CVE-2025-23045 – CVAT allows remote code execution via tracker Nuclio functions
https://notcve.org/view.php?id=CVE-2025-23045
28 Jan 2025 — Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. An attacker with an account on an affected CVAT instance can run arbitrary code in the context of the Nuclio function container. This vulnerability affects CVAT deployments that run any of the serverless functions of type tracker from the CVAT Git repository, namely TransT and SiamMask. Deployments with custom functions of type tracker may also be affected, depending on how they handle state ... • https://github.com/cvat-ai/cvat/commit/563e1dfde64b15fa042b23f9d09cd854b35f0366 • CWE-502: Deserialization of Untrusted Data
CVE-2022-31188 – Server-Side Request Forgery Vulnerability in Computer Vision Annotation Tool (CVAT)
https://notcve.org/view.php?id=CVE-2022-31188
01 Aug 2022 — CVAT is an open-source interactive video and image annotation tool for computer vision. Versions prior to 2.0.0 were found to be subject to a server-side request forgery (SSRF) vulnerability. Validation has been added to the URLs used in the affected code path in version 2.0.0. Users are advised to upgrade. There are no known workarounds for this issue. • https://www.exploit-db.com/exploits/51030 • CWE-918: Server-Side Request Forgery (SSRF)