Path traversal in Computer Vision Annotation Tool (CVAT) - CVE-2026-47682

 


Published: May 21, 2026


Vulnerability identifier: #VU132051
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-47682
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Intel
Affected software:
Computer Vision Annotation Tool (CVAT)

Detailed vulnerability description

The vulnerability allows a remote user to overwrite arbitrary files on the server's filesystem.

The vulnerability exists due to path traversal in the cloud storage import handling when processing files from an added cloud storage. A remote user can place a crafted file path in cloud storage content to overwrite arbitrary files on the server's filesystem.

Exploitation requires write access to a cloud storage added to the instance, or the ability to add a new cloud storage.
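
As an added illustration of the defensive check this class of bug calls for (CWE-22 when object keys from a cloud storage become local file paths), the Python sketch below confines each key to an import directory before anything is written. It is not CVAT's code or the vendor's fix; `safe_destination`, `screen_keys`, `UnsafeObjectKey` and the sample keys are hypothetical names and constructed values.

```python
import tempfile
from pathlib import Path, PurePosixPath


class UnsafeObjectKey(ValueError):
    """The object key would resolve outside the import directory."""


def safe_destination(base_dir, object_key):
    """Return the local path for object_key inside base_dir, or raise."""
    if not object_key or "\x00" in object_key:
        raise UnsafeObjectKey(f"empty key or NUL byte: {object_key!r}")
    # Object keys use '/', but treat '\' as a separator as well so a key
    # cannot carry one past the checks on a Windows host.
    key_path = PurePosixPath(object_key.replace("\\", "/"))
    # Strict by design: any '..' component is refused, even if it would
    # still land inside base_dir after normalisation.
    if key_path.is_absolute() or ".." in key_path.parts or not key_path.parts:
        raise UnsafeObjectKey(f"absolute or parent-relative key: {object_key!r}")
    base = Path(base_dir).resolve()
    # resolve() follows symlinks, so a link under base_dir that points
    # elsewhere is caught by the containment test below.
    candidate = base.joinpath(*key_path.parts).resolve()
    if base not in candidate.parents:
        raise UnsafeObjectKey(f"resolves outside {base}: {object_key!r}")
    return candidate


def screen_keys(base_dir, object_keys):
    """Split a bucket listing into keys safe to download and keys to refuse."""
    accepted, refused = {}, []
    for key in object_keys:
        try:
            accepted[key] = safe_destination(base_dir, key)
        except UnsafeObjectKey:
            refused.append(key)
    return accepted, refused


# Constructed listing, as a storage SDK might return it (not real data).
SAMPLE_KEYS = ["images/0001.jpg", "../../outside.txt", "/abs/outside.txt",
               "images/../../outside.txt", "images\\..\\..\\outside.txt", ""]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        ok, bad = screen_keys(tmp, SAMPLE_KEYS)
        print("accepted:", list(ok))
        print("refused: ", bad)
```

Refused keys are worth logging together with the cloud storage they came from, since write access to that storage is the precondition the advisory names.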


How to mitigate CVE-2026-47682

Install the security update from the vendor's website.
