๐Ÿ” CVE Alert

CVE-2026-28201

UNKNOWN 0.0

SurrealDB Injection on Open Notebook

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Improper input validation, together with an overly permissive default CORS configuration, in Open Notebook v1.8.1 allows a remote attacker to trick a legitimate user into altering or deleting arbitrary database entries via a specially crafted malicious URL. Depending on the deployment, data exfiltration is also possible.

CWE: CWE-20, CWE-917, CWE-352
Vendor: open notebook
Product: open notebook
Published: May 7, 2026
Last Updated: May 7, 2026

Affected Versions

Open Notebook / Open Notebook
0 ≤ 1.8.2

References

github.com: https://github.com/lfnovo/open-notebook/security/advisories/GHSA-5wj9-f8q5-8f9c

Credits

CERT-EU