By vendor

Jupyter vulnerabilities

Known CVEs affecting Jupyter products, prioritized by severity, with SEC.co remediation and detection guidance.

2 published vulnerabilities

  • CVE-2026-6657HIGH 8.8

    A flaw in Jupyter Server allows attackers to bypass its cross-origin request (CORS) validation by exploiting how the software validates the `Origin` header. When administrators configure allowed origins using the `allow_origin_pat` setting, the validation logic uses a partial string match rather than a complete one. This means an attacker can craft a domain like `trusted.example.com.evil.com` that will pass validation meant only for `trusted.example.com`. The vulnerability affects versions 1.12.0 through 2.17.0 and impacts CORS headers, WebSocket connections, referer checking, and login redirects, potentially enabling phishing, code execution, and unauthorized access to APIs.

  • CVE-2026-5422HIGH 8.1

    A flaw in Jupyter Server version 2.17.0 allows authenticated users to read and write files outside their intended directory boundaries. The vulnerability stems from an incomplete security check that fails to properly validate file path requests, allowing attackers to access sibling directories and potentially sensitive files in shared hosting environments. An attacker with login credentials can exploit this to breach confidentiality and integrity of data across directory structures that were meant to be isolated.