Humansignal Label Studio vulnerabilities
10 known vulnerabilities affecting humansignal/label_studio.
Total CVEs
10
CISA KEV
0
Public exploits
4
Exploited in wild
0
Severity breakdown
HIGH3MEDIUM7
Vulnerabilities
Page 1 of 1
CVE-2023-47117P3HIGHCVSS 7.5PoCfixed in 1.9.2v1.9.22023-11-13
CVE-2023-47117 [HIGH] CWE-200 CVE-2023-47117: Label Studio is an open source data labeling tool. In all current versions of Label Studio prior to
Label Studio is an open source data labeling tool. In all current versions of Label Studio prior to 1.9.2post0, the application allows users to insecurely set filters for filtering tasks. An attacker can construct a filter chain to filter tasks based on sensitive fields for all user accounts on the platform by exploiting Django's Object Relational Mapp
nvd
CVE-2025-47783P3MEDIUMCVSS 6.1PoCfixed in 1.18.02025-05-14
CVE-2025-47783 [MEDIUM] CWE-79 CVE-2025-47783: Label Studio is a multi-type data labeling and annotation tool. A vulnerability in versions prior to
Label Studio is a multi-type data labeling and annotation tool. A vulnerability in versions prior to 1.18.0 allows an attacker to inject a malicious script into the context of a web page, which can lead to data theft, session hijacking, unauthorized actions on behalf of the user, and other attacks. The vulnerability is reproducible when sending a pro
nvd
CVE-2025-25296P3MEDIUMCVSS 6.1PoCfixed in 1.16.02025-02-14
CVE-2025-25296 [MEDIUM] CWE-79 CVE-2025-25296: Label Studio is an open source data labeling tool. Prior to version 1.16.0, Label Studio's `/project
Label Studio is an open source data labeling tool. Prior to version 1.16.0, Label Studio's `/projects/upload-example` endpoint allows injection of arbitrary HTML through a `GET` request with an appropriately crafted `label_config` query parameter. By crafting a specially formatted XML label config with inline task data containing malicious HTML/JavaS
nvd
CVE-2023-43791P3HIGHCVSS 8.8fixed in 1.8.22023-11-09
CVE-2023-43791 [HIGH] CWE-200 CVE-2023-43791: Label Studio is a multi-type data labeling and annotation tool with standardized output format. Ther
Label Studio is a multi-type data labeling and annotation tool with standardized output format. There is a vulnerability that can be chained within the ORM Leak vulnerability to impersonate any account on Label Studio. An attacker could exploit these vulnerabilities to escalate their privileges from a low privilege user to a Django Super Administrator
nvd
CVE-2023-47115P3MEDIUMCVSS 5.4PoCfixed in 1.9.22024-01-23
CVE-2023-47115 [MEDIUM] CWE-79 CVE-2023-47115: Label Studio is an a popular open source data labeling tool. Versions prior to 1.9.2 have a cross-si
Label Studio is an a popular open source data labeling tool. Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website. Executing arbitrary JavaScript could result in an attacker performing ma
nvd
CVE-2025-25297P3HIGHCVSS 7.7fixed in 1.16.02025-02-14
CVE-2025-25297 [HIGH] CWE-918 CVE-2025-25297: Label Studio is an open source data labeling tool. Prior to version 1.16.0, Label Studio's S3 storag
Label Studio is an open source data labeling tool. Prior to version 1.16.0, Label Studio's S3 storage integration feature contains a Server-Side Request Forgery (SSRF) vulnerability in its endpoint configuration. When creating an S3 storage connection, the application allows users to specify a custom S3 endpoint URL via the s3_endpoint parameter. This
nvd
CVE-2024-26152P4MEDIUMCVSS 6.1fixed in 1.11.02024-02-22
CVE-2024-26152 [MEDIUM] CWE-79 CVE-2024-26152: ### Summary On all Label Studio versions prior to 1.11.0, data imported via file upload feature is n
### Summary
On all Label Studio versions prior to 1.11.0, data imported via file upload feature is not properly sanitized prior to being rendered within a [`Choices`](https://labelstud.io/tags/choices) or [`Labels`](https://labelstud.io/tags/labels) tag, resulting in an XSS vulnerability.
### Details
Need permission to use the "data import" function
nvd
CVE-2024-23633P4MEDIUMCVSS 6.1fixed in 1.10.12024-01-24
CVE-2024-23633 [MEDIUM] CWE-79 CVE-2024-23633: Label Studio, an open source data labeling tool had a remote import feature allowed users to import
Label Studio, an open source data labeling tool had a remote import feature allowed users to import data from a remote web source, that was downloaded and could be viewed on the website. Prior to version 1.10.1, this feature could had been abused to download a HTML file that executed malicious JavaScript code in the context of the Label Studio website
nvd
CVE-2023-47116P4MEDIUMCVSS 5.3fixed in 1.11.02024-01-31
CVE-2023-47116 [MEDIUM] CWE-918 CVE-2023-47116: Label Studio is a popular open source data labeling tool. The vulnerability affects all versions of
Label Studio is a popular open source data labeling tool. The vulnerability affects all versions of Label Studio prior to 1.11.0 and was tested on version 1.8.2. Label Studio's SSRF protections that can be enabled by setting the `SSRF_PROTECTION_ENABLED` environment variable can be bypassed to access internal web servers. This is because the current
nvd
CVE-2026-22033P4MEDIUMCVSS 5.4≤ 1.22.02026-01-12
CVE-2026-22033 [MEDIUM] CWE-79 CVE-2026-22033: Label Studio is a multi-type data labeling and annotation tool. In 1.22.0 and earlier, a persistent
Label Studio is a multi-type data labeling and annotation tool. In 1.22.0 and earlier, a persistent stored cross-site scripting (XSS) vulnerability exists in the custom_hotkeys functionality of the application. An authenticated attacker (or one who can trick a user/administrator into updating their custom_hotkeys) can inject JavaScript code that execu
nvd