Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/label-studio@1.18.0
Type pypi
Namespace
Name label-studio
Version 1.18.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version null
Latest_non_vulnerable_version null
Affected_by_vulnerabilities
0
url VCID-pbdp-mnbt-j3fx
vulnerability_id VCID-pbdp-mnbt-j3fx
summary Label Studio is a multi-type data labeling and annotation tool. In 1.22.0 and earlier, a persistent stored cross-site scripting (XSS) vulnerability exists in the custom_hotkeys functionality of the application. An authenticated attacker (or one who can trick a user/administrator into updating their custom_hotkeys) can inject JavaScript code that executes in other users’ browsers when those users load any page using the templates/base.html template. Because the application exposes an API token endpoint (/api/current-user/token) to the browser and lacks robust CSRF protection on some API endpoints, the injected script may fetch the victim’s API token or call token reset endpoints — enabling full account takeover and unauthorized API access.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-22033
reference_id
reference_type
scores
0
value 6e-05
scoring_system epss
scoring_elements 0.00476
published_at 2026-06-14T12:55:00Z
1
value 6e-05
scoring_system epss
scoring_elements 0.00465
published_at 2026-06-12T12:55:00Z
2
value 6e-05
scoring_system epss
scoring_elements 0.00468
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-22033
1
reference_url https://github.com/HumanSignal/label-studio
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/HumanSignal/label-studio
2
reference_url https://github.com/HumanSignal/label-studio/releases/tag/nightly
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/HumanSignal/label-studio/releases/tag/nightly
3
reference_url https://github.com/HumanSignal/label-studio/pull/9084
reference_id 9084
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-12T18:10:50Z/
url https://github.com/HumanSignal/label-studio/pull/9084
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-22033
reference_id CVE-2026-22033
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-22033
5
reference_url https://github.com/HumanSignal/label-studio/commit/ea2462bf042bbf370b79445d02a205fbe547b505
reference_id ea2462bf042bbf370b79445d02a205fbe547b505
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-12T18:10:50Z/
url https://github.com/HumanSignal/label-studio/commit/ea2462bf042bbf370b79445d02a205fbe547b505
6
reference_url https://github.com/advisories/GHSA-2mq9-hm29-8qch
reference_id GHSA-2mq9-hm29-8qch
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2mq9-hm29-8qch
7
reference_url https://github.com/HumanSignal/label-studio/security/advisories/GHSA-2mq9-hm29-8qch
reference_id GHSA-2mq9-hm29-8qch
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-12T18:10:50Z/
url https://github.com/HumanSignal/label-studio/security/advisories/GHSA-2mq9-hm29-8qch
fixed_packages
aliases CVE-2026-22033, GHSA-2mq9-hm29-8qch
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pbdp-mnbt-j3fx
Fixing_vulnerabilities
0
url VCID-us61-py8c-jbac
vulnerability_id VCID-us61-py8c-jbac
summary Label Studio is a multi-type data labeling and annotation tool. A vulnerability in versions prior to 1.18.0 allows an attacker to inject a malicious script into the context of a web page, which can lead to data theft, session hijacking, unauthorized actions on behalf of the user, and other attacks. The vulnerability is reproducible when sending a properly formatted request to the `POST /projects/upload-example/` endpoint. In the source code, the vulnerability is located at `label_studio/projects/views.py`. Version 1.18.0 contains a patch for the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-47783
reference_id
reference_type
scores
0
value 0.00909
scoring_system epss
scoring_elements 0.7632
published_at 2026-06-12T12:55:00Z
1
value 0.00909
scoring_system epss
scoring_elements 0.76328
published_at 2026-06-14T12:55:00Z
2
value 0.00909
scoring_system epss
scoring_elements 0.76249
published_at 2026-06-11T12:55:00Z
3
value 0.00909
scoring_system epss
scoring_elements 0.76334
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-47783
1
reference_url https://github.com/HumanSignal/label-studio
reference_id
reference_type
scores
0
value 7.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/HumanSignal/label-studio
2
reference_url https://github.com/HumanSignal/label-studio/commit/97db9e7b16783e1f6052eb432a6f014f80ef268d
reference_id
reference_type
scores
0
value 7.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/HumanSignal/label-studio/commit/97db9e7b16783e1f6052eb432a6f014f80ef268d
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/label-studio/PYSEC-2025-124.yaml
reference_id
reference_type
scores
0
value 7.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/label-studio/PYSEC-2025-124.yaml
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-47783
reference_id
reference_type
scores
0
value 7.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-47783
5
reference_url https://github.com/advisories/GHSA-8jhr-wpcm-hh4h
reference_id GHSA-8jhr-wpcm-hh4h
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8jhr-wpcm-hh4h
6
reference_url https://github.com/HumanSignal/label-studio/security/advisories/GHSA-8jhr-wpcm-hh4h
reference_id GHSA-8jhr-wpcm-hh4h
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 7.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-05-15T15:30:36Z/
url https://github.com/HumanSignal/label-studio/security/advisories/GHSA-8jhr-wpcm-hh4h
fixed_packages
0
url pkg:pypi/label-studio@1.18.0
purl pkg:pypi/label-studio@1.18.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-pbdp-mnbt-j3fx
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/label-studio@1.18.0
aliases CVE-2025-47783, GHSA-8jhr-wpcm-hh4h, PYSEC-2025-124
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-us61-py8c-jbac
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/label-studio@1.18.0