A weakness has been identified in jsbroks COCO Annotator up to 0.11.1. Affected is an unknown function of the file backend/webserver/api/datasets.py of the component Data Endpoint. Executing a manipulation of the argument folder can lead to path traversal. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
The CVSS score for this vulnerability is 2.1, categorized as low severity. This score indicates a low level of risk to organizations, but it is crucial to address it to prevent potential exploitation.
Organizations should prioritize patching immediately to mitigate the risks associated with this vulnerability, particularly as it allows for remote attacks.
Understanding the details of the vulnerability can help in assessing the risks and implementing necessary security measures.
Vulnerability Details
The vulnerability identified as CVE-2026-7680 affects jsbroks COCO Annotator up to version 0.11.1. The primary issue lies within the backend/webserver/api/datasets.py file, specifically in handling the folder argument, which can lead to path traversal. This vulnerability is classified under CWE-22.
Published on May 3, 2026, this vulnerability's CVSS score is 2.1, indicating low severity. It is important to note that the confidentiality impact is low, with no integrity or availability impact.
Technical Analysis
The root cause of this vulnerability stems from improper validation of input parameters in the affected function. Attackers may leverage this weakness to execute unauthorized file access, potentially leading to exposure of sensitive data.
The attack vector is through the network, and the complexity is low, requiring minimal privileges. No user interaction is necessary for exploitation, making it a significant risk.
The confidentiality impact is low, while there are no impacts on integrity or availability, indicating a focus on unauthorized data access.
Risk & Impact Analysis
Risk to organizations includes potential unauthorized data access due to path traversal vulnerabilities. While the severity is low, the possibility of exploitation remains a concern, especially in environments where sensitive data may be exposed.
Organizations should address in priority patch cycle as this vulnerability, though low in severity, can have implications if exploited.
Exploitation Status
Signal | Status |
|---|---|
Known Exploit | Yes |
Public PoC | Yes |
Actively Exploited | No |
Ransomware Use | No |
Affected Versions
All versions of jsbroks COCO Annotator prior to 0.11.1 are affected by this vulnerability.
Mitigation & Remediation
Organizations should prioritize upgrading to the latest version of jsbroks COCO Annotator to mitigate this vulnerability. In cases where an immediate upgrade is not possible, implementing input validation and monitoring web server access logs may help reduce risk.
For further guidance on security best practices, organizations may refer to the penetration testing methodology and ensure proper hardening of their systems.
Detection Guidance
Monitoring for unusual access patterns and validating user inputs can help detect potential exploitation attempts. Organizations should establish logging mechanisms to capture access to the affected API endpoints.
AppSecure Threat Intelligence Insight
The existence of this vulnerability highlights the need for continuous vigilance in application security. It serves as a reminder of the potential risks associated with path traversal vulnerabilities, which can be exploited if left unaddressed.
Organizations can benefit from implementing a robust vulnerability management program to proactively address such weaknesses in their systems.
Furthermore, regular penetration testing can help identify and mitigate emerging threats before they can be exploited.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
.webp)