CVE-2026-6658

Name of the Vulnerable Software and Affected Versions nbconvert versions prior to 7.17.1

Description An issue exists where text/vnd.mermaid output in HTML exports is not properly sanitized. Specifically, the data mermaid block in share/templates/lab/base.html.j2 renders this output directly into HTML without escaping. This allows an attacker to break out of the <pre> tag and inject arbitrary HTML or JavaScript, which is then executed in the context of users viewing the exported HTML file.

Recommendations Update nbconvert to a version later than 7.17.0.