
19 matches found

CVE
added 6 hours ago, 4 views

CVE-2026-6658

The CVE-2026-6658 issue affects jupyter/nbconvert versions <= 7.17.0. The vulnerability arises because the data_mermaid block in share/templates/lab/base.html.j2 renders text/vnd.mermaid cell output directly into HTML without escaping, enabling Cross-site Scripting (XSS) by breaking out of the...

CVSS: 5.4, AI score: 6.3
Exploits: 0, References: 1
Cvelist
added 6 hours ago, 8 views

CVE-2026-6658 Cross-site Scripting (XSS) in jupyter/nbconvert

A vulnerability in jupyter/nbconvert versions tag. This vulnerability impacts any server using nbconvert to render notebooks as HTML, allowing attackers to execute arbitrary JavaScript in the context of users viewing the HTML export...

CVSS: 5.4
Exploits: 0, References: 1
OSV
added 2026/05/03 9:58 a.m., 4 views

OESA-2026-2196 python-nbconvert security update

The nbconvert tool, jupyter nbconvert, converts notebooks to various other formats via Jinja templates. The nbconvert tool allows you to convert an .ipynb notebook file into various static formats including HTML, LaTeX, PDF, Reveal JS, Markdown md, ReStructured Text rst and executable script...

CVSS: 6.5, AI score: 5.9, EPSS: 0.00306
Exploits: 0, References: 3
vulnersOsv
added 2026/04/21 5:18 p.m., 7 views

a-mailx (=0.1.0), aepsych (>=0.3.0 <=0.4.0) +182 more potentially affected by CVE-2026-39377 via nbconvert (>=6.5.0 <=7.17.0)

nbconvert PYPI version =6.5.0, =0.3.0, =0.9.5, =0.1.0, =1.0.1, =1.0.1, =0.0.1, =1.0.0, =0.1.0, =0.0.1, =0.1.0, =0.1.0, =0.1.0, =0.1.10, =0.1.20 and more Source cves: CVE-2026-39377 Source advisory: OSV:GHSA-4C99-QJ7H-P3VG...

CVSS: 6.5, AI score: 5.4, EPSS: 0.00266
Exploits: 0
EUVD
added 2026/04/21 5:18 p.m., 6 views

EUVD-2026-24023

nbconvert has an Arbitrary File Write via Path Traversal in Cell Attachment Filenames...

CVSS: 6.5, AI score: 5.7, EPSS: 0.00266
Exploits: 0, References: 3
vulnersOsv
added 2026/04/21 2:7 a.m., 3 views

a-mailx (=0.1.0), almax-common (>=0.9.5 <=1.0.2.dev20240601170722) +69 more potentially affected by CVE-2026-39377 via nbconvert (>=7.0.0 <=7.17.0)

nbconvert PYPI version =7.0.0, =0.9.5, =1.0.1, =1.0.1, =0.1.0, =0.0.1, =0.1.0, =0.1.0, =0.1.10, =0.0.15, =0.1.3, =3.0.0, =0.0.1, =0.0.2 - fashiontrendforecasting =0.1.0 and more Source cves: CVE-2026-39377 Source advisory: SNYK:PYTHON-NBCONVERT-16115368...

CVSS: 6.5, AI score: 5.4, EPSS: 0.00266
Exploits: 0
Vulnrichment
added 2026/04/21 12:17 a.m., 9 views

CVE-2026-39378 nbconvert has an Arbitrary File Read via Path Traversal in HTMLExporter Image Embedding

The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. In versions 6.5 through 7.17.0, when HTMLExporter.embed_images=True, nbconvert's markdown renderer allows arbitrary file read via path traversal in image references. A malicious notebook...

CVSS: 6.5, AI score: 5.9, EPSS: 0.00306
Exploits: 0, References: 2
Positive Technologies
added 2026/04/21 12:0 a.m., 3 views

PT-2026-33878

Name of the Vulnerable Software and Affected Versions: nbconvert versions 6.5 through 7.17.0. Description: The nbconvert tool converts Jupyter notebooks to various formats using Jinja templates. A path traversal issue exists where the ExtractAttachmentsPreprocessor function passes attachment filenam...

