A vulnerability was identified in jsbroks COCO Annotator up to 0.11.1. Affected is an unknown function of the file /api/undo/ of the component Delete Category Handler. Such manipulation of the argument ID leads to improper authorization. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
jsbroks COCO Annotator Delete Category undo improper authorization
Problem type
CWE-285 Improper Authorization
CWE-266 Incorrect Privilege Assignment
Affected products
jsbroks COCO Annotator
0.11.0 - AFFECTED
0.11.1 - AFFECTED
References
https://vuldb.com/?id.344685
https://vuldb.com/?ctiid.344685
https://vuldb.com/?submit.745579
https://github.com/nmmorette/vulnerability-research/blob/main/BFLA%20COCO%20Annotator%20in%20DELETE%20api%20undo/BFLA%20COCO%20Annotator%20in%20DELETE%20api%20undo%202f1ef09b8736807aa1f7ede4b64fa35d.md
GitHub Security Advisories
GHSA-34mv-wr5q-834h
https://github.com/advisories/GHSA-34mv-wr5q-834h
https://nvd.nist.gov/vuln/detail/CVE-2026-2109
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-2109
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-2109",
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "dateUpdated": "2026-02-07T19:32:06.262Z",
    "dateReserved": "2026-02-06T14:23:45.708Z",
    "datePublished": "2026-02-07T19:32:06.262Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB",
        "dateUpdated": "2026-02-07T19:32:06.262Z"
      },
      "title": "jsbroks COCO Annotator Delete Category undo improper authorization",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was identified in jsbroks COCO Annotator up to 0.11.1. Affected is an unknown function of the file /api/undo/ of the component Delete Category Handler. Such manipulation of the argument ID leads to improper authorization. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "affected": [
        {
          "vendor": "jsbroks",
          "product": "COCO Annotator",
          "modules": [
            "Delete Category Handler"
          ],
          "versions": [
            {
              "version": "0.11.0",
              "status": "affected"
            },
            {
              "version": "0.11.1",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Improper Authorization",
              "cweId": "CWE-285",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Incorrect Privilege Assignment",
              "cweId": "CWE-266",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://vuldb.com/?id.344685",
          "name": "VDB-344685 | jsbroks COCO Annotator Delete Category undo improper authorization",
          "tags": [
            "vdb-entry",
            "technical-description"
          ]
        },
        {
          "url": "https://vuldb.com/?ctiid.344685",
          "name": "VDB-344685 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ]
        },
        {
          "url": "https://vuldb.com/?submit.745579",
          "name": "Submit #745579 | coco-annotator v0.11.1 Broken Function Level Authorization",
          "tags": [
            "third-party-advisory"
          ]
        },
        {
          "url": "https://github.com/nmmorette/vulnerability-research/blob/main/BFLA%20COCO%20Annotator%20in%20DELETE%20api%20undo/BFLA%20COCO%20Annotator%20in%20DELETE%20api%20undo%202f1ef09b8736807aa1f7ede4b64fa35d.md",
          "tags": [
            "exploit"
          ]
        }
      ],
      "metrics": [
        {},
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM"
          }
        },
        {
          "cvssV3_0": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM"
          }
        },
        {
          "cvssV2_0": {
            "version": "2.0",
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:UR",
            "baseScore": 5.5
          }
        }
      ],
      "timeline": [
        {
          "time": "2026-02-06T00:00:00.000Z",
          "lang": "en",
          "value": "Advisory disclosed"
        },
        {
          "time": "2026-02-06T01:00:00.000Z",
          "lang": "en",
          "value": "VulDB entry created"
        },
        {
          "time": "2026-02-06T15:28:52.000Z",
          "lang": "en",
          "value": "VulDB entry last update"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "nmmorette (VulDB User)",
          "type": "reporter"
        }
      ]
    }
  }
}