CVE-2026-2108 - Vulnerability Details

- jsbroks COCO Annotator Endpoint long_task denial of service

Description

A vulnerability was determined in jsbroks COCO Annotator up to 0.11.1. This impacts an unknown function of the file /api/info/long_task of the component Endpoint. This manipulation causes denial of service. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-02-07

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability exists in the /api/info/long_task endpoint of jsbroks COCO Annotator and allows a requester that may not need to be authenticated (this is inferred, as the CVE description does not explicitly state authentication) to trigger a persistent long task that consumes system resources and results in the application becoming unresponsive. It does not grant code execution or data disclosure but can incapacitate the service for legitimate users. The flaw is defined as CWE‑404, indicating an omission of adequate safeguard against function misuse.

Affected Systems

Products affected include jsbroks COCO Annotator versions up to and including 0.11.1. Any deployment that exposes the /api/info/long_task endpoint without additional protection is susceptible.

Risk and Exploitability

The CVSS score of 6.9 categorizes the issue as medium severity, and the EPSS score is below 1%, reflecting a very low probability of exploitation at the time of analysis. The vulnerability may be exploited remotely; authentication requirement is not specified (inferred that no authentication is required). It is not listed in the CISA KEV catalog, indicating no known widespread attacks yet. The lack of a vendor response makes remediation urgency high for affected installations.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

jsbroks

COCO Annotator

affected

Version	Status	Constraints
`0.11.0`	affected	—
`0.11.1`	affected	—

Configuration 1 [-]

cpe:2.3:a:jsbroks:coco_annotator:*:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Jsbroks	Coco Annotator	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade COCO Annotator to the latest release that contains the fix.
If a patch is unavailable, restrict access to the /api/info/long_task endpoint using a firewall or reverse‑proxy authentication.
Implement request rate limiting and monitoring to detect and block excessive task submissions.

Generated by OpenCVE AI on April 18, 2026 at 18:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00041.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/nmmorette/vulnerability-research/blob/main/coco-anotator/Unauthenticated%20Task%20Queue%20Flood%20in%20COCO%20Annotator%202f1ef09b873680f99d39e3f7db9886fa.md
https://vuldb.com/?ctiid.344684
https://vuldb.com/?id.344684
https://vuldb.com/?submit.745547

History

Mon, 23 Feb 2026 10:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 23 Feb 2026 10:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:jsbroks:coco_annotator::::::::

Mon, 09 Feb 2026 11:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Jsbroks Jsbroks coco Annotator
Vendors & Products		Jsbroks Jsbroks coco Annotator

Sat, 07 Feb 2026 19:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was determined in jsbroks COCO Annotator up to 0.11.1. This impacts an unknown function of the file /api/info/long_task of the component Endpoint. This manipulation causes denial of service. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Title		jsbroks COCO Annotator Endpoint long_task denial of service
Weaknesses		CWE-404
References		https://github.com/nmmorette/vulnerability-research/blob/main/coco-anotator/Unauthenticated%20Task%20Queue%20Flood%20in%20COCO%20Annotator%202f1ef09b873680f99d39e3f7db9886fa.md https://vuldb.com/?ctiid.344684 https://vuldb.com/?id.344684 https://vuldb.com/?submit.745547
Metrics		cvssV2_0 `{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:W/RC:UR'}` cvssV3_0 `{'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:W/RC:R'}` cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:W/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Jsbroks Coco Annotator

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-07T19:02:06.919Z

Updated: 2026-02-23T09:33:58.212Z

Reserved: 2026-02-06T14:23:41.354Z

Link: CVE-2026-2108

Vulnrichment

Updated: 2026-02-10T16:05:58.107Z

NVD

Status : Analyzed

Published: 2026-02-07T19:15:46.613

Modified: 2026-02-27T13:45:11.587

Link: CVE-2026-2108

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:30:07Z

Weaknesses

CWE-404

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object