{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2109", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-02-06T14:23:45.708Z", "datePublished": "2026-02-07T19:32:06.262Z", "dateUpdated": "2026-02-23T09:34:09.648Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T09:34:09.648Z"}, "title": "jsbroks COCO Annotator Delete Category undo improper authorization", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-285", "lang": "en", "description": "Improper Authorization"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-266", "lang": "en", "description": "Incorrect Privilege Assignment"}]}], "affected": [{"vendor": "jsbroks", "product": "COCO Annotator", "versions": [{"version": "0.11.0", "status": "affected"}, {"version": "0.11.1", "status": "affected"}], "cpes": ["cpe:2.3:a:jsbroks:coco_annotator:*:*:*:*:*:*:*:*"], "modules": ["Delete Category Handler"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in jsbroks COCO Annotator up to 0.11.1. Affected is an unknown function of the file /api/undo/ of the component Delete Category Handler. Such manipulation of the argument ID leads to improper authorization. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-02-06T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-02-06T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-08T00:50:05.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "nmmorette (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.344685", "name": "VDB-344685 | jsbroks COCO Annotator Delete Category undo improper authorization", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.344685", "name": "VDB-344685 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.745579", "name": "Submit #745579 | coco-annotator v0.11.1 Broken Function Level Authorization", "tags": ["third-party-advisory"]}, {"url": "https://github.com/nmmorette/vulnerability-research/blob/main/BFLA%20COCO%20Annotator%20in%20DELETE%20api%20undo/BFLA%20COCO%20Annotator%20in%20DELETE%20api%20undo%202f1ef09b8736807aa1f7ede4b64fa35d.md", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T16:08:22.493862Z", "id": "CVE-2026-2109", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T16:08:40.318Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2109", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T16:08:22.493862Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T16:08:31.635Z"}}], "cna": {"title": "jsbroks COCO Annotator Delete Category undo improper authorization", "credits": [{"lang": "en", "type": "reporter", "value": "nmmorette (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"cpes": ["cpe:2.3:a:jsbroks:coco_annotator:*:*:*:*:*:*:*:*"], "vendor": "jsbroks", "modules": ["Delete Category Handler"], "product": "COCO Annotator", "versions": [{"status": "affected", "version": "0.11.0"}, {"status": "affected", "version": "0.11.1"}]}], "timeline": [{"lang": "en", "time": "2026-02-06T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-02-06T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-08T00:50:05.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.344685", "name": "VDB-344685 | jsbroks COCO Annotator Delete Category undo improper authorization", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.344685", "name": "VDB-344685 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.745579", "name": "Submit #745579 | coco-annotator v0.11.1 Broken Function Level Authorization", "tags": ["third-party-advisory"]}, {"url": "https://github.com/nmmorette/vulnerability-research/blob/main/BFLA%20COCO%20Annotator%20in%20DELETE%20api%20undo/BFLA%20COCO%20Annotator%20in%20DELETE%20api%20undo%202f1ef09b8736807aa1f7ede4b64fa35d.md", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in jsbroks COCO Annotator up to 0.11.1. Affected is an unknown function of the file /api/undo/ of the component Delete Category Handler. Such manipulation of the argument ID leads to improper authorization. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "Improper Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-266", "description": "Incorrect Privilege Assignment"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T09:34:09.648Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2109", "state": "PUBLISHED", "dateUpdated": "2026-02-23T09:34:09.648Z", "dateReserved": "2026-02-06T14:23:45.708Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-02-07T19:32:06.262Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jsbroks:coco_annotator:*:*:*:*:*:*:*:*", "matchCriteriaId": "88E9E355-3EDA-4E73-970D-95AF4583E249", "versionEndIncluding": "0.11.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in jsbroks COCO Annotator up to 0.11.1. Affected is an unknown function of the file /api/undo/ of the component Delete Category Handler. Such manipulation of the argument ID leads to improper authorization. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una vulnerabilidad fue identificada en jsbroks COCO Annotator hasta la versi\u00f3n 0.11.1. Afecta a una funci\u00f3n desconocida del archivo /api/undo/ del componente Delete Category Handler. Dicha manipulaci\u00f3n del argumento ID conduce a una autorizaci\u00f3n indebida. El ataque puede lanzarse de forma remota. El exploit est\u00e1 disponible p\u00fablicamente y podr\u00eda ser utilizado. El proveedor fue contactado con antelaci\u00f3n sobre esta divulgaci\u00f3n, pero no respondi\u00f3 de ninguna manera."}], "id": "CVE-2026-2109", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-02-07T20:15:55.500", "references": [{"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/nmmorette/vulnerability-research/blob/main/BFLA%20COCO%20Annotator%20in%20DELETE%20api%20undo/BFLA%20COCO%20Annotator%20in%20DELETE%20api%20undo%202f1ef09b8736807aa1f7ede4b64fa35d.md"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.344685"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.344685"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.745579"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-266"}, {"lang": "en", "value": "CWE-285"}], "source": "cna@vuldb.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T22:09:08.690532+00:00", "value": {"mitigation_remediation": ["Update jsbroks COCO Annotator to the latest released version that addresses the authorization flaw.", "Restrict the /api/undo/ endpoint so that only trusted users or network segments can access it during the remediation period.", "Monitor API logs for unexpected DELETE or UNDO calls and investigate any suspicious activity.", "If a patch is not yet available, consider disabling or temporarily blocking category deletion and undo functionality until a fix is deployed."], "summary": {"action": "Immediate patch", "impact": "Improper Authorization \u2013 unauthorized deletion of categories"}, "threat_synthesis": {"affected_systems": "The vulnerability affects jsbroks COCO Annotator versions up to and including 0.11.1.", "description_and_impact": "A remote attacker can manipulate the ID argument in the /api/undo/ Delete Category Handler, causing the system to allow deletion of categories without proper authentication. This flaw falls under CWE-266 (Retained Secret) and CWE-285 (Improper Authorization), leading to unauthorized changes that compromise the integrity and availability of annotation data.", "risk_and_exploitability": "The CVSS score of 5.3 indicates medium severity. The EPSS score is below 1\u00a0%, reflecting a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, but a public exploit is available. Exploitation requires remote API access to the undo endpoint and manipulation of the ID parameter. While the chances of exploitation are currently low, the potential impact warrants timely remediation."}}}}, "created": "2026-02-09T10:44:13.093330+00:00", "updated": "2026-04-17T22:15:29.453064+00:00", "vendors": ["jsbroks", "jsbroks$PRODUCT$coco_annotator"]}