Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable handler with low complexity; victim must be authenticated to Jupyter (PR:L) and must navigate to the malicious nbconvert URL (UI:R); kernel RCE crosses a trust boundary so S:C with full C/I/A impact.
Primary rating from Vendor (https://github.com/jupyter-server/jupyter_server).
CVSS VectorVendor: https://github.com/jupyter-server/jupyter_server
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6Blast Radius
ecosystem impact- 4,812 pypi packages depend on jupyter-server (500 direct, 4,393 indirect)
Ecosystem-wide dependent count for version 2.20.0.
DescriptionCVE.org
The nbconvert HTTP handlers in jupyter_server render user-authored notebook HTML under the Jupyter origin without a sandbox directive in their Content-Security-Policy.
Combined with nbconvert.HTMLExporter's default non-sanitizing behavior, a notebook carrying an HTML payload in a display_data output triggers stored XSS with cookie access, full /api/* authority, and kernel RCE.
Impact
An authenticated victim who navigates to /nbconvert/html/<path> containing attacker-authored output can have their token exfiltrated to another domain because it is executed in the Jupyter origin.
Patches
Fixed in v2.20.0, commit 6cbee8d
Workarounds
For deployments where editing the installed jupyter_server is impractical (containerized builds, read-only images), adding this to jupyter_server_config.py has the same effect as the patch above without touching source files:
import jupyter_server.nbconvert.handlers as _nb
def _csp(self):
return super(type(self), self).content_security_policy + "; sandbox allow-scripts"
_nb.NbconvertFileHandler.content_security_policy = property(_csp)
_nb.NbconvertPostHandler.content_security_policy = property(_csp)AnalysisAI
Stored cross-site scripting in jupyter_server's nbconvert HTTP handlers allows a malicious notebook to execute JavaScript in the Jupyter origin, leading to session token theft, full /api/* control, and kernel remote code execution. The NbconvertFileHandler and NbconvertPostHandler render notebook-authored HTML without a CSP sandbox directive, and combined with HTMLExporter's non-sanitizing default, any display_data HTML payload runs with the victim's authority. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) a target running jupyter_server <= 2.19.0 with the /nbconvert/html/ or /nbconvert/ POST endpoints reachable (default in JupyterLab, Notebook 7, and JupyterHub user servers), (2) the attacker's ability to place a malicious .ipynb file at a path the victim can browse - via shared filesystem, shared JupyterHub directory, collaboration tool, or social-engineered download - and (3) an authenticated victim user (the description states 'authenticated victim') who navigates to /nbconvert/html/<path> for the malicious notebook, which provides the UI:A requirement in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-supplied CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H yields 9.3 (Critical) and is internally consistent with the description: network-reachable handler, low complexity, an authenticated user (PR:L) must click or navigate to an attacker-crafted notebook path (UI:A), and successful exploitation pivots to full kernel RCE which justifies high VC/VI/VA and the SC/SI/SA scope-change ratings since the kernel process is a separate trust boundary. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker authors a Jupyter notebook whose display_data cell output contains an HTML payload with a script that reads document.cookie and calls /api/sessions or /api/kernels to spawn a kernel and execute shell commands. They share the .ipynb via a shared volume, JupyterHub team folder, Git pull request, or email attachment, then trick a logged-in user into clicking /nbconvert/html/<path-to-notebook>; on render, the script runs in the Jupyter origin, exfiltrates the auth token to an attacker domain, and runs arbitrary Python through the kernel as the victim's OS user. … |
| Remediation | Vendor-released patch: upgrade jupyter_server to 2.20.0 or later (pip install --upgrade 'jupyter-server>=2.20.0'), which adds the 'sandbox allow-scripts' directive to the CSP on /nbconvert/ endpoints by default via the new ServerApp.nbconvert_csp_sandbox setting; the change is in commit 6cbee8d (https://github.com/jupyter-server/jupyter_server/commit/6cbee8d65e71abac851c4492fea987ad080580bd) and documented in advisory GHSA-fcw5-x6j4-ccmp. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Jupyter Server instances and their current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38347
GHSA-fcw5-x6j4-ccmp