Description
A weakness has been identified in jsbroks COCO Annotator up to 0.11.1. Affected is an unknown function of the file backend/webserver/api/datasets.py of the component Data Endpoint. Executing a manipulation of the argument folder can lead to path traversal. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-03
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path‑traversal weakness (CWE‑22) exists in jsbroks COCO Annotator up to version 0.11.1. An unspecified function in backend/webserver/api/datasets.py, part of the Data Endpoint, does not adequately restrict the folder argument, so a crafted value can reach paths outside the intended dataset directory. The recorded CVSS vectors describe a confidentiality‑only impact (C:L, I:N, A:N): files the web server process can read, such as configuration or credential files, may be disclosed, but no integrity or availability effect is recorded. A public exploit exists and the attack can be launched remotely; note, however, that every recorded vector lists low privileges as required (PR:L in v3/v4, Au:S in v2), so the attacker is expected to have some level of authenticated access to the instance.

Affected Systems

jsbroks COCO Annotator versions up to and including 0.11.1 are affected; no lower bound is given, so all earlier releases should be treated as affected. The vulnerability resides in the Data Endpoint implementation in backend/webserver/api/datasets.py, behind the datasets API; no other products are listed.

Risk and Exploitability

The CVSS v4.0 score is 5.3 (Medium); the v3.0/v3.1 vectors score it 4.3, and no EPSS score is reported. The vulnerability is not listed in CISA’s KEV catalog. Because the flaw can be triggered remotely via a crafted HTTP request to the Data Endpoint, a proof‑of‑concept exploit is public (E:P in the vectors), and the vendor has not responded to the disclosure, the risk of exploitation is non‑negligible even though low privileges are required. An attacker could read files outside the intended directory, which can lead to a broader compromise if those files contain credentials, tokens, or other secrets.

Generated by OpenCVE AI on May 3, 2026 at 06:21 UTC.

Remediation

No vendor fix or workaround has been provided; the vendor did not respond to the disclosure.

OpenCVE Recommended Actions

  • Upgrade jsbroks COCO Annotator to a release that fixes the path‑traversal flaw as soon as one is published; at the time of writing no fixed release was available and the vendor had not responded.
  • Until then, restrict access to the datasets API (served from backend/webserver/api/datasets.py) at the web server or firewall and allow only trusted administrators to reach it. Because the CVSS vectors indicate that an authenticated low‑privilege user can trigger the flaw, also review who holds accounts on the instance.
  • Validate the folder parameter strictly: reject absolute paths, NUL bytes and “..” components, resolve the path (including symlinks), and verify that the resolved path still lies within the permitted data directory by comparing it against the canonical base directory rather than checking a string prefix.
  • Deploy a web‑application firewall or intrusion‑detection rule set that blocks common path‑traversal patterns such as ../ and its URL‑encoded forms (%2e%2e%2f, %252e%252e); treat this as defense in depth, not as a fix.
  • Audit web‑server logs for requests to the datasets endpoint whose folder value contains traversal sequences, and scan the host for evidence of unauthorized file access.
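The following Python example illustrates the third and fifth recommendations above: canonical‑path validation of a user‑supplied folder parameter, and a scan of access logs for traversal attempts against the datasets endpoint. It is an added example written for this page, not code from COCO Annotator or its author; Python is used because the affected backend is Python. The base directory /srv/coco/datasets, the route /api/dataset/<id>/data, and the log lines are all constructed for the example and are not taken from the project.

```python
import os
import re
from urllib.parse import unquote

# Assumed base directory for dataset folders (hypothetical; COCO Annotator's
# real configuration is not described on this page).
DATASET_ROOT = "/srv/coco/datasets"


class PathTraversalError(ValueError):
    """Raised when a user-supplied folder name would escape the dataset root."""


def resolve_dataset_folder(folder: str, root: str = DATASET_ROOT) -> str:
    """Return the absolute directory for `folder` under `root`, or raise.

    Checks, in order: reject empty values, NUL bytes, backslashes and absolute
    paths; normalize the relative path; resolve symlinks; then require that the
    result is still inside `root`. os.path.commonpath() is used instead of
    str.startswith() so that '/srv/coco/datasets_private' is not accepted as
    a child of '/srv/coco/datasets'.
    """
    if not folder or "\x00" in folder:
        raise PathTraversalError("empty or NUL-containing folder name")
    if "\\" in folder or os.path.isabs(folder):
        raise PathTraversalError("absolute paths and backslashes are not allowed")
    root_abs = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_abs, os.path.normpath(folder)))
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        raise PathTraversalError(f"{folder!r} escapes {root}")
    if candidate == root_abs:
        raise PathTraversalError("folder must name a subdirectory, not the root")
    return candidate


def is_safe_folder(folder: str, root: str = DATASET_ROOT) -> bool:
    """Boolean form of resolve_dataset_folder, convenient in request handlers."""
    try:
        resolve_dataset_folder(folder, root)
        return True
    except PathTraversalError:
        return False


# A '..' path segment at the start, after a slash, or after '=', '?' or '&'
# (so 'folder=../x' in a query string is caught as well as '/a/../x').
TRAVERSAL_SEGMENT = re.compile(r"(?:^|[/\\=?&])\.\.(?:[/\\]|$)")

# Combined-log-format prefix: client, ident, user, [timestamp], "METHOD target ..."
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)')


def find_traversal_attempts(log_lines):
    """Return (line_no, client, raw_target) for requests whose target contains a
    '..' segment after URL-decoding. Two decode passes catch both %2e%2e and the
    double-encoded %252e%252e; the raw target is kept for the audit trail."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, _method, target = m.groups()
        decoded = unquote(unquote(target))
        if TRAVERSAL_SEGMENT.search(decoded):
            hits.append((n, client, target))
    return hits


# Constructed sample log lines (not real traffic); the route is assumed.
SAMPLE_LOG = """\
127.0.0.1 - - [03/May/2026:06:00:01 +0000] "GET /api/dataset/1/data?folder=train HTTP/1.1" 200 512
10.0.0.5 - - [03/May/2026:06:00:02 +0000] "GET /api/dataset/1/data?folder=../../../../etc/passwd HTTP/1.1" 200 1803
10.0.0.5 - - [03/May/2026:06:00:03 +0000] "GET /api/dataset/1/data?folder=%2e%2e%2f%2e%2e%2fapp%2fconfig.py HTTP/1.1" 200 94
10.0.0.6 - - [03/May/2026:06:00:04 +0000] "GET /api/dataset/1/data?folder=%252e%252e%252fetc%252fhosts HTTP/1.1" 200 220
192.168.1.9 - - [03/May/2026:06:00:05 +0000] "POST /api/dataset/1/scan HTTP/1.1" 200 12
""".splitlines()


if __name__ == "__main__":
    for candidate in ("train/images", "train/../val", "../etc/passwd", "/etc/passwd", "."):
        print(f"{candidate!r:20} -> {'allowed' if is_safe_folder(candidate) else 'rejected'}")
    for line_no, client, target in find_traversal_attempts(SAMPLE_LOG):
        print(f"line {line_no}: traversal attempt from {client}: {target}")
```

The validator deliberately returns the canonical path rather than a boolean so the caller opens exactly the path that was checked, which avoids a check‑then‑use gap; the log scanner reports line numbers and the raw (still encoded) request target so findings can be matched against the original log.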

Advisories

No advisories yet.

History

Sun, 03 May 2026 05:45:00 +0000

Type                | Values Removed | Values Added
Description         |                | A weakness has been identified in jsbroks COCO Annotator up to 0.11.1. Affected is an unknown function of the file backend/webserver/api/datasets.py of the component Data Endpoint. Executing a manipulation of the argument folder can lead to path traversal. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title               |                | jsbroks COCO Annotator Data Endpoint datasets.py path traversal
First Time appeared |                | Jsbroks; Jsbroks coco Annotator
Weaknesses          |                | CWE-22
CPEs                |                | cpe:2.3:a:jsbroks:coco_annotator:*:*:*:*:*:*:*:*
Vendors & Products  |                | Jsbroks; Jsbroks coco Annotator
References          |                |
Metrics             |                | cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
                    |                | cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
                    |                | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
                    |                | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-03T04:30:11.891Z

Reserved: 2026-05-02T08:42:48.923Z

Link: CVE-2026-7680

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-03T06:15:57.983

Modified: 2026-05-03T06:15:57.983

Link: CVE-2026-7680

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-03T07:00:10Z

Weaknesses