
17 matches found

Veracode
added 2026/02/10 12:36 p.m., 2 views

Improper Origin Validation

Bokeh is vulnerable to improper origin validation. The vulnerability is due to flawed allowlist matching of the WebSocket Origin header, which allows an attacker to register a look-alike domain or subdomain that bypasses origin checks and establish a WebSocket connection to the Bokeh server...

CVSS 7.4 | AI score 5.5 | EPSS 0.00012
Exploits 1 | References 4 | Affected Software 1
SUSE CVE
added 2026/01/09 12:23 a.m., 2 views

SUSE CVE-2026-21883

Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist (e.g., dashboard.corp), an attacker can register a domain like dashboard.corp.attacker.com, or use a subdomain if applicable, and lure a victim to visit it. The...

CVSS 7.4 | AI score 6.8 | EPSS 0.00012
Exploits 1 | References 3
NVD
added 2026/01/08 2:15 a.m., 1 views

CVE-2026-21883

Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist (e.g., dashboard.corp), an attacker can register a domain like dashboard.corp.attacker.com, or use a subdomain if applicable, and lure a victim to visit it. The...

CVSS 7.4 | EPSS 0.00012
Exploits 1 | References 3
Vulnrichment
added 2026/01/08 1:20 a.m., 2 views

CVE-2026-21883 Bokeh server applications have Incomplete Origin Validation in WebSockets

Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist (e.g., dashboard.corp), an attacker can register a domain like dashboard.corp.attacker.com, or use a subdomain if applicable, and lure a victim to visit it. The...

CVSS 7.4 | AI score 6.3 | EPSS 0.00012
Exploits 1 | References 2
EUVD
added 2026/01/08 1:20 a.m., 3 views

EUVD-2026-1036

Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist (e.g., dashboard.corp), an attacker can register a domain like dashboard.corp.attacker.com, or use a subdomain if applicable, and lure a victim to visit it. The...

CVSS 7.4 | AI score 6.2 | EPSS 0.00012
Exploits 1 | References 4
Cvelist
added 2026/01/08 1:20 a.m., 25 views

CVE-2026-21883 Bokeh server applications have Incomplete Origin Validation in WebSockets

Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist (e.g., dashboard.corp), an attacker can register a domain like dashboard.corp.attacker.com, or use a subdomain if applicable, and lure a victim to visit it. The...

CVSS 7.4 | EPSS 0.00012
Exploits 1 | References 2
CVE
added 2026/01/08 1:20 a.m., 8 views

CVE-2026-21883

Bokeh server (Python) CVE-2026-21883 affects 3.8.1 and earlier. Incomplete origin validation in WebSockets, due to flawed host matching in the allowlist, enables an attacker to lure a victim to a malicious domain (e.g., dashboard.corp.attacker.com) and initiate a WebSocket connection, potentially...

CVSS 7.4 | AI score 6.3 | EPSS 0.00012
Exploits 1 | References 3 | Affected Software 1
OSV
added 2026/01/08 1:20 a.m., 2 views

CVE-2026-21883 Bokeh server applications have Incomplete Origin Validation in WebSockets

Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist (e.g., dashboard.corp), an attacker can register a domain like dashboard.corp.attacker.com, or use a subdomain if applicable, and lure a victim to visit it. The...

CVSS 7.4 | AI score 6.3 | EPSS 0.00012
Exploits 1 | References 5
Positive Technologies
added 2026/01/08 12:0 a.m., 1 views

PT-2026-2119

Name of the Vulnerable Software and Affected Versions: Bokeh versions 3.8.1 and below. Description: Bokeh is an interactive visualization library written in Python. If a server is configured with an allowlist, an attacker can register a domain and lure a victim to visit it. The malicious site can th...

CVSS 7.4 | AI score 6.5 | EPSS 0.00012
Exploits 1 | References 8
CNNVD
added 2026/01/08 12:0 a.m., 2 views

bokeh security vulnerability

bokeh is a Python library for data visualization from the Bokeh open source project. A security vulnerability exists in bokeh 3.8.1 and earlier versions; it stems from a misconfiguration of the allowed list and could allow an attacker to interact with the Bokeh server...

