CVAT (Computer Vision Annotation Tool) vulnerabilities
14 known vulnerabilities affecting cvat/computer_vision_annotation_tool.
Total CVEs: 14
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 3, MEDIUM 9
Vulnerabilities
CVE-2022-31188 | CRITICAL, priority P2 | CVSS 9.8 | CWE-918 | public PoC | fixed in 2.0.0 | published 2022-08-01 | source: NVD
CVAT is an opensource interactive video and image annotation tool for computer vision. Versions prior to 2.0.0 were found to be subject to a Server-side request forgery (SSRF) vulnerability. Validation has been added to urls used in the affected code path in version 2.0.0. Users are advised to upgrade. There are no known workarounds for this issue.
CVE-2025-23045 | CRITICAL, priority P2 | CVSS 9.8 | CWE-502 | affected ≥ 1.1.0, < 2.26.0 | published 2025-01-28 | source: NVD
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. An attacker with an account on an affected CVAT instance is able to run arbitrary code in the context of the Nuclio function container. This vulnerability affects CVAT deployments that run any of the serverless functions of type tracker fr
CVE-2026-23526 | HIGH, priority P3 | CVSS 8.8 | CWE-267 | affected ≥ 1.0.0, < 2.55.0 | published 2026-01-21 | source: NVD
CVAT is an open source interactive video and image annotation tool for computer vision. In versions 1.0.0 through 2.54.0, users that have the staff status may freely change their permissions, including giving themselves superuser status and joining the admin group, which gives them full access to the data in the CVAT instance. Version 2.55.0 fixes the
CVE-2024-37164 | HIGH, priority P3 | CVSS 8.5 | CWE-918 | affected ≥ 2.1.0, < 2.14.3 | published 2024-06-13 | source: NVD
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. CVAT allows users to supply custom endpoint URLs for cloud storages based on Amazon S3 and Azure Blob Storage. Starting in version 2.1.0 and prior to version 2.14.3, an attacker with a CVAT account can exploit this feature by specifying URLs w
CVE-2025-49135 | MEDIUM, priority P3 | CVSS 6.5 | CWE-639 | affected ≥ 2.2.0, < 2.40.0 | published 2025-06-25 | source: NVD
CVAT is an open source interactive video and image annotation tool for computer vision. Versions 2.2.0 through 2.39.0 have no validation during the import process of a project or task backup to check that the filename specified in the query parameter refers to a TUS-uploaded file belonging to the same user. As a result, if an attacker with a CVAT ac
CVE-2025-54573 | MEDIUM, priority P3 | CVSS 6.5 | CWE-287 | affected ≥ 1.1.0, < 2.42.0 | published 2025-07-30 | source: NVD
CVAT is an open source interactive video and image annotation tool for computer vision. In versions 1.1.0 through 2.41.0, email verification was not enforced when using Basic HTTP Authentication. As a result, users could create accounts using fake email addresses and use the product as verified users. Additionally, the missing email verification chec
CVE-2024-37306 | HIGH, priority P3 | CVSS 7.1 | CWE-352 | affected ≥ 2.2.0, < 2.14.3 | published 2024-06-13 | source: NVD
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Starting in version 2.2.0 and prior to version 2.14.3, if an attacker can trick a logged-in CVAT user into visiting a malicious URL, they can initiate a dataset export or a backup from a project, task or job that the victim user has permission
CVE-2024-45393 | MEDIUM, priority P3 | CVSS 6.4 | CWE-862 | affected ≥ 2.3.0, < 2.18.0 | published 2024-09-10 | source: NVD
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. An attacker with a CVAT account can access webhook delivery information for any webhook registered on the CVAT instance, including that of other users. For each delivery, this contains information about the event that caused the delivery, ty
CVE-2024-47064 | MEDIUM, priority P4 | CVSS 6.1 | CWE-79 | affected ≥ 2.16.0, < 2.19.0 | published 2024-09-30 | source: NVD
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. If an attacker can trick a logged-in CVAT user into visiting a maliciously-constructed URL, they can initiate any API calls on that user's behalf. This gives the attacker temporary access to all data that the victim user has access to. Upgrad
CVE-2024-47063 | MEDIUM, priority P4 | CVSS 6.1 | CWE-79 | affected ≥ 2.4.7, < 2.19.0 | published 2024-09-30 | source: NVD
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. If a malicious CVAT user with permissions to either create a task, or edit an existing task can trick another logged-in user into visiting a maliciously-constructed URL, they can initiate any API calls on that user's behalf. This gives the at
CVE-2026-23516 | MEDIUM, priority P4 | CVSS 5.4 | CWE-83 | affected ≥ 2.2.0, < 2.55.0 | published 2026-01-21 | source: NVD
CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.2.0 through 2.54.0, an attacker is able to execute arbitrary JavaScript in a victim user's CVAT UI session, provided that they are able to create a maliciously crafted label in a CVAT task or project, then get the victim user to either edit that label
CVE-2024-47172 | MEDIUM, priority P4 | CVSS 5.4 | CWE-863 | fixed in 2.19.1 | published 2024-09-30 | source: NVD
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. An attacker with a CVAT account may retrieve certain information about any project, task, job or membership resource on the CVAT instance. The information exposed in this way is the same as the information returned on a GET request to the re
CVE-2025-68430 | MEDIUM, priority P4 | CVSS 4.3 | CWE-24 | affected ≥ 2.8.1, < 2.53.0 | published 2025-12-19 | source: NVD
CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.8.1 through 2.52.0, an attacker with an account on a CVAT instance is able to retrieve the contents of any file system directory accessible to the CVAT server. The exposed information is names of contained files and subdirectories. The contents of fil
CVE-2025-48381 | MEDIUM, priority P4 | CVSS 4.3 | CWE-201 | affected ≥ 2.4.0, < 2.38.0 | published 2025-05-30 | source: NVD
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. In versions starting from 2.4.0 to before 2.38.0, an authenticated CVAT user may be able to retrieve the IDs and names of all tasks, projects, labels, and the IDs of all jobs and quality reports on the CVAT instance. In addition, if the inst