Home > Vulnerability Database > CVE-2026-23516

Mend.io Vulnerability Database

CVE-2026-23516

Good to know:

Date: January 21, 2026

CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.2.0 through 2.54.0, an attacker is able to execute arbitrary JavaScript in a victim user's CVAT UI session, provided that they are able to create a maliciously crafted label in a CVAT task or project, then get the victim user to either edit that label, or view a shape that refers to that label; and/or get the victim user to upload a maliciously crafted SVG image when configuring a skeleton. This gives the attacker temporary access to all CVAT resources that the victim user can access. Version 2.55.0 fixes the issue.

Severity Score

8.1

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-23516

Url: https://github.com/cvat-ai/cvat/commit/40800707fe39e3ff76c8d036eb953eb12d764e70

Url: https://github.com/cvat-ai/cvat/security/advisories/GHSA-3m7p-wx65-c7mp

Url: https://www.mend.io/vulnerability-database/CVE-2026-23516

Severity Score

8.1

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Improper Neutralization of Script in Attributes in a Web Page

CWE-83

Top Fix

Upgrade Version

Upgrade to version https://github.com/cvat-ai/cvat.git - v2.55.0

Learn More

CVSS v3.1

Base Score:	8.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-23516

Good to know:

Date: January 21, 2026

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?