CVSS 7.4 | AI score 6.4 | EPSS 0.00012
Exploits 1 | References 2
Snyk
added 2026/01/06 5:53 p.m., 5 views

Missing Origin Validation in WebSockets

Overview: bokeh provides interactive plots and applications in the browser from Python. Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets via the matchhost function in the server/util.py file. An attacker can gain unauthorized access to sensitive data or modif...

CVSS 7.4 | AI score 6.8 | EPSS 0.00012
Exploits 1 | References 2
OSV
added 2026/01/06 5:53 p.m., 1 views

GHSA-793V-589G-574V Bokeh server applications have Incomplete Origin Validation in WebSockets

This vulnerability allows for Cross-Site WebSocket Hijacking (CSWSH) of a deployed Bokeh server instance. Scope: This vulnerability is only relevant to deployed Bokeh server instances. There is no impact on static HTML output, standalone embedded plots, or Jupyter notebook usage. This vulnerability...

CVSS 7.4 | AI score 5.8 | EPSS 0.00012
Exploits 1 | References 5
vulnersOsv
added 2026/01/06 5:53 p.m., 1 views

abc-network (>=0.1.0 <=0.1.3), accelerometry-annotator (>=3.2.0 <=3.4.2) +192 more potentially affected by CVE-2026-21883 via bokeh (>=3.0.0 <=3.8.1)

bokeh PYPI version =3.0.0, =0.1.0, =3.2.0, =0.2.1, =2.3.0, =1.0.0, =3.2.2, =0.3.1.1, =1.77.5, =0.2.0, =0.1.1, =0.1.0, =1.4.0, =1.0.1, =1.2.3 and more Source cves: CVE-2026-21883 Source advisory: SNYK:PYTHON-BOKEH-14894275...

CVSS 7.4 | AI score 5.8 | EPSS 0.00012
Exploits 1
Github Security Blog
added 2026/01/06 5:53 p.m., 8 views

Bokeh server applications have Incomplete Origin Validation in WebSockets

This vulnerability allows for Cross-Site WebSocket Hijacking (CSWSH) of a deployed Bokeh server instance. Scope: This vulnerability is only relevant to deployed Bokeh server instances. There is no impact on static HTML output, standalone embedded plots, or Jupyter notebook usage. This vulnerability...

CVSS 7.4 | AI score 7.1 | EPSS 0.00012
Exploits 1 | References 5 | Affected Software 1
vulnersOsv
added 2026/01/06 5:53 p.m., 0 views

abc-network (>=0.1.0 <=0.1.3), accelerometry-annotator (>=3.2.0 <=3.4.2) +481 more potentially affected by CVE-2026-21883 via bokeh (>=0.12.1 <=3.8.1)

bokeh PYPI version =0.12.1, =0.1.0, =3.2.0, =0.1.33, =0.1.0.dev24560066971, =0.2.1, =0.8.8, =0.0.1, =24.10.0a8, =0.1.0, =1.3.4, =2.3.0, =1.3.0, =0.0.7, =0.1.10 and more Source cves: CVE-2026-21883 Source advisory: OSV:GHSA-793V-589G-574V...

CVSS 7.4 | AI score 5.8 | EPSS 0.00012
Exploits 1
hackapp
added 2016/04/01 8:48 a.m., 5 views

Bokeh Watch Face - Customized SSL, Dynamic Code Loading, Exported components vulnerabilities

The HackApp vulnerability scanner discovered that the application Bokeh Watch Face, published on the 'play' market, has multiple vulnerabilities...

AI score 0.3
Exploits 0 | References 1 | Affected Software 1
Openbugbounty
added 2015/12/21 2:23 p.m., 16 views

bokeh-masters.com vulnerability

Vulnerable URL: http://bokeh-masters.com/go.php?link=https://www.xssposed.org/ Details: Patched: No; Latest check for patch: 30.07.2017; Vulnerability status: Publicly disclosed; Alexa Rank: 6055854; Google Pagerank: 0; VIP website status: No. Check bokeh-masters.com SSL...

AI score 6.9
Exploits 0