label-studio
PyPI · 7 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting label-studio (page 1 of 1)
- CVE-2022-36551 · MEDIUM · CVSS 6.5 · EG 6.5 · ✓ Fixed in 1.5.0.post0 · 2022-10-03
vulnerable: 0.4.0rc1 ... 1.5.0rc9 (155 versions)
A Server Side Request Forgery (SSRF) in the Data Import module in Heartex - Label Studio Community Edition versions 1.5.0 and earlier allows an authenticated user to access arbitrary files on the system. Furthermore, self-registration is e…
- CVE-2023-43791 · CRITICAL · CVSS 9.8 · EG 9.8 · ✓ Fixed in 1.8.2 · 2023-11-09
vulnerable: 0.4.1 ... 1.8.1 (68 versions)
Label Studio is a multi-type data labeling and annotation tool with standardized output format. There is a vulnerability that can be chained within the ORM Leak vulnerability to impersonate any account on Label Studio. An attacker could ex…
- CVE-2023-47115 · HIGH · CVSS 7.1 · EG 7.1 · ✓ Fixed in 1.9.2 · 2024-01-23
vulnerable: 0.4.1 ... 1.9.1.post0 (74 versions)
Label Studio is a popular open source data labeling tool. Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets…
- CVE-2023-47116 · MEDIUM · CVSS 5.3 · EG 5.3 · ✓ Fixed in 1.11.0 · 2024-01-31
vulnerable: 0.4.1 ... 1.9.2.post0 (79 versions)
Label Studio is a popular open source data labeling tool. The vulnerability affects all versions of Label Studio prior to 1.11.0 and was tested on version 1.8.2. Label Studio's SSRF protections that can be enabled by setting the `SSRF_PROT…
- CVE-2023-47117 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 1.9.2 · 2023-11-13
vulnerable: 0.4.1 ... 1.9.1.post0 (74 versions)
Label Studio is an open source data labeling tool. In all current versions of Label Studio prior to 1.9.2post0, the application allows users to insecurely set filters for filtering tasks. An attacker can construct a filter chain to filter …
- CVE-2024-23633 · MEDIUM · CVSS 4.7 · EG 4.7 · ✓ Fixed in 1.10.1 · 2024-01-24
vulnerable: 0.4.1 ... 1.9.2.post0 (78 versions)
Label Studio, an open source data labeling tool, had a remote import feature that allowed users to import data from a remote web source, which was downloaded and could be viewed on the website. Prior to version 1.10.1, this feature could have been…
- CVE-2024-26152 · MEDIUM · CVSS 4.7 · EG 4.7 · ✓ Fixed in 1.11.0 · 2024-02-22
vulnerable: 0.4.1 ... 1.9.2.post0 (79 versions)
Summary: On all Label Studio versions prior to 1.11.0, data imported via the file upload feature is not properly sanitized prior to being rendered within a [`Choices`](https://labelstud.io/tags/choices) or [`Labels`](https://labelstud.io/ta…