cvat-ai/cvat vulnerabilities
17 known vulnerabilities affecting cvat-ai/cvat.
Total CVEs: 17
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 4, MEDIUM 11
Vulnerabilities
CVE-2022-31188 | P2 | CRITICAL | CVSS 9.8 | CWE-918 | PoC available | fixed in 2.0.0 | 2022-08-01
CVAT is an opensource interactive video and image annotation tool for computer vision. Versions prior to 2.0.0 were found to be subject to a Server-side request forgery (SSRF) vulnerability. Validation has been added to urls used in the affected code path in version 2.0.0. Users are advised to upgrade. There are no known workarounds for this issue
nvd
CVE-2025-23045 | P2 | CRITICAL | CVSS 9.8 | CWE-502 | versions >= 1.1.0, < 2.26.0 | 2025-01-28
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. An attacker with an account on an affected CVAT instance is able to run arbitrary code in the context of the Nuclio function container. This vulnerability affects CVAT deployments that run any of the serverless functions of type tracker fr
nvd
CVE-2026-23526 | P3 | HIGH | CVSS 8.8 | CWE-267 | versions >= 1.0.0, < 2.55.0 | 2026-01-21
CVAT is an open source interactive video and image annotation tool for computer vision. In versions 1.0.0 through 2.54.0, users that have the staff status may freely change their permissions, including giving themselves superuser status and joining the admin group, which gives them full access to the data in the CVAT instance. Version 2.55.0 fixes the
nvd
CVE-2024-37164 | P3 | HIGH | CVSS 8.5 | CWE-918 | versions >= 2.1.0, < 2.14.3 | 2024-06-13
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. CVAT allows users to supply custom endpoint URLs for cloud storages based on Amazon S3 and Azure Blob Storage. Starting in version 2.1.0 and prior to version 2.14.3, an attacker with a CVAT account can exploit this feature by specifying URLs w
nvd
CVE-2026-44369 | P3 | HIGH | CVSS 8.5 | CWE-80 | versions >= 2.5.0, < 2.64.0 | 2026-05-13
CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to create or edit an annotation guide on a task is able to add malicious JavaScript code, which will then run in the browser of anyone who opens this annotation guide. This code will be able to make arbitrary requests to
nvd
CVE-2025-49135 | P3 | MEDIUM | CVSS 6.5 | CWE-639 | versions >= 2.2.0, < 2.40.0 | 2025-06-25
CVAT is an open source interactive video and image annotation tool for computer vision. Versions 2.2.0 through 2.39.0 have no validation during the import process of a project or task backup to check that the filename specified in the query parameter refers to a TUS-uploaded file belonging to the same user. As a result, if an attacker with a CVAT ac
nvd
CVE-2025-54573 | P3 | MEDIUM | CVSS 6.5 | CWE-287 | versions >= 1.1.0, < 2.42.0 | 2025-07-30
CVAT is an open source interactive video and image annotation tool for computer vision. In versions 1.1.0 through 2.41.0, email verification was not enforced when using Basic HTTP Authentication. As a result, users could create accounts using fake email addresses and use the product as verified users. Additionally, the missing email verification chec
nvd
CVE-2024-37306 | P3 | HIGH | CVSS 7.1 | CWE-352 | versions >= 2.2.0, < 2.14.3 | 2024-06-13
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Starting in version 2.2.0 and prior to version 2.14.3, if an attacker can trick a logged-in CVAT user into visiting a malicious URL, they can initiate a dataset export or a backup from a project, task or job that the victim user has permission
nvd
CVE-2024-45393 | P3 | MEDIUM | CVSS 6.4 | CWE-862 | versions >= 2.3.0, < 2.18.0 | 2024-09-10
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. An attacker with a CVAT account can access webhook delivery information for any webhook registered on the CVAT instance, including that of other users. For each delivery, this contains information about the event that caused the delivery, ty
nvd
CVE-2025-64485 | P4 | MEDIUM | CVSS 5.3 | CWE-22 | versions ≤ 2.4.0, < 2.49.0 | 2025-11-08
CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.4.0 through 2.48.1, a malicious CVAT user with at least the User global role may create files in the root of the mounted file share, or overwrite existing files. If no file share is mounted, the user will be able to create files in the share directory
nvd
CVE-2024-47064 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | versions >= 2.16.0, < 2.19.0 | 2024-09-30
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. If an attacker can trick a logged-in CVAT user into visiting a maliciously-constructed URL, they can initiate any API calls on that user's behalf. This gives the attacker temporary access to all data that the victim user has access to. Upgrad
nvd
CVE-2024-47063 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | versions >= 2.4.7, < 2.19.0 | 2024-09-30
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. If a malicious CVAT user with permissions to either create a task, or edit an existing task can trick another logged-in user into visiting a maliciously-constructed URL, they can initiate any API calls on that user's behalf. This gives the at
nvd
CVE-2026-23516 | P4 | MEDIUM | CVSS 5.4 | CWE-83 | versions >= 2.2.0, < 2.55.0 | 2026-01-21
CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.2.0 through 2.54.0, an attacker is able to execute arbitrary JavaScript in a victim user's CVAT UI session, provided that they are able to create a maliciously crafted label in a CVAT task or project, then get the victim user to either edit that label
nvd
CVE-2024-47172 | P4 | MEDIUM | CVSS 5.4 | CWE-863 | versions >= 2.0.0, < 2.19.1 | 2024-09-30
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. An attacker with a CVAT account may retrieve certain information about any project, task, job or membership resource on the CVAT instance. The information exposed in this way is the same as the information returned on a GET request to the re
nvd
CVE-2026-58373 | P4 | MEDIUM | CVSS 4.3 | CWE-862 | fixed in 2.69.0 | 2026-06-30
CVAT before 2.69.0 contains an improper authorization vulnerability in QualityReportViewSet.get_queryset that allows authenticated attackers to enumerate quality report identifiers belonging to other organizations by exploiting a missing check_object_permissions call on the parent_id query parameter of the quality reports API endpoint. Attackers can
nvd
CVE-2025-68430 | P4 | MEDIUM | CVSS 4.3 | CWE-24 | versions >= 2.8.1, < 2.53.0 | 2025-12-19
CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.8.1 through 2.52.0, an attacker with an account on a CVAT instance is able to retrieve the contents of any file system directory accessible to the CVAT server. The exposed information is names of contained files and subdirectories. The contents of fil
nvd
CVE-2025-48381 | P4 | MEDIUM | CVSS 4.3 | CWE-201 | versions >= 2.4.0, < 2.38.0 | 2025-05-30
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. In versions starting from 2.4.0 to before 2.38.0, an authenticated CVAT user may be able to retrieve the IDs and names of all tasks, projects, labels, and the IDs of all jobs and quality reports on the CVAT instance. In addition, if the inst
nvd