216.73.217.98

CVE-2026-22033

· Published 12/01/2026 18:15 · Modified 13/01/2026 14:03

Labels: CVE-2026-22033 2026-01-12CVE-2026-22033CWE-79[email protected]

Essential information

Published
12/01/2026 18:15
Modified
13/01/2026 14:03
Author
Creator
CVSS
8.6 HIGH (v3) 8.6 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Label Studio is a multi-type data labeling and annotation tool. In 1.22.0 and earlier, a persistent stored cross-site scripting (XSS) vulnerability exists in the custom_hotkeys functionality of the application. An authenticated attacker (or one who can trick a user/administrator into updating their custom_hotkeys) can inject JavaScript code that executes in other users’ browsers when those users load any page using the templates/base.html template. Because the application exposes an API token endpoint (/api/current-user/token) to the browser and lacks robust CSRF protection on some API endpoints, the injected script may fetch the victim’s API token or call token reset endpoints — enabling full account takeover and unauthorized API access.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
label studio / label studio cpe:2.3:a:label_studio:label_studio:<1.22.0:*:*:*:*:*:*:*

References