📦 Computer Vision Annotation Tool
by Cvat
⚠️ Known Vulnerabilities
This vulnerability allows authenticated attackers to execute arbitrary code within CVAT's Nuclio function containers by exploiting unsafe serialization in tracker functions. It affects CVAT deployment...
CVE-2021-45046 is an incomplete fix for the Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j 2.15.0 that allows attackers to execute arbitrary code via JNDI lookups in certain non-default logg...
CVAT users with staff status can escalate their own privileges to superuser/admin level, gaining full access to all data in the CVAT instance. This affects all CVAT deployments running versions 1.0.0 ...
This is a Cross-Site Request Forgery (CSRF) vulnerability in CVAT that allows attackers to trick authenticated users into performing unauthorized dataset exports or backups to cloud storage. Attackers...
This cross-site scripting (XSS) vulnerability in CVAT allows attackers to execute arbitrary JavaScript in victims' browser sessions by creating malicious labels or SVG images. Users of CVAT versions 2...
CVAT versions 1.1.0 through 2.41.0 do not enforce email verification when using Basic HTTP Authentication, allowing attackers to create accounts with fake email addresses and use the system as verifie...
This vulnerability in CVAT allows authenticated users with 'user' role to access other users' uploaded files during project/task backup imports by exploiting filename validation flaws. It affects all ...
This vulnerability allows authenticated CVAT users to enumerate all task, project, label, job, and quality report IDs and names on the instance. It can also cause resource exhaustion if many resources...
This vulnerability in CVAT allows authenticated attackers to view webhook delivery information for any webhook on the instance, including those belonging to other users. Attackers can also redeliver p...