GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
12 advisories
JupyterHub has an Extension Manager API/GUI Policy Discrepancy, allowing 3rd party (malicious) extensions install via POST request
High
CVE-2026-42266
was published
for
jupyterlab
(pip)
May 5, 2026
Jupyter Server: Path Traversal via incorrect startswith() root directory check allows access to sibling directories
High
CVE-2026-35397
was published
for
jupyter-server
(pip)
May 5, 2026
Jupyter Notebook Vulnerable to Authentication Token Theft via CommandLinker XSS
High
CVE-2026-40171
was published
for
@jupyter-notebook/help-extension
(npm)
Apr 30, 2026
nbconvert has an uncontrolled search path that leads to unauthorized code execution on Windows
High
CVE-2025-53000
was published
for
nbconvert
(pip)
Dec 18, 2025
JupyterLab LaTeX typesetter links did not enforce `noopener` attribute
Low
CVE-2025-59842
was published
for
jupyterlab
(pip)
Sep 26, 2025
Jupyter Core on Windows Has Uncontrolled Search Path Element Local Privilege Escalation Vulnerability
High
CVE-2025-30167
was published
for
jupyter_core
(pip)
Jun 4, 2025
jupyterlab-git has a command injection vulnerability in "Open Git Repository in Terminal"
High
CVE-2025-30370
was published
for
jupyterlab-git
(pip)
Apr 4, 2025
Predictable results in nanoid generation when given non-integer values
Moderate
CVE-2024-55565
was published
for
nanoid
(npm)
Dec 9, 2024
HTML injection in Jupyter Notebook and JupyterLab leading to DOM Clobbering
High
CVE-2024-43805
was published
for
jupyterlab
(pip)
Aug 29, 2024
jupyter-scheduler's endpoint is missing authentication
Moderate
CVE-2024-28188
was published
for
jupyter-scheduler
(pip)
May 23, 2024
Jupyter Server Proxy's Websocket Proxying does not require authentication
Critical
CVE-2024-28179
was published
for
jupyter-server-proxy
(pip)
Mar 20, 2024
sanitize-html Information Exposure vulnerability
Moderate
CVE-2024-21501
was published
for
sanitize-html
(npm)
Feb 24, 2024
ProTip!
Advisories are also available from the
GraphQL API