CVE-2026-23516: CWE-83: Improper Neutralization of Script in Attributes in a Web Page in cvat-ai cvat
CVE-2026-23516 is a high-severity cross-site scripting (XSS) vulnerability in the CVAT open source video and image annotation tool, affecting versions 2.2.0 through 2.54.0. An attacker can execute arbitrary JavaScript in a victim's CVAT UI session by creating malicious labels or uploading crafted SVG images, leading to temporary access to all resources available to the victim user. Exploitation requires user interaction, such as viewing or editing the malicious label or uploading a malicious SVG during skeleton configuration. The vulnerability is fixed in version 2.55.0.
AI Analysis
Technical Summary
CVE-2026-23516 is an improper neutralization of script in attributes vulnerability (CWE-83) in the CVAT (Computer Vision Annotation Tool) open source project, versions 2.2.0 through 2.54.0. CVAT is widely used for interactive video and image annotation in computer vision workflows. The vulnerability allows an attacker to inject arbitrary JavaScript into the CVAT user interface by crafting malicious labels within tasks or projects, or by uploading malicious SVG images when configuring skeletons. When a victim user views or edits these malicious labels, or loads the crafted SVG, the injected script executes in the victim's browser context, granting the attacker temporary access to all CVAT resources accessible to that user, which may include sensitive annotation data and project information. The attack vector requires no prior authentication or privileges, but it does require user interaction (viewing or editing the malicious content). The CVSS 4.0 base score is 8.6 (high severity), reflecting a network attack vector, low attack complexity, no privileges required, user interaction required, and high impact on confidentiality and integrity. The vulnerability was publicly disclosed on January 21, 2026, and fixed in CVAT version 2.55.0. No exploitation in the wild had been reported at the time of disclosure.
Potential Impact
For European organizations utilizing CVAT for computer vision annotation tasks, this vulnerability poses a significant risk of unauthorized access to sensitive annotation data, project metadata, and potentially other integrated systems if CVAT is linked to broader infrastructure. Successful exploitation could lead to data leakage, manipulation of annotation results, or session hijacking, undermining the integrity and confidentiality of AI training datasets and workflows. Given the collaborative nature of CVAT, attackers could leverage this vulnerability to pivot within an organization’s AI development environment, potentially impacting intellectual property and compliance with data protection regulations such as GDPR. The requirement for user interaction limits automated exploitation but does not eliminate risk, especially in environments with multiple users and shared projects. The absence of known exploits in the wild reduces immediate threat but does not preclude targeted attacks, particularly against organizations with high-value AI assets.
Mitigation Recommendations
European organizations should immediately upgrade CVAT installations to version 2.55.0 or later, where the vulnerability is patched. Until upgrades are applied, restrict user permissions to limit who can create or edit labels and upload SVG images, thereby reducing the attack surface. Implement strict input validation and sanitization on all user-generated content, especially labels and SVG files, to prevent script injection. Employ Content Security Policy (CSP) headers in the CVAT web application to restrict the execution of unauthorized scripts. Conduct user awareness training to recognize suspicious labels or unexpected UI behavior. Monitor CVAT logs and user activity for unusual interactions with labels or SVG uploads. Consider isolating CVAT environments from critical networks and sensitive data stores to contain potential breaches. Regularly review and audit CVAT configurations and access controls to ensure adherence to security best practices.
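The analysis above describes two injection surfaces (label names rendered into the UI, and skeleton SVG uploads) and recommends input validation, attribute-context sanitization and a CSP header. The following is an added example, not CVAT's own code or a patch from the project, of what those three controls look like on the server side: an allowlist-based SVG validator that parses the upload as XML instead of pattern-matching text, an input check plus attribute-context escaping for label names, and a starting CSP header. The allowlists, function names, the `data-*` attribute names and the CSP directive set are assumptions chosen for illustration; the stdlib XML parser is used so the example runs offline, with a note on where `defusedxml` should replace it.

```python
# Added example (not CVAT's own code): defender-side checks for the two
# injection surfaces the advisory names (label names rendered into the UI and
# skeleton SVG uploads) plus a CSP header as a backstop. Allowlists, function
# names and the CSP directives are assumptions for illustration.
import html
import re
import xml.etree.ElementTree as ET

# SVG elements a skeleton drawing is assumed to need. Anything else (script,
# foreignObject, use, image, a, animate, ...) is rejected by omission.
ALLOWED_ELEMENTS = {
    "svg", "g", "title", "desc", "circle", "ellipse", "line", "polyline",
    "polygon", "path", "rect", "text",
}
# Geometry and presentation attributes only. href, style and every on*
# handler are deliberately absent: those are where script hides in attributes.
ALLOWED_ATTRS = {
    "id", "class", "x", "y", "x1", "y1", "x2", "y2", "cx", "cy", "r", "rx", "ry",
    "d", "points", "width", "height", "viewBox", "fill", "stroke",
    "stroke-width", "opacity", "transform", "data-label-id", "data-node-id",
}
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def _local(qualified: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return qualified.rsplit("}", 1)[-1]


def svg_violations(svg_text: str) -> list[str]:
    """Return the reasons an uploaded SVG must be rejected; [] means it passed.

    The document is parsed as XML rather than pattern-matched as text, so
    obfuscated spellings of an element or attribute name cannot slip past a
    regex. In production, parse with defusedxml instead of the stdlib parser
    so that entity-expansion attacks are blocked as well (assumption: the
    stdlib parser is used here only so the example runs stand-alone).
    """
    problems: list[str] = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        problems.append(f"root element is <{_local(root.tag)}>, expected <svg>")
    for el in root.iter():  # iter() walks the root and every descendant
        name = _local(el.tag)
        if name not in ALLOWED_ELEMENTS:
            problems.append(f"element <{name}> is not allowed")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):
                problems.append(f"event handler attribute {aname} on <{name}>")
            elif aname == "href":  # covers both href and xlink:href
                problems.append(f"reference attribute href on <{name}> is not allowed")
            elif aname not in ALLOWED_ATTRS:
                problems.append(f"attribute {aname} on <{name}> is not allowed")
            elif "javascript:" in value.lower() or "<" in value:
                problems.append(f"suspicious value in {aname} on <{name}>")
    return problems


def label_name_problems(name: str) -> list[str]:
    """Input-side check for a new or edited label name. This is defence in
    depth; the output escaping in label_name_for_attribute is the primary
    control. The 64-character limit is an assumed policy value."""
    problems: list[str] = []
    if not name.strip():
        problems.append("empty label name")
    if len(name) > 64:
        problems.append("label name longer than 64 characters")
    if CONTROL_CHARS.search(name):
        problems.append("control characters in label name")
    if any(ch in name for ch in "<>\"'"):
        problems.append("HTML markup characters in label name")
    return problems


def label_name_for_attribute(name: str) -> str:
    """Escape a label name for an HTML attribute value, the context CWE-83 is
    about. quote=True encodes both ' and " so the value cannot terminate the
    attribute and start a new one such as an event handler."""
    return html.escape(name, quote=True)


def csp_header() -> tuple[str, str]:
    """A restrictive Content-Security-Policy to serve with the CVAT UI as a
    backstop against injected script. Assumed starting point only: test it
    against your deployment, since the UI may need additional sources."""
    return (
        "Content-Security-Policy",
        "default-src 'self'; script-src 'self'; object-src 'none'; "
        "base-uri 'self'; frame-ancestors 'none'",
    )


if __name__ == "__main__":
    # Constructed samples: a benign skeleton and one carrying script in an attribute.
    GOOD = ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
            '<circle cx="5" cy="5" r="2"/></svg>')
    BAD = '<svg xmlns="http://www.w3.org/2000/svg" onload="run()"><script>run()</script></svg>'
    print(svg_violations(GOOD))  # []
    print(svg_violations(BAD))
    print(label_name_problems("person"))  # []
    print(label_name_for_attribute('cat "tabby"'))  # cat &quot;tabby&quot;
```

The validator rejects by omission rather than by blocklist: an element or attribute has to be on the allowlist to survive, so new script-bearing constructs do not need to be enumerated. Escaping is applied at output time for the specific context (an attribute value), which is what CWE-83 is about; the input check only narrows what reaches storage in the first place.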
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-13T18:22:43.979Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69714a404623b1157ceef883
Added to database: 1/21/2026, 9:50:56 PM
Last enriched: 1/29/2026, 8:39:31 AM
Last updated: 2/6/2026, 6:31:40 PM