label-studio is vulnerable to Cross-site Scripting (XSS)
High Risk
A persistent (stored) cross-site scripting (XSS) vulnerability exists in the custom_hotkeys functionality of the application. An authenticated attacker, or one able to trick a user or administrator into modifying their custom hotkeys, can inject JavaScript that is stored and later executed in the browsers of other users whenever a page that renders the templates/base.html template is loaded. Because the application exposes an API token endpoint (/api/current-user/token) to the browser and lacks sufficient CSRF protection on certain API endpoints, the injected script may retrieve a victim’s API token or trigger token reset actions, which could lead to full account takeover and unauthorized API access. The vulnerability is considered critical because it is persistent, has low exploitation requirements, and can result in complete account compromise.
You are affected if you are using a version that falls within the vulnerable range.
label-studio is vulnerable to Cross-site Scripting (XSS) in versions 1.21.0 - 1.22.0.
Upgrade the label-studio library to the patched version.
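The stored hotkey mapping reaches the browser through the base template, so the defensive pattern is to validate it on write and to escape it on render. The following is an added example, not Label Studio's own code or fix; it assumes a hypothetical `window.CUSTOM_HOTKEYS` variable and a hypothetical hotkey syntax, and the sample inputs are constructed.

```python
import json
import re
from typing import Any, Mapping

# Characters that can terminate or alter an inline <script> block when raw JSON
# is interpolated into HTML. Replacing them with \u escapes keeps the JSON valid
# for JavaScript while making break-out sequences such as "</script>" inert.
_SCRIPT_UNSAFE = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "\u2028": "\\u2028",
    "\u2029": "\\u2029",
}

def safe_json_for_script(value: Any) -> str:
    """Serialise `value` so it can be embedded in an inline script without XSS."""
    raw = json.dumps(value, ensure_ascii=False)
    return "".join(_SCRIPT_UNSAFE.get(ch, ch) for ch in raw)

# Hypothetical allow-list for a hotkey binding, e.g. "ctrl+shift+k" or "alt+1".
_HOTKEY_RE = re.compile(r"^(?:(?:ctrl|alt|shift|meta)\+)*[a-z0-9]{1,12}$")
_ACTION_RE = re.compile(r"^[a-z0-9_.:-]{1,64}$")

def validate_hotkeys(hotkeys: Mapping[str, str]) -> dict[str, str]:
    """Reject any custom hotkey mapping whose keys or values are not plain tokens."""
    cleaned = {}
    for action, combo in hotkeys.items():
        if not (isinstance(action, str) and _ACTION_RE.match(action)):
            raise ValueError(f"invalid hotkey action: {action!r}")
        if not (isinstance(combo, str) and _HOTKEY_RE.match(combo.lower())):
            raise ValueError(f"invalid hotkey combination: {combo!r}")
        cleaned[action] = combo.lower()
    return cleaned

def render_hotkeys_script(hotkeys: Mapping[str, str]) -> str:
    """Build the inline script tag after validation and escaping (constructed stand-in for the template)."""
    return f"<script>window.CUSTOM_HOTKEYS = {safe_json_for_script(validate_hotkeys(hotkeys))};</script>"

if __name__ == "__main__":
    # Constructed sample: one legitimate binding and one that tries to break out of the script block.
    print(render_hotkeys_script({"annotation:submit": "Ctrl+Enter"}))
    try:
        render_hotkeys_script({"annotation:submit": "</script><b>x"})
    except ValueError as exc:
        print("rejected:", exc)
```

Validation on write stops the payload from being stored; escaping on render is the second layer for data that was stored before the check existed.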