CVE-2026-23516: CWE-83: Improper Neutralization of Script in Attributes in a Web Page in cvat-ai cvat
CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.2.0 through 2.54.0, an attacker is able to execute arbitrary JavaScript in a victim user's CVAT UI session, provided that they are able to create a maliciously crafted label in a CVAT task or project, then get the victim user to either edit that label, or view a shape that refers to that label; and/or get the victim user to upload a maliciously crafted SVG image when configuring a skeleton. This gives the attacker temporary access to all CVAT resources that the victim user can access. Version 2.55.0 fixes the issue.
AI Analysis
Technical Summary
CVE-2026-23516 is a stored cross-site scripting (XSS) vulnerability in CVAT, the open-source image and video annotation tool, affecting versions 2.2.0 through 2.54.0. It is classified as CWE-83 (improper neutralization of script in attributes in a web page): user-controlled label data and the contents of an uploaded skeleton SVG reach attribute positions in the markup the CVAT UI renders without being neutralized, so a crafted value can terminate the attribute it sits in and append an event-handler or other script-bearing attribute. The advisory describes two paths. In the first, an attacker creates a malicious label in a task or project; the script runs when another user edits that label or views a shape that refers to it. Creating a label requires edit access to the task or project, so this path is available to an authenticated collaborator (or to someone who has compromised one) rather than to an anonymous remote attacker, and it needs no further interaction beyond the victim's ordinary annotation work. In the second, the attacker persuades the victim to upload a crafted SVG while configuring a skeleton; this path needs no prior CVAT access, only delivery of the file and the victim's action of uploading it. In both cases the script runs inside the victim's CVAT UI session and can call the CVAT API with the victim's credentials, giving the attacker temporary access to every resource the victim can reach, including annotation data and project configuration. The page records a CVSS 4.0 base score of 8.6 (high) and public disclosure on January 21, 2026. Version 2.55.0 fixes the issue. No exploitation in the wild has been reported.
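The attribute-context problem behind CWE-83, shown as an added Python example that is not CVAT's code and does not reproduce CVAT's templates: a label name is interpolated into a quoted HTML attribute, an attacker-chosen name closes the quote and adds an event handler, and the same value encoded for attribute context cannot. The re-parsing helper shows how to check stored markup for handlers that were never meant to be there, which a plain substring search cannot do because the escaped text still contains the characters "onmouseover=". The label names and the span template are constructed for the example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed label names (not real CVAT data). The second one is the classic
# CWE-83 shape: it ends the quoted attribute and appends an event handler.
BENIGN_LABEL = "car"
HOSTILE_LABEL = 'car" onmouseover="alert(document.cookie)'


def render_label_unsafe(name: str) -> str:
    """Stand-in for a template that interpolates a label straight into an attribute."""
    return f'<span class="label" title="{name}">{name}</span>'


def render_label_safe(name: str) -> str:
    """Same markup, but the value is encoded for attribute context first.

    html.escape(quote=True) turns " and ' into entities, so the value can no
    longer terminate the attribute; < > & are encoded for the text node too.
    """
    encoded = html.escape(name, quote=True)
    return f'<span class="label" title="{encoded}">{encoded}</span>'


class _HandlerFinder(HTMLParser):
    """Collects every on* attribute a browser would treat as an event handler."""

    def __init__(self) -> None:
        super().__init__()
        self.handlers: list[tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        for attr_name, attr_value in attrs:
            if attr_name.lower().startswith("on"):
                self.handlers.append((tag, attr_name, attr_value or ""))


def injected_handlers(markup: str) -> list[tuple[str, str, str]]:
    """Parse markup the way a browser would; return (tag, attr, value) for on* attributes.

    The parser sees the escaped value as the content of the title attribute, so
    the text 'onmouseover=' inside it never becomes an attribute of its own.
    """
    finder = _HandlerFinder()
    finder.feed(markup)
    finder.close()
    return finder.handlers


_HEX_COLOR = re.compile(r"#[0-9a-fA-F]{6}")


def safe_label_color(color: str, default: str = "#000000") -> str:
    """Label colours usually land in a style or fill attribute, where entity
    encoding does not help because CSS has its own syntax; allowlist the format."""
    return color if _HEX_COLOR.fullmatch(color) else default


if __name__ == "__main__":
    print(injected_handlers(render_label_unsafe(HOSTILE_LABEL)))  # one handler found
    print(injected_handlers(render_label_safe(HOSTILE_LABEL)))    # []
```

Encoding for the exact context (HTML attribute, text node, CSS value, URL) is the fix; a single generic "sanitize" pass that strips script tags leaves the attribute-breakout above untouched.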
Potential Impact
Successful exploitation runs attacker-chosen JavaScript in the victim's CVAT UI session. Because that script can call the CVAT API with the victim's session, the attacker can read, modify or delete whatever the victim can: annotation data, task and project configuration, and, if the victim owns the project or organization, its membership and settings. For teams annotating training data for research, autonomous driving or other model development, this is an integrity risk for the training set (silently altered labels propagate into the trained model) as well as a confidentiality risk for the images and annotations themselves. The label path needs an attacker who already has label-editing access to a shared task or project, so multi-tenant and multi-team deployments are the most exposed; the SVG path needs only that the victim be persuaded to upload an attacker-supplied file. The access gained lasts for the victim's session and is scoped to that CVAT instance, but it extends to any integration the victim's CVAT session can reach. No exploitation in the wild has been reported; the high score and the fact that the stored payload fires during ordinary use (editing a label, viewing a shape) argue for prompt patching.
Mitigation Recommendations
Upgrade every CVAT instance to 2.55.0 or later. That is the only complete fix, because the neutralization has to happen in the UI code that renders labels and skeleton SVGs; an operator cannot bolt it on from outside. Until the upgrade lands: limit who can create or edit labels in tasks and projects to people you would trust with the sessions of everyone else on that task, and review membership of shared projects and organizations. Tell users not to upload skeleton SVG files they did not produce themselves, since the SVG path needs no prior CVAT access on the attacker's side. Audit existing labels: a label name, colour or attribute value containing a quote character, an angle bracket, an "on...=" sequence or a "javascript:" scheme has no place in an annotation schema and should be treated as an attempt. Deploy a Content Security Policy whose script-src omits 'unsafe-inline'; the inline event-handler attributes that CWE-83 injects do not execute under such a policy. Roll it out with Content-Security-Policy-Report-Only first and confirm the CVAT front end still works, because a policy the application cannot live with gets disabled rather than fixed. A WAF in front of an internet-facing instance can catch crude payloads but is a weak control against stored XSS submitted through the authenticated API, so do not treat it as a substitute for the upgrade. Log and review label and skeleton changes in shared projects, and fold CVAT into the same monitoring and incident-response process as the rest of the environment. If you maintain a fork or a custom front end, encode label data for the exact attribute context in which it is rendered and validate uploaded SVGs against an element and attribute allowlist before storing them.
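A server-side gate for the SVG upload path, as an added Python example (CVAT's server side is Python, but this is not CVAT's code, and the allowlist is an assumption sized for a skeleton drawing rather than anything CVAT defines). The file is parsed as XML and every element and attribute is checked against the allowlist; event-handler attributes, href values that are not local fragments, CSS that loads resources, scripting containers and DTD/entity declarations are reported as findings, and any finding rejects the upload. Both SVG documents are constructed samples.

```python
import xml.etree.ElementTree as ET

# Allowlist sized for a skeleton drawing (points and connecting lines). This is
# an assumption for the example, not CVAT's list; extend it only with elements
# and attributes that cannot carry script, URLs or CSS.
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "title", "desc",
    "path", "rect", "circle", "ellipse", "line", "polyline", "polygon",
    "text", "tspan",
}
ALLOWED_ATTRIBUTES = {
    "id", "class", "d", "points", "transform", "viewBox", "version",
    "x", "y", "x1", "y1", "x2", "y2", "cx", "cy", "r", "rx", "ry",
    "width", "height", "fill", "stroke", "stroke-width", "opacity",
    "font-size", "text-anchor",
}
# Allowed by name only when the value is a same-document fragment (#id).
REFERENCE_ATTRIBUTES = {"href"}


def _local(qualified: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1]


def audit_svg(svg_text: str) -> list[str]:
    """Return a list of findings; an empty list means the document is acceptable."""
    findings: list[str] = []
    # Entity declarations are the classic XML bomb and can smuggle content past
    # string checks, so refuse them before the parser sees anything. defusedxml
    # does this more thoroughly; stdlib is used here so the example runs offline.
    if "<!DOCTYPE" in svg_text or "<!ENTITY" in svg_text:
        return ["DTD/entity declarations not allowed"]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, expected <svg>")
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag not in ALLOWED_ELEMENTS:
            findings.append(f"<{tag}> element not allowed")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                findings.append(f"<{tag}> event handler {name}")
            elif name in REFERENCE_ATTRIBUTES:
                target = value.strip()
                if not target.startswith("#"):
                    scheme = target.split(":", 1)[0].lower() if ":" in target else "(none)"
                    findings.append(f"<{tag}> {name} must be a local fragment, got scheme {scheme}")
            elif name == "style":
                css = value.lower()
                if "url(" in css or "@import" in css or "expression(" in css:
                    findings.append(f"<{tag}> style loads a resource or runs an expression")
            elif name not in ALLOWED_ATTRIBUTES:
                findings.append(f"<{tag}> attribute {name} not allowed")
    return findings


def accept_skeleton_svg(svg_text: str) -> bool:
    """Upload decision: reject on any finding rather than trying to repair the file."""
    return audit_svg(svg_text) == []


# Constructed samples: a two-point skeleton, and a file carrying every vector
# this gate is meant to stop (handler on the root, script, javascript: href,
# foreignObject with an HTML img and an onerror handler).
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">'
    '<circle cx="10" cy="10" r="2"/><circle cx="40" cy="40" r="2"/>'
    '<line x1="10" y1="10" x2="40" y2="40" stroke="#000000"/></svg>'
)
HOSTILE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
    'onload="alert(1)"><script>alert(document.cookie)</script>'
    '<a xlink:href="javascript:alert(1)"><circle cx="5" cy="5" r="5"/></a>'
    '<foreignObject><body xmlns="http://www.w3.org/1999/xhtml">'
    '<img src="x" onerror="alert(1)"/></body></foreignObject></svg>'
)

if __name__ == "__main__":
    for finding in audit_svg(HOSTILE_SVG):
        print(finding)
```

Rejecting rather than stripping is deliberate: a sanitizer that rewrites the file has to get every browser parsing quirk right, while a validator only has to recognise the small vocabulary a skeleton legitimately needs. Run it on the server before the file is stored, not only in the browser, since the stored copy is what every later viewer renders.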
Affected Countries
United States, China, Germany, Japan, South Korea, United Kingdom, France, Canada, India, Russia
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-13T18:22:43.979Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69714a404623b1157ceef883
Added to database: 1/21/2026, 9:50:56 PM
Last enriched: 2/27/2026, 8:42:37 AM
Last updated: 3/24/2026, 11:47:26 AM
Views: 122