PT-2026-53454 · Pypi · Jupyter Server

Publicado

2026-06-29

·

Atualizado

2026-06-29

CVSS v4.0

9.3

Crítica

VetorAV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
The nbconvert HTTP handlers in jupyter server render user-authored notebook HTML under the Jupyter origin without a sandbox directive in their Content-Security-Policy.
Combined with nbconvert.HTMLExporter's default non-sanitizing behavior, a notebook carrying an HTML payload in a display data output triggers stored XSS with cookie access, full /api/* authority, and kernel RCE.

Impact

An authenticated victim who navigates to /nbconvert/html/<path> containing attacker-authored output can have their token exfiltrated to another domain because it is executed in the Jupyter origin.

Patches

Fixed in v2.20.0, commit [6cbee8d](https://github.com/jupyter-server/jupyter server/commit/6cbee8d65e71abac851c4492fea987ad080580bd)

Workarounds

For deployments where editing the installed jupyter server is impractical (containerized builds, read-only images), adding this to jupyter server config.py has the same effect as the patch above without touching source files:
import jupyter server.nbconvert.handlers as nb

def csp(self):
  return super(type(self), self).content security policy + "; sandbox allow-scripts"

 nb.NbconvertFileHandler.content security policy = property( csp)
 nb.NbconvertPostHandler.content security policy = property( csp)

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Identificadores relacionados

PYSEC-2026-366

Produtos afetados

Jupyter Server