Description
The Jupyter notebook is a web-based notebook environment for interactive computing. In affected versions, an untrusted notebook can execute code on load. Jupyter Notebook uses a deprecated version of Google Caja to sanitize user inputs. A public Caja bypass can be used to trigger an XSS when a victim opens a malicious ipynb document in Jupyter Notebook. The XSS allows an attacker to execute arbitrary code on the victim's computer using Jupyter APIs.
References (2)
Core References
Third Party Advisory x_refsource_confirm
https://github.com/jupyter/notebook/security/advisories/GHSA-hwvq-6gjx-j797
Exploit, Third Party Advisory x_refsource_misc
https://github.com/jupyter/notebook/commit/79fc76e890a8ec42f73a3d009e44ef84c14ef0d5
Scores
CVSS v3
10.0
EPSS
0.0023
EPSS Percentile
45.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Details
CWE
CWE-79
Status
published
Products (3)
jupyter/notebook
6.4.0
jupyter/notebook
5.7.0 - 5.7.11
pypi/notebook
0 - 5.7.11 (PyPI)
Published
Aug 09, 2021
Tracked Since
Feb 18, 2026