CVE Alert

CVE-2026-44727

UNKNOWN 0.0

Jupyter Server: Stored XSS in `NbconvertFileHandler` / `NbconvertPostHandler` via missing `sandbox` CSP

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Jupyter Server is the backend for Jupyter web applications. Prior to 2.20, the nbconvert HTTP handlers in jupyter_server render user-authored notebook HTML under the Jupyter origin without a sandbox directive in their Content-Security-Policy. Combined with nbconvert.HTMLExporter's default non-sanitizing behavior, a notebook carrying an HTML payload in a display_data output triggers stored XSS with cookie access, full /api/* authority, and kernel RCE. This vulnerability is fixed in 2.20.
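The missing piece described above is a `sandbox` directive in the Content-Security-Policy of the nbconvert HTML responses. The following added example (my own check, not code from jupyter_server or the advisory) parses a response's CSP header and classifies whether rendered HTML is actually isolated; the sample headers are constructed, and the header dict is assumed to come from whatever HTTP client the reader uses.

```python
"""Classify whether an HTML response's CSP isolates rendered content with `sandbox`.
Added example with constructed inputs; not code from jupyter_server."""
from typing import Dict, List


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [values]}; names are case-insensitive."""
    directives: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, values = tokens[0].lower(), tokens[1:]
        # Per the CSP spec, a repeated directive is ignored after its first occurrence.
        directives.setdefault(name, values)
    return directives


def sandbox_status(headers: Dict[str, str]) -> str:
    """Classify the sandboxing of an HTML response from its headers.

    "no-csp"       no Content-Security-Policy header at all
    "missing"      CSP present but no sandbox directive (the pattern in this advisory)
    "ineffective"  sandbox present, but allow-scripts + allow-same-origin together let
                   scripts run with the page's real origin, so nothing is isolated
    "isolated"     sandbox present; any script runs in an opaque origin and cannot read
                   the origin's cookies or call its same-origin /api/* routes
    """
    csp = next((v for k, v in headers.items() if k.lower() == "content-security-policy"), None)
    if csp is None:
        return "no-csp"
    directives = parse_csp(csp)
    if "sandbox" not in directives:
        return "missing"
    flags = {f.lower() for f in directives["sandbox"]}
    if {"allow-scripts", "allow-same-origin"} <= flags:
        return "ineffective"
    return "isolated"


# Constructed sample header sets (not captured from a real server).
SAMPLES = {
    "missing": {"Content-Security-Policy": "frame-ancestors 'self'"},
    "ineffective": {"Content-Security-Policy": "sandbox allow-scripts allow-same-origin; frame-ancestors 'self'"},
    "isolated": {"Content-Security-Policy": "sandbox allow-scripts; frame-ancestors 'self'"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:12s} -> {sandbox_status(hdrs)}")
```

Point the check at the headers of a rendered-notebook response from a patched and an unpatched server to confirm the fix is actually in effect rather than relying on the version number alone.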

CWE: CWE-79, CWE-1021
Vendor: jupyter-server
Product: jupyter_server
Published: Jun 22, 2026

Affected Versions

jupyter-server / jupyter_server
< 2.20

References

NVD, CVE.org, EPSS Data
GitHub advisory: https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-fcw5-x6j4-ccmp
GitHub fix commit: https://github.com/jupyter-server/jupyter_server/commit/6cbee8d65e71abac851c4492fea987ad080580bd