6 matches found
Label Studio < 1.16.0 - Cross-Site Scripting
Label Studio prior to version 1.16.0 contains a cross-site scripting caused by rendering unsanitized user-provided HTML in the /projects/upload-example endpoint, letting attackers execute arbitrary JavaScript via crafted labelconfig in a GET request, exploit requires victims to visit malicious UR...
Cross-site Scripting (XSS)
Overview label-studio is a Label Studio annotation tool Affected versions of this package are vulnerable to Cross-site Scripting XSS via the labelconfig parameter in labelstudio/projects/views.py. An attacker can execute arbitrary scripts in the context of the user's browser by sending malicious...
PYSEC-2025-124
Label Studio is a multi-type data labeling and annotation tool. A vulnerability in versions prior to 1.18.0 allows an attacker to inject a malicious script into the context of a web page, which can lead to data theft, session hijacking, unauthorized actions on behalf of the user, and other attack...
Label Studio 跨站脚本漏洞
Label Studio is an open source data labeling tool from Heartex Open Source. It allows you to label data types such as audio, text, images, video, and time series using a straightforward UI and export to a variety of model formats. A cross-site scripting vulnerability exists in Label Studio versio...
Cross-site Scripting (XSS)
Overview label-studio is a Label Studio annotation tool Affected versions of this package are vulnerable to Cross-site Scripting XSS through the /projects/upload-example endpoint due to improper sanitization of the input passed to the labelconfig query parameter. PoC Create a malicious label conf...
GHSA-WPQ5-3366-MQW4 Label Studio allows Cross-Site Scripting (XSS) via GET request to `/projects/upload-example` endpoint
Description Label Studio's /projects/upload-example endpoint allows injection of arbitrary HTML through a GET request with an appropriately crafted labelconfig query parameter. By crafting a specially formatted XML label config with inline task data containing malicious HTML/JavaScript, an attack...