScript via a crafted labelconfig in a GET request; exploitation requires victims to visit malicious UR...

CVSS 6.1, AI score 6, EPSS 0.01778
Exploits: 2, References: 2

Nuclei
added yesterday, 50 views

Label Studio - Sensitive Information Exposure

An attacker can construct a filter chain to filter tasks based on sensitive fields for all user accounts on the platform by exploiting Django's Object Relational Mapper (ORM). Since the results of the query can be manipulated by the ORM filter, an attacker can leak these sensitive fields character by...

CVSS 7.5, AI score 6.8, EPSS 0.04055
Exploits: 3, References: 3

Nuclei
added 2026/06/04 3:48 a.m., 10 views

Label Studio < 1.18.0 - Reflected XSS

Label Studio 1.18.0 contains a stored XSS caused by improper sanitization in the POST /projects/upload-example/ endpoint, letting attackers inject malicious scripts to hijack sessions and perform unauthorized actions; exploitation requires sending crafted requests. id: CVE-2025-47783 info: name: Label...

CVSS 7.6, AI score 5.8, EPSS 0.00451
Exploits: 1, References: 1

Chainguard
added 2026/05/18 7:17 p.m., 8 views

GHSA-C38F-WX89-P2XG vulnerabilities

Vulnerabilities for packages: label-studio...

AI score 5.8
Exploits: 0

Chainguard
added 2026/05/18 7:17 p.m., 10 views

CVE-2026-44660 vulnerabilities

Vulnerabilities for packages: label-studio...

CVSS 8.7, AI score 5.8, EPSS 0.00374
Exploits: 1

Chainguard
added 2026/03/16 7:17 p.m., 10 views

CVE-2026-32274 vulnerabilities

Vulnerabilities for packages: open-webui, label-studio, nemo, kserve...

CVSS 8.7, AI score 7.3, EPSS 0.00424
Exploits: 0

Chainguard
added 2026/03/16 7:17 p.m., 3 views

GHSA-752W-5FWX-JX9F vulnerabilities

Vulnerabilities for packages: datadog-agent, datadog-agent-fips, authentik, authentik-fips, superset, litellm, keep-fips, vllm-openai-cuda-12.9, pgadmin4-fips, awx, az, metaflow-service-fips, airflow, py3-cassandra-medusa, kserve, dbt-snowflake, airflow-core, open-webui, opal, request-1276,...

AI score 5.8
Exploits: 0

Chainguard
added 2026/03/16 7:17 p.m., 4 views

GHSA-3936-CMFR-PM3M vulnerabilities

Vulnerabilities for packages: open-webui, label-studio, nemo, kserve...

AI score 5.8
Exploits: 0

Chainguard
added 2026/03/16 7:17 p.m., 3 views

CVE-2026-32597 vulnerabilities

Vulnerabilities for packages: datadog-agent, datadog-agent-fips, authentik, authentik-fips, superset, litellm, keep-fips, vllm-openai-cuda-12.9, pgadmin4-fips, awx, az, metaflow-service-fips, airflow, py3-cassandra-medusa, kserve, dbt-snowflake, airflow-core, open-webui, opal, request-1276,...

CVSS 7.5, AI score 6.6, EPSS 0.00198
Exploits: 1

Chainguard
added 2026/03/10 7:18 p.m., 3 views

CVE-2026-28350 vulnerabilities

Vulnerabilities for packages: label-studio...

CVSS 6.1, AI score 5.8, EPSS 0.00254
Exploits: 1

Chainguard
added 2026/03/10 7:18 p.m., 2 views

GHSA-XVP8-3MHV-424C vulnerabilities

Vulnerabilities for packages: label-studio...

AI score 5.8
Exploits: 0

Chainguard
added 2026/03/10 7:18 p.m., 4 views

CVE-2026-28348 vulnerabilities

Vulnerabilities for packages: label-studio...

CVSS 6.1, AI score 5.8, EPSS 0.00228
Exploits: 1

Chainguard
added 2026/03/10 7:18 p.m., 1 view

GHSA-HW26-MMPG-FQFG vulnerabilities

Vulnerabilities for packages: label-studio...

AI score 5.8
Exploits: 0

Chainguard
added 2026/01/29 1:27 p.m., 1 view

GHSA-2MQ9-HM29-8QCH vulnerabilities

Vulnerabilities for packages: label-studio...

AI score 5.9
Exploits: 0

Chainguard
added 2026/01/29 1:27 p.m., 7 views

CVE-2026-22033 vulnerabilities

Vulnerabilities for packages: label-studio...

CVSS 8.6, AI score 5.9, EPSS 0.00207
Exploits: 1

Veracode
added 2026/01/22 9:42 a.m., 4 views

Stored Cross-Site Scripting (XSS)

labelstudio is vulnerable to stored cross-site scripting (XSS). The vulnerability is due to insufficient sanitization of user-controlled input in the customhotkeys functionality, which allows an authenticated attacker or one who tricks a user/admin to inject malicious JavaScript that executes in oth...

CVSS 8.6, AI score 5.8, EPSS 0.00207
Exploits: 1, References: 5, Affected Software: 1

RedhatCVE
added 2026/01/13 10:52 p.m., 3 views

CVE-2026-22033

Label Studio is a multi-type data labeling and annotation tool. In 1.22.0 and earlier, a persistent stored cross-site scripting (XSS) vulnerability exists in the customhotkeys functionality of the application. An authenticated attacker or one who can trick a user/administrator into updating their...

CVSS 8.6, AI score 5.7, EPSS 0.00207
Exploits: 1, References: 1

NVD
added 2026/01/12 6:15 p.m., 6 views

CVE-2026-22033

Label Studio is a multi-type data labeling and annotation tool. In 1.22.0 and earlier, a persistent stored cross-site scripting (XSS) vulnerability exists in the customhotkeys functionality of the application. An authenticated attacker or one who can trick a user/administrator into updating their...

CVSS 8.6, EPSS 0.00207
Exploits: 1, References: 3

CVE
added 2026/01/12 5:47 p.m., 26 views

CVE-2026-22033

Label Studio (1.22.0 and earlier) is affected by a persistent stored XSS in the custom_hotkeys field. An authenticated attacker (or one who can trick a user into updating custom_hotkeys) can inject JavaScript that runs in other users’ browsers when loading pages using templates/base.html. The app...

CVSS 8.6, AI score 5.3, EPSS 0.00207
Exploits: 1, References: 3, Affected Software: 1