CVE-2026-23528

EPSS 0.01%
Veröffentlicht 16.01.2026 16:44:28
Zuletzt bearbeitet 12.03.2026 18:29:56
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask distributed are all run together, it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-side-scripting (XSS) bug in the Dask dashboard. It is possible for attackers to craft a phishing URL that assumes Jupyter Lab and Dask may be running on localhost and using default ports. If a user clicks on the malicious link it will open an error page in the Dask Dashboard via the Jupyter Lab proxy which will cause code to be executed by the default Jupyter Python kernel. This vulnerability is fixed in 2026.1.0.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 3 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Anaconda ≫ Dask SwPlatformpython Version < 2026.1.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.022

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	5.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-250 Execution with Unnecessary Privileges

The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

https://github.com/dask/distributed/security/advisories/GHSA-c336-7962-wfj2

Vendor Advisory

https://github.com/dask/distributed/commit/ab72092a8a938923c2bb51a2cd14ca26614827fa

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-23528

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-23528

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-23528

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-23528