15 matches found
CVE-2025-23045
CVE-2025-23045 affects Computer Vision Annotation Tool (CVAT). An attacker with an account on an affected CVAT instance can execute arbitrary code in the Nuclio function container via serverless tracker functions (TransT and SiamMask); deployments with custom tracker functions may also be affecte...
CVE-2021-45046
Technical details for CVE-2021-45046 are not publicly provided in the supplied documents. Monitor for updates from official advisories; sources here reference fixes for other Log4j CVEs but do not specify 45046 specifics.
CVE-2024-47064
CVE-2024-47064 affects Computer Vision Annotation Tool (CVAT). The vulnerability is a reflected XSS via request endpoints that allows an attacker to lure a logged-in user to a malicious URL and cause the user’s browser to perform arbitrary API calls on behalf of the user, potentially exposing dat...
CVE-2024-37164
CVE-2024-37164 affects CVAT up to version 2.14.3. An account-attached SSRF vulnerability allows specifying cloud-storage endpoints with intranet/internals names to probe CVAT’s network and, if a compatible web server exists on that network, possibly create a linked cloud storage and later list, e...
CVE-2022-31188
CVAT (CVE-2022-31188) contains a Server-Side Request Forgery (SSRF) vulnerability in versions prior to 2.0.0, tied to URL handling without proper validation. Version 2.0.0 introduced input validation in the affected code path, and users are advised to upgrade to 2.0.0 or later. There are no docum...
CVE-2024-47063
CVAT (Computer Vision Annotation Tool) contains a stored XSS vulnerability via the quality report data endpoint. A malicious user with task-creation/edit permissions can lure another logged-in user to a crafted URL, potentially executing scripts in the victim’s browser. Affected versions are prio...
CVE-2024-37306
CVAT (Computer Vision Annotation Tool) information disclosure via CSRF affects versions 2.2.0–2.14.3. The vulnerability enables an attacker who can lure a logged‑in CVAT user to a malicious URL to trigger a dataset export or backup from a project/task/job the user can export, directing output to ...
CVE-2025-48381
CVAT (Computer Vision Annotation Tool) has a disclosed information-disclosure vulnerability affecting versions 2.4.0 through 2.37.x, where an authenticated user could retrieve IDs and names of tasks, projects, and labels, plus IDs of jobs and quality reports, potentially enabling information expo...
CVE-2024-45393
Summary: CVAT prior to 2.18.0 is affected by a vulnerability where an account holder can access webhook delivery information for any webhook (including others’) and can redeliver past deliveries or trigger a ping event. The underlying issue is missing authorization for webhook delivery endpoints....
CVE-2024-47172
CVAT vulnerability (CVE-2024-47172) : Multiple connected sources confirm that CVAT (Computer Vision Annotation Tool) versions prior to 2.19.1 are affected. An attacker with a CVAT account can retrieve information about any project, task, job, or membership resource on the instance, mirroring data...
CVE-2025-54573
CVAT (open-source tool for video/image annotation) is affected in versions 1.1.0 through 2.41.0 due to email verification not being enforced when using Basic HTTP Authentication. This allows account creation with fake emails and potential bot signups, treating users as verified. The issue is addr...
CVE-2025-49135
CVAT (open source CV annotation tool) versions 2.2.0–2.39.0 have a missing validation during the import of project/task backups, where the filename in the query parameter is not verified to refer to a TUS-uploaded file owned by the same user. An account with a user role who knows other users’ fil...
CVE-2026-23526
CVAT (open-source annotation tool) versions 1.0.0–2.54.0 contain a privilege-escalation issue where users with staff status can freely change their permissions, including granting themselves superuser status and joining the admin group, thereby obtaining full access to data in the instance. The i...
CVE-2026-23516
CVAT (open-source annotation tool) is affected in versions 2.2.0–2.54.0 by an XSS-like vulnerability that lets an attacker execute arbitrary JavaScript in a victim user’s CVAT UI session. The attack requires the attacker to create a malicious label or an SVG in a skeleton configuration and coerce...
CVE-2025-68430
CVE-2025-68430 affects CVAT, an open source video/image annotation tool. Versions 2.8.1 through 2.52.0 permit an account-bearing attacker on a CVAT instance to retrieve the names of files and subdirectories in any file system directory accessible to the CVAT server; contents of files are not expo...