VYPR

apk package

wolfi/jupyter-base-notebook

pkg:apk/wolfi/jupyter-base-notebook

Vulnerabilities (21)

  • CVE-2026-45409MedJun 5, 2026
    affected < 7.5.6-r1fixed 7.5.6-r1

    Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior to 3.15, payloads such as `"\u0660" * N` or `"\u30fb" * N + "\u6f22"` utilize t

  • CVE-2026-44432HigMay 13, 2026
    affected < 7.5.6-r1fixed 7.5.6-r1

    urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) w

  • CVE-2026-44431MedMay 13, 2026
    affected < 7.5.6-r1fixed 7.5.6-r1

    urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.

  • CVE-2026-40171HigMay 6, 2026
    affected < 7.5.6-r0fixed 7.5.6-r0

    In Jupyter Notebook versions 7.0.0 through 7.5.5, JupyterLab versions 4.5.6 and earlier, and the corresponding @jupyter-notebook/help-extension and @jupyterlab/help-extension packages before 7.5.6 and 4.5.7, a stored cross-site scripting issue in the help command linker can be ch

  • CVE-2026-41205HigApr 23, 2026
    affected < 7.5.5-r4fixed 7.5.5-r4

    Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations. Any file readable

  • CVE-2026-39892CriApr 8, 2026
    affected < 7.5.5-r4fixed 7.5.5-r4

    cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulner

  • CVE-2026-34073MedMar 31, 2026
    affected < 7.5.5-r1fixed 7.5.5-r1

    cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently

  • CVE-2026-25645Mar 25, 2026
    affected < 7.5.5-r1fixed 7.5.5-r1

    Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without valid

  • CVE-2026-4539LowMar 22, 2026
    affected < 7.5.5-r1fixed 7.5.5-r1

    A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit

  • CVE-2026-26007Feb 10, 2026
    affected < 7.5.3-r2fixed 7.5.3-r2

    cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_ke

  • CVE-2026-21441Jan 7, 2026
    affected < 7.5.2-r0fixed 7.5.2-r0

    urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression b

  • CVE-2025-53000Dec 17, 2025
    affected < 0fixed 0

    The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. Versions of nbconvert up to and including 7.16.6 on Windows have a vulnerability in which converting a notebook containing SVG output to a PDF results in unauthorized c

  • CVE-2025-66471Dec 5, 2025
    affected < 7.5.0-r1fixed 7.5.0-r1

    urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chu

  • CVE-2025-66418Dec 5, 2025
    affected < 7.5.0-r1fixed 7.5.0-r1

    urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage a

  • CVE-2025-50182Jun 19, 2025
    affected < 7.4.3-r2fixed 7.4.3-r2

    urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpReque

  • CVE-2025-50181Jun 19, 2025
    affected < 7.4.3-r2fixed 7.4.3-r2

    urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An appl

  • CVE-2024-47081MedJun 9, 2025
    affected < 7.4.3-r1fixed 7.4.3-r1

    Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc

  • CVE-2025-47287May 15, 2025
    affected < 7.4.2-r2fixed 7.4.2-r2

    Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high vo

  • CVE-2025-43859CriApr 24, 2025
    affected < 7.4.1-r1fixed 7.4.1-r1

    h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11's parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions. This issue has been patched in version 0.16.0. Since explo

  • CVE-2025-27516Mar 5, 2025
    affected < 7.3.2-r2fixed 7.3.2-r2

    Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker nee

Page 1 of 2