{"id":"PYSEC-2025-124","details":"Label Studio is a multi-type data labeling and annotation tool. A vulnerability in versions prior to 1.18.0 allows an attacker to inject a malicious script into the context of a web page, which can lead to data theft, session hijacking, unauthorized actions on behalf of the user, and other attacks. The vulnerability is reproducible when sending a properly formatted request to the `POST /projects/upload-example/` endpoint. In the source code, the vulnerability is located at `label_studio/projects/views.py`. Version 1.18.0 contains a patch for the issue.","aliases":["CVE-2025-47783","GHSA-8jhr-wpcm-hh4h"],"modified":"2026-05-20T09:19:03.900919Z","published":"2025-05-14T23:15:48.213Z","references":[{"type":"EVIDENCE","url":"https://github.com/HumanSignal/label-studio/security/advisories/GHSA-8jhr-wpcm-hh4h"}],"affected":[{"package":{"name":"label-studio","ecosystem":"PyPI","purl":"pkg:pypi/label-studio"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.18.0"}]}],"versions":["0.4.1","0.4.2","0.4.3","0.4.4","0.4.4.post1","0.4.4.post2","0.4.5","0.4.6","0.4.6.post1","0.4.6.post2","0.4.7","0.4.8","0.5.0","0.5.1","0.6.0","0.6.1","0.7.0","0.7.1","0.7.2","0.7.3","0.7.4","0.7.4.post0","0.7.4.post1","0.7.5.post1","0.7.5.post2","0.8.0","0.8.0.post0","0.8.1","0.8.1.post0","0.8.2","0.8.2.post0","0.9.0","0.9.0.post2","0.9.0.post3","0.9.0.post4","0.9.0.post5","0.9.1","0.9.1.post0","0.9.1.post1","0.9.1.post2","1.0.0","1.0.0.post0","1.0.0.post1","1.0.0.post2","1.0.0.post3","1.0.1","1.0.2","1.0.2.post0","1.1.0","1.1.0rc0","1.1.1","1.10.0","1.10.0.post0","1.10.1","1.11.0","1.12.0","1.12.0.post0","1.12.1","1.13.0","1.13.1","1.14.0","1.14.0.post0","1.15.0","1.16.0","1.17.0","1.2","1.3","1.3.post0","1.3.post1","1.4","1.4.1","1.4.1.post0","1.4.1.post1","1.5.0","1.5.0.post0","1.6.0","1.7.0","1.7.1","1.7.2","1.7.3","1.8.0","1.8.1","1.8.2","1.8.2.post0","1.8.2.post1","1.9.0","1.9.1","1.9.1.post0","1.9.2","1.9.2.post0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/label-studio/PYSEC-2025-124.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}