VYPR

Jupyter Server

by Jupyter

CVEs (10)

  • CVE-2026-5422 | Hig | Jun 2, 2026
    risk 0.53 | cvss 8.1 | epss 0.00

    A path traversal vulnerability exists in jupyter-server version 2.17.0 due to an incorrect root directory boundary check in the _get_os_path() function within jupyter_server/services/contents/fileio.py. The check uses startswith(root) without appending a trailing path separator,…

  • CVE-2026-35397 | Hig | May 5, 2026
    risk 0.50 | cvss 8.8 | epss 0.01

    Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, a path traversal vulnerability in the REST API allows an authenticated user to escape the configured root_dir and access sibling directories whose names begin with the same prefix as the…

  • CVE-2026-6657 | Med | Jun 3, 2026
    risk 0.40 | cvss 6.1 | epss 0.00

    A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the `allow_origin_pat` configuration is used. The issue arises from the use of `re.match()` for validating the `Origin` header, which only anchors at the…

  • CVE-2026-40110 | Hig | May 5, 2026
    risk 0.40 | cvss 7.3 | epss 0.00

    Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match() to check incoming origins against the allow_origin_pat configuration value. Because re.match() only anchors at the start of the…

  • CVE-2026-40934 | Med | May 5, 2026
    risk 0.37 | cvss 6.8 | epss 0.00

    Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated when a user changes their…

  • CVE-2024-35225 | Jun 11, 2024
    risk 0.00 | cvss | epss 0.00

    Jupyter Server Proxy allows users to run arbitrary external processes alongside their notebook server and provide authenticated web access to them. Versions of 3.x prior to 3.2.4 and 4.x prior to 4.2.0 have a reflected cross-site scripting (XSS) issue. The `/proxy` endpoint…

  • CVE-2024-28179 | Mar 20, 2024
    risk 0.00 | cvss | epss 0.01

    Jupyter Server Proxy allows users to run arbitrary external processes alongside their Jupyter notebook servers and provides authenticated web access. Prior to versions 3.2.3 and 4.1.1, Jupyter Server Proxy did not check user authentication appropriately when proxying websockets,…

  • CVE-2022-21697 | Jan 25, 2022
    risk 0.00 | cvss | epss 0.01

    Jupyter Server Proxy is a Jupyter notebook server extension to proxy web services. Versions of Jupyter Server Proxy prior to 3.2.1 are vulnerable to Server-Side Request Forgery (SSRF). Any user deploying Jupyter Server or Notebook with jupyter-proxy-server extension enabled is…

  • CVE-2020-26275 | Dec 21, 2020
    risk 0.00 | cvss | epss 0.01

    The Jupyter Server provides the backend (i.e. the core services, APIs, and REST endpoints) for Jupyter web applications like Jupyter notebook, JupyterLab, and Voila. In Jupyter Server before version 1.1.1, an open redirect vulnerability could cause the jupyter server to redirect…

  • CVE-2020-26232 | Nov 24, 2020
    risk 0.00 | cvss | epss 0.01

    Jupyter Server before version 1.0.6 has an Open redirect vulnerability. A maliciously crafted link to a jupyter server could redirect the browser to a different website. All jupyter servers are technically affected, however, these maliciously crafted links can only be reasonably…