PT-2026-53454 · Pypi · Jupyter Server
Published
2026-06-29
·
Updated
2026-06-29
CVSS v4.0
9.3
Critical
| Vector | AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
The nbconvert HTTP handlers in jupyter server render user-authored notebook HTML under the Jupyter origin without a sandbox directive in their
Content-Security-Policy.Combined with
nbconvert.HTMLExporter's default non-sanitizing behavior, a notebook carrying an HTML payload in a display data output triggers stored XSS with cookie access, full /api/* authority, and kernel RCE.Impact
An authenticated victim who navigates to
/nbconvert/html/<path> containing attacker-authored output can have their token exfiltrated to another domain because it is executed in the Jupyter origin.Patches
Fixed in v2.20.0, commit [6cbee8d](https://github.com/jupyter-server/jupyter server/commit/6cbee8d65e71abac851c4492fea987ad080580bd)
Workarounds
For deployments where editing the installed jupyter server is impractical (containerized builds, read-only images), adding this to jupyter server config.py has the same effect as the patch above without touching source files:
import jupyter server.nbconvert.handlers as nb
def csp(self):
return super(type(self), self).content security policy + "; sandbox allow-scripts"
nb.NbconvertFileHandler.content security policy = property( csp)
nb.NbconvertPostHandler.content security policy = property( csp)Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Jupyter Server