CVE-2026-23516

5.4 MEDIUM

📋 TL;DR

This cross-site scripting (XSS) vulnerability in CVAT allows attackers to execute arbitrary JavaScript in victims' browser sessions by creating malicious labels or SVG images. Users of CVAT versions 2.2.0 through 2.54.0 are affected when they interact with attacker-controlled content. Successful exploitation gives attackers temporary access to all CVAT resources the victim can access.

💻 Affected Systems

Products:
  • CVAT (Computer Vision Annotation Tool)
Versions: 2.2.0 through 2.54.0
Operating Systems: All platforms running CVAT
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using affected versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the CVAT instance, with the attacker gaining administrative privileges, exfiltrating data, and potentially moving laterally to connected systems.

🟠 Likely Case

Unauthorized access to sensitive annotation data, project manipulation, and privilege escalation within the CVAT environment.

🟢 If Mitigated

Limited impact: proper input validation and output encoding prevent successful exploitation.

🌐 Internet-Facing: HIGH - Web application accessible over network with user-generated content vectors.
🏢 Internal Only: MEDIUM - Requires internal attacker or compromised account to create malicious content.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated attacker to create malicious content and social engineering to lure victims.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.55.0

Vendor Advisory: https://github.com/cvat-ai/cvat/security/advisories/GHSA-3m7p-wx65-c7mp

Restart Required: Yes

Instructions:

1. Back up CVAT data and configuration.
2. Update CVAT to version 2.55.0 using your deployment method (Docker, Kubernetes, etc.).
3. Restart all CVAT services.
4. Verify that the update completed successfully.

🔧 Temporary Workarounds

Input Validation Enhancement (all platforms)

Implement additional input validation for label names and SVG uploads.

# Requires code modification: implement proper sanitization of user inputs

Content Security Policy (all platforms)

Implement strict CSP headers to limit script execution. Roll the policy out in Content-Security-Policy-Report-Only mode first: script-src 'self' blocks inline scripts, so it can break the CVAT front end if that front end relies on them.

# Add to web server configuration: Content-Security-Policy: script-src 'self'

🧯 If You Can't Patch

  • Restrict user permissions to prevent label creation by untrusted users
  • Implement web application firewall rules to detect and block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Check CVAT version via web interface or API endpoint /api/v1/server/about

Check Version:

curl -s http://cvat-server/api/v1/server/about | grep version

Verify Fix Applied:

Confirm that the version is 2.55.0 or higher and that test XSS payloads in label names and SVG uploads are properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual label creation patterns
  • Multiple failed SVG upload attempts
  • JavaScript execution in unexpected contexts

Network Indicators:

  • Suspicious POST requests to label creation endpoints
  • Unusual SVG file uploads

SIEM Query:

source="cvat" AND (event="label_creation" OR event="svg_upload") AND payload CONTAINS "<script>"
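The substring match above only catches a literal <script> tag. The following is an added example, not CVAT's own code: a defender-side check that parses uploaded SVG documents and label names and reports script-bearing elements, event-handler attributes and javascript: URLs. The sample inputs and the probe() name are constructed.

```python
"""Flag SVG uploads and label names that carry executable content.

Added example, not CVAT's own code. It parses the SVG instead of grepping for
'<script>', so event-handler attributes and javascript: URLs are caught too.
For untrusted XML in production, use the defusedxml parser instead of ElementTree.
"""
import re
import xml.etree.ElementTree as ET

# Elements that can run or embed script when an SVG is rendered inline
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
LABEL_MARKUP = re.compile(r"<[^>]*>|javascript:|\bon\w+\s*=", re.I)


def _local(tag):
    """Strip an XML namespace prefix: '{ns}onload' -> 'onload'."""
    return tag.rsplit("}", 1)[-1].lower()


def svg_findings(svg_text):
    """Return reasons an SVG should be treated as active content ([] if clean)."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable svg: {exc}"]
    findings = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):
                findings.append(f"event handler {aname}= on <{name}>")
            elif aname == "href" and re.match(r"\s*javascript:", value, re.I):
                findings.append(f"javascript: URL in href on <{name}>")
    return findings


def label_suspicious(label_name):
    """Label names are plain text, so any markup or script-like token is suspicious."""
    return LABEL_MARKUP.search(label_name) is not None


# Constructed sample inputs
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="4" height="4"/></svg>'
HANDLER_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect onload="probe()"/></svg>'

if __name__ == "__main__":
    for doc in (CLEAN_SVG, HANDLER_SVG):
        print(svg_findings(doc) or "clean")
    print(label_suspicious("car"), label_suspicious("<b>car</b>"))
```

Run it against the label-creation and SVG-upload events your SIEM already collects; a non-empty findings list is a stronger alert condition than the bare "<script>" match.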
