{"url":"http://public2.vulnerablecode.io/api/packages/45148?format=json","purl":"pkg:pypi/label-studio@1.12.1","type":"pypi","namespace":"","name":"label-studio","version":"1.12.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.18.0","latest_non_vulnerable_version":"1.18.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37059?format=json","vulnerability_id":"VCID-n8np-tc3h-kkfd","summary":"Label Studio is a multi-type data labeling and annotation tool. A vulnerability in versions prior to 1.18.0 allows an attacker to inject a malicious script into the context of a web page, which can lead to data theft, session hijacking, unauthorized actions on behalf of the user, and other attacks. The vulnerability is reproducible when sending a properly formatted request to the `POST /projects/upload-example/` endpoint. In the source code, the vulnerability is located at `label_studio/projects/views.py`. Version 1.18.0 contains a patch for the issue.","references":[{"reference_url":"https://github.com/HumanSignal/label-studio/security/advisories/GHSA-8jhr-wpcm-hh4h","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://github.com/HumanSignal/label-studio/security/advisories/GHSA-8jhr-wpcm-hh4h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/45156?format=json","purl":"pkg:pypi/label-studio@1.18.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/label-studio@1.18.0"}],"aliases":["CVE-2025-47783","GHSA-8jhr-wpcm-hh4h","PYSEC-2025-124"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n8np-tc3h-kkfd"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/label-studio@1.12.1"}