Lucene search
K

16 matches found

RedhatCVE
RedhatCVE
added 2026/06/05 7:34 a.m.12 views

CVE-2026-6657

A flaw was found in jupyter-server. A remote attacker can bypass Cross-Origin Resource Sharing CORS origin validation when the alloworiginpat configuration is used. This vulnerability allows malicious domains to pass validation against patterns intended for trusted domains. This could lead to...

8.8CVSS5.7AI score0.00197EPSS
Exploits1References4
SUSE CVE
SUSE CVE
added 2026/06/05 3:16 a.m.12 views

SUSE CVE-2026-6657

A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the alloworiginpat configuration is used. The issue arises from the use of re.match for validating the Origin header, which only anchors at the start of the string. This allow...

8.8CVSS6AI score0.00197EPSS
Exploits1References3
NVD
NVD
added 2026/06/03 4:16 p.m.9 views

CVE-2026-6657

A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the alloworiginpat configuration is used. The issue arises from the use of re.match for validating the Origin header, which only anchors at the start of the string. This allow...

8.8CVSS0.00197EPSS
Exploits1References1
CVE
CVE
added 2026/06/03 3:6 p.m.25 views

CVE-2026-6657

CVE-2026-6657 affects jupyter-server versions 1.12.0–2.17.0. Root cause: use of re.match() for Origin validation in allow_origin_pat, allowing attacker-controlled domains to bypass CORS checks (e.g., trusted.example.com.evil.com) across CORS headers, WebSocket, referer validation, and login redir...

8.8CVSS6.6AI score0.00197EPSS
Exploits1References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/06/03 3:6 p.m.11 views

CVE-2026-6657 CORS Origin Validation Bypass in jupyter-server

A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the alloworiginpat configuration is used. The issue arises from the use of re.match for validating the Origin header, which only anchors at the start of the string. This allow...

6.1CVSS6AI score0.00197EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/06/03 3:6 p.m.44 views

CVE-2026-6657 CORS Origin Validation Bypass in jupyter-server

A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the alloworiginpat configuration is used. The issue arises from the use of re.match for validating the Origin header, which only anchors at the start of the string. This allow...

6.1CVSS0.00197EPSS
Exploits1References1
Tenable Nessus
Tenable Nessus
added 2026/06/03 12:0 a.m.9 views

Linux Distros Unpatched Vulnerability : CVE-2026-6657

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the alloworiginpat configuration is...

8.8CVSS6.6AI score0.00197EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/05/18 2:19 p.m.8 views

CVE-2026-40110

A flaw was found in Jupyter Server. The Origin header validation, which uses Python's re.match function, does not correctly validate incoming origins against allowed patterns. This allows a remote attacker to bypass Cross-Origin Resource Sharing CORS restrictions by crafting a malicious domain th...

7.6CVSS5.8AI score0.00333EPSS
Exploits0References7
Debian CVE
Debian CVE
added 2026/05/05 9:29 p.m.10 views

CVE-2026-40110

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match to check incoming origins against the alloworiginpat configuration value. Because re.match only anchors at the start of the string and does not require a...

7.6CVSS5.8AI score0.00333EPSS
Exploits0
Cvelist
Cvelist
added 2026/05/05 9:29 p.m.41 views

CVE-2026-40110 jupyter-server CORS origin validation bypass via unanchored regex in allow_origin_pat

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match to check incoming origins against the alloworiginpat configuration value. Because re.match only anchors at the start of the string and does not require a...

7.6CVSS0.00333EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/05/05 9:29 p.m.7 views

CVE-2026-40110 jupyter-server CORS origin validation bypass via unanchored regex in allow_origin_pat

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match to check incoming origins against the alloworiginpat configuration value. Because re.match only anchors at the start of the string and does not require a...

7.6CVSS5.8AI score0.00333EPSS
Exploits0References4
AlpineLinux
AlpineLinux
added 2026/05/05 9:29 p.m.12 views

CVE-2026-40110

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match to check incoming origins against the alloworiginpat configuration value. Because re.match only anchors at the start of the string and does not require a...

7.6CVSS5.8AI score0.00333EPSS
Exploits0
Github Security Blog
Github Security Blog
added 2026/05/05 4:54 p.m.9 views

Jupyter Server has a CORS Origin Validation Bypass via `re.match()` in `allow_origin_pat` (from huntr)

Jupyter Server uses re.match to validate the Origin header against the alloworiginpat configuration. Since re.match only anchors at the start of the string, an attacker who controls a domain like http://trusted.example.com.evil.com/ passes validation against a pattern intended to match only...

7.6CVSS5.8AI score0.00333EPSS
Exploits0References6Affected Software1
EUVD
EUVD
added 2026/05/05 4:54 p.m.10 views

EUVD-2026-27510

Jupyter Server has a CORS Origin Validation Bypass via re.match in alloworiginpat from huntr...

7.6CVSS5.8AI score0.00333EPSS
Exploits0References4
Snyk
Snyk
added 2026/05/05 4:54 p.m.8 views

Regular Expression without Anchors

Overview Affected versions of this package are vulnerable to Regular Expression without Anchors through the alloworiginpat checks in websocket.py, login.py. An attacker can bypass CORS, WebSocket origin checks, and login redirect validation by supplying an Origin or Referer value that matches the...

8.2CVSS5.7AI score0.00333EPSS
Exploits0References2
Huntr
Huntr
added 2026/02/26 3:6 p.m.11 views

CWE-346: CORS Origin Validation Bypass via `re.match()` in `allow_origin_pat`

This report is not public...

8.8CVSS6.4AI score0.00197EPSS
Exploits1
Rows per page
Query Builder