ByteOS Network

NVD Vulnerability Details :

CVE-2026-44369

Deferred

Source-security-advisories@github.com

Published At-13 May, 2026 | 22:16

Updated At-14 May, 2026 | 18:19

CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to create or edit an annotation guide on a task is able to add malicious JavaScript code, which will then run in the browser of anyone who opens this annotation guide. This code will be able to make arbitrary requests to CVAT with the victim user's privileges. This vulnerability is fixed in 2.64.0.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	8.5	HIGH	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Type: Secondary

Version: 4.0

Base score: 8.5

Base severity: HIGH

Vector:

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses

CWE ID	Type	Source
CWE-80	Primary	security-advisories@github.com

CWE ID: CWE-80

Type: Primary

Source: security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/cvat-ai/cvat/commit/ad9e90003d8234ac7602598b109dc11450321dfc	security-advisories@github.com	N/A
https://github.com/cvat-ai/cvat/security/advisories/GHSA-m2h7-6xqm-p9v5	security-advisories@github.com	N/A

Hyperlink: https://github.com/cvat-ai/cvat/commit/ad9e90003d8234ac7602598b109dc11450321dfc

Source: security-advisories@github.com

Resource: N/A

Hyperlink: https://github.com/cvat-ai/cvat/security/advisories/GHSA-m2h7-6xqm-p9v5

Source: security-advisories@github.com

Resource: N/A

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History