CVE-2026-44727
- EPSS 0.23%
- Veröffentlicht 22.06.2026 19:56:56
- Zuletzt bearbeitet 30.06.2026 03:20:01
Jupyter Server is the backend for Jupyter web applications. Prior to 2.20, the nbconvert HTTP handlers in jupyter_server render user-authored notebook HTML under the Jupyter origin without a sandbox directive in their Content-Security-Policy. Combine...
CVE-2026-6657
- EPSS 0.2%
- Veröffentlicht 03.06.2026 15:06:56
- Zuletzt bearbeitet 30.06.2026 19:01:13
A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the `allow_origin_pat` configuration is used. The issue arises from the use of `re.match()` for validating the `Origin` header, ...
CVE-2026-5422
- EPSS 0.44%
- Veröffentlicht 02.06.2026 09:11:15
- Zuletzt bearbeitet 03.06.2026 17:09:31
A path traversal vulnerability exists in jupyter-server version 2.17.0 due to an incorrect root directory boundary check in the _get_os_path() function within jupyter_server/services/contents/fileio.py. The check uses startswith(root) without appendi...
CVE-2026-40110
- EPSS 0.33%
- Veröffentlicht 05.05.2026 22:16:00
- Zuletzt bearbeitet 30.06.2026 03:19:15
Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match() to check incoming origins against the allow_origin_pat configuration value. Because re.match() only anch...
CVE-2026-40934
- EPSS 0.31%
- Veröffentlicht 05.05.2026 22:16:00
- Zuletzt bearbeitet 11.05.2026 13:00:39
Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated when...
CVE-2026-35397
- EPSS 0.58%
- Veröffentlicht 05.05.2026 20:16:38
- Zuletzt bearbeitet 30.06.2026 03:19:02
Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, a path traversal vulnerability in the REST API allows an authenticated user to escape the configured root_dir and access sibling directories whose names begin...
CVE-2025-61669
- EPSS 0.27%
- Veröffentlicht 05.05.2026 16:16:10
- Zuletzt bearbeitet 11.05.2026 13:01:45
Jupyter Server is the backend for Jupyter web applications. In jupyter_server versions through 2.17.0, the next query parameter in the login flow is insufficiently validated in `LoginFormHandler._redirect_safe()`, which allows redirects to arbitrary ...
CVE-2024-35178
- EPSS 0.7%
- Veröffentlicht 06.06.2024 16:15:11
- Zuletzt bearbeitet 21.11.2024 09:19:52
The Jupyter Server provides the backend for Jupyter web applications. Jupyter Server on Windows has a vulnerability that lets unauthenticated attackers leak the NTLMv2 password hash of the Windows user running the Jupyter server. An attacker can crac...
CVE-2023-49080
- EPSS 0.84%
- Veröffentlicht 04.12.2023 21:15:34
- Zuletzt bearbeitet 21.11.2024 08:32:46
The Jupyter Server provides the backend (i.e. the core services, APIs, and REST endpoints) for Jupyter web applications like Jupyter notebook, JupyterLab, and Voila. Unhandled errors in API requests coming from an authenticated user include traceback...
CVE-2023-39968
- EPSS 0.59%
- Veröffentlicht 28.08.2023 21:15:07
- Zuletzt bearbeitet 21.11.2024 08:16:08
jupyter-server is the backend for Jupyter web applications. Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in session to be redirected to arbitrary sites, which sh...