CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-23045 – CVAT allows remote code execution via tracker Nuclio functions
https://notcve.org/view.php?id=CVE-2025-23045
28 Jan 2025 — Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. An attacker with an account on an affected CVAT instance is able to run arbitrary code in the context of the Nuclio function container. This vulnerability affects CVAT deployments that run any of the serverless functions of type tracker from the CVAT Git repository, namely TransT and SiamMask. Deployments with custom functions of type tracker may also be affected, depending on how they handle state ... • https://github.com/cvat-ai/cvat/commit/563e1dfde64b15fa042b23f9d09cd854b35f0366 • CWE-502: Deserialization of Untrusted Data •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47172 – Computer Vision Annotation Tool (CVAT) access control is broken in several PATCH endpoints
https://notcve.org/view.php?id=CVE-2024-47172
30 Sep 2024 — Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. An attacker with a CVAT account may retrieve certain information about any project, task, job or membership resource on the CVAT instance. The information exposed in this way is the same as the information returned on a GET request to the resource. In addition, the attacker can also alter the default source and target storage associated with any project or task. Upgrade to CVAT 2.19.1 or any later v... • https://github.com/cvat-ai/cvat/security/advisories/GHSA-gxhm-hg65-5gh2 • CWE-863: Incorrect Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47064 – Computer Vision Annotation Tool (CVAT) contains a reflected XSS via request endpoints
https://notcve.org/view.php?id=CVE-2024-47064
30 Sep 2024 — Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. If an attacker can trick a logged-in CVAT user into visiting a maliciously-constructed URL, they can initiate any API calls on that user's behalf. This gives the attacker temporary access to all data that the victim user has access to. Upgrade to CVAT 2.19.0 or a later version to fix this issue. • https://github.com/cvat-ai/cvat/security/advisories/GHSA-hp6c-f34j-qjj7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-81: Improper Neutralization of Script in an Error Message Web Page •
CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47063 – Computer Vision Annotation Tool (CVAT) contains a stored XSS via the quality report data endpoint
https://notcve.org/view.php?id=CVE-2024-47063
30 Sep 2024 — Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. If a malicious CVAT user with permissions to either create a task, or edit an existing task can trick another logged-in user into visiting a maliciously-constructed URL, they can initiate any API calls on that user's behalf. This gives the attacker temporary access to all data that the victim user has access to. Upgrade to CVAT 2.19.0 or a later version to fix this issue. • https://github.com/cvat-ai/cvat/security/advisories/GHSA-2c85-39cc-2px9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45393 – Computer Vision Annotation Tool (CVAT) is missing authorization for endpoints related to webhook deliveries
https://notcve.org/view.php?id=CVE-2024-45393
10 Sep 2024 — Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. An attacker with a CVAT account can access webhook delivery information for any webhook registered on the CVAT instance, including that of other users. For each delivery, this contains information about the event that caused the delivery, typically including full details about the object on which an action was performed (such as the task for an "update:task" event), and the user who performed the ac... • https://github.com/cvat-ai/cvat/commit/0fafb797fdf022fb83ce81c6405ba19b583a236f • CWE-862: Missing Authorization •