| Severity | CVSS | CVE | Advisory | Affected versions |
|---|---|---|---|---|
| CRITICAL | 9.8 | CVE-2023-43791 | Label Studio has Hardcoded Django `SECRET_KEY` that can be Abused to Forge Session Tokens | from 0, < 3d06c5131c15600621e08b06f07d976887cde81b \| from 0, < 1.8.2 |
| HIGH | 8.6 | CVE-2025-25297 | Label Studio allows Server-Side Request Forgery in the S3 Storage Endpoint | from 0, < 1.16.0 |
| HIGH | 7.5 |  | Label Studio Object Relational Mapper Leak Vulnerability in Filtering Task | from 0, < f931d9d129002f54a495995774ce7384174cef5c \| from 0, < 1.9.2 \| from 0, < 1.9.2.post0 |
| HIGH | 7.1 |  | Cross-site Scripting Vulnerability on Avatar Upload | from 0, < a7a71e594f32ec4af8f3f800d5ccb8662e275da3 \| from 0, < 1.9.2 |
| MEDIUM | 6.5 |  | Heartex - Label Studio Community Edition vulnerable to SSRF in the Data Import module | from 0, < 1.5.0.post0 \| from 0, < 1.6.0 |
| MEDIUM | 6.1 |  | label-studio vulnerable to Cross-Site Scripting (Reflected) via the label_config parameter | from 0, < 1.18.0 |
| MEDIUM | 6.1 |  | Label Studio allows Cross-Site Scripting (XSS) via GET request to `/projects/upload-example` endpoint | from 0, < 1.16.0 |
| MEDIUM | 5.3 |  | Label Studio SSRF on Import Bypassing `SSRF_PROTECTION_ENABLED` Protections | from 0, < 55dd6af4716b92f2bb213fe461d1ffbc380c6a64 \| from 0, < 1.11.0 |
| MEDIUM | 4.7 |  | Label Studio vulnerable to Cross-site Scripting if `<Choices>` or `<Labels>` are used in labeling config | from 0, < 5df9ae3828b98652e9fa290a19f4deedf51ef6c8 \| from 0, < 1.11.0 |
| MEDIUM | 4.7 |  | Cross-site Scripting Vulnerability on Data Import | from 0, < 1.10.1 |
| — |  |  | Label Studio is vulnerable to full account takeover by chaining Stored XSS + IDOR in User Profile via custom_hotkeys field | from 0, <= 1.22.0 |