Label Studio is vulnerable to full account takeover by chaining Stored XSS + IDOR in User Profile via custom_hotkeys field
Modified: 2/19/2026
package
pkg:pypi/label-studio
Label Studio Object Relational Mapper Leak Vulnerability in Filtering Task
Modified: 11/22/2024
Label Studio vulnerable to Cross-site Scripting if `<Choices>` or `<Labels>` are used in labeling config
Modified: 6/10/2026
label-studio vulnerable to Cross-Site Scripting (Reflected) via the label_config parameter.
Modified: 6/6/2026
Nginx alias path traversal allows unauthenticated attackers to read all files on /label_studio/core/
Modified: 11/29/2024
Label Studio has Hardcoded Django `SECRET_KEY` that can be Abused to Forge Session Tokens
Modified: 11/22/2024
Cross-site Scripting Vulnerability on Data Import
Modified: 11/22/2024
Label Studio allows Server-Side Request Forgery in the S3 Storage Endpoint
Modified: 2/14/2025
Label Studio SSRF on Import Bypassing `SSRF_PROTECTION_ENABLED` Protections
Modified: 11/22/2024
Heartex - Label Studio Community Edition vulnerable to SSRF in the Data Import module
Modified: 9/27/2024
Cross-site Scripting Vulnerability on Avatar Upload
Modified: 11/22/2024
Label Studio allows Cross-Site Scripting (XSS) via GET request to `/projects/upload-example` endpoint
Modified: 2/14/2025