CVE-2026-44369 HIGH

CVE-2026-44369: CVAT: Stored XSS via annotation guides

Vendor Cvat-Ai
Product cvat
Weakness CWE-80 · XSS · basic
Published May 13, 2026
Last update May 15, 2026

CVSS base score

8.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to create or edit an annotation guide on a task is able to add malicious JavaScript code, which will then run in the browser of anyone who opens this annotation guide. This code will be able to make arbitrary requests to CVAT with the victim user's privileges. This vulnerability is fixed in 2.64.0.

Key dates

02Disclosure timeline

May 13, 2026 CVE published
May 15, 2026 Record updated