CVSS: 6.5, AI score: 5.9, EPSS: 0.00306
Exploits: 0, References: 19
Tenable Nessus
added 2026/04/21 12:0 a.m., 6 views

Linux Distros Unpatched Vulnerability : CVE-2026-39378

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. In versions 6.5 through 7.17.0, when...

CVSS: 6.5, AI score: 6, EPSS: 0.00306
Exploits: 0, References: 3
Tenable Nessus
added 2026/04/21 12:0 a.m., 8 views

Linux Distros Unpatched Vulnerability : CVE-2026-39377

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. Versions 6.5 through 7.17.0 allow arbitrary file...

CVSS: 6.5, AI score: 6, EPSS: 0.00266
Exploits: 0, References: 3
RedhatCVE
added 2025/12/18 3:23 p.m., 4 views

CVE-2025-53000

A flaw was found in nbconvert, specifically in the jupyter nbconvert tool on Windows. A third party can exploit this vulnerability by creating a malicious inkscape.bat file in a directory. When a user then converts a Jupyter notebook containing SVG output to a PDF from this directory, the malicio...

CVSS: 8.5, AI score: 7, EPSS: 0.00233
Exploits: 1, References: 4
Tenable Nessus
added 2025/12/18 12:0 a.m., 4 views

Linux Distros Unpatched Vulnerability : CVE-2025-53000

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. Versions of nbconvert up to and including 7.16.6...

CVSS: 8.5, AI score: 5.9, EPSS: 0.00233
Exploits: 1, References: 2
Snyk
added 2025/12/17 8:38 p.m., 4 views

Uncontrolled Search Path Element

Overview: Affected versions of this package are vulnerable to Uncontrolled Search Path Element due to unsafe executable resolution when exporting notebooks containing SVG output to PDF. During export, the svg2pdf.py preprocessor resolves the inkscape executable using shutil.which, which on Windows...

CVSS: 8.5, AI score: 6, EPSS: 0.00233
Exploits: 1, References: 2
vulnersOsv
added 2025/12/17 8:38 p.m., 3 views

a-mailx (=0.1.0), almax-common (>=0.9.5 <=1.0.2.dev20240601170722) +67 more potentially affected by CVE-2025-53000 via nbconvert (>=7.0.0 <=7.16.6)

nbconvert PYPI version =7.0.0, =0.9.5, =1.0.1, =1.0.1, =0.1.0, =0.0.1, =0.1.0, =0.1.0, =0.1.10, =0.0.15, =0.1.3, =3.0.0, =0.0.1, =0.0.2 - fashiontrendforecasting =0.1.0 and more Source cves: CVE-2025-53000 Source advisory: SNYK:PYTHON-NBCONVERT-14463457...

CVSS: 8.5, AI score: 5.4, EPSS: 0.00233
Exploits: 1
Cvelist
added 2025/12/17 8:27 p.m., 26 views

CVE-2025-53000 nbconvert has an uncontrolled search path that leads to unauthorized code execution on Windows

The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. Versions of nbconvert up to and including 7.16.6 on Windows have a vulnerability in which converting a notebook containing SVG output to a PDF results in unauthorized code execution...

CVSS: 8.5, EPSS: 0.00233
Exploits: 1, References: 6
Debian CVE
added 2025/12/17 8:27 p.m., 4 views

CVE-2025-53000

The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. Versions of nbconvert up to and including 7.16.6 on Windows have a vulnerability in which converting a notebook containing SVG output to a PDF results in unauthorized code execution...

CVSS: 8.5, AI score: 5.8, EPSS: 0.00233
Exploits: 1
EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2022-0161

Malicious code in bioql PyPI...

CVSS: 7.5, AI score: 6.5, EPSS: 0.01102
Exploits: 1, References: 6
Tenable Nessus
added 2024/11/14 12:0 a.m., 8 views

Fedora 38 : python-nbclient / python-nbconvert (2022-b910e3473f)

The remote Fedora 38 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2022-b910e3473f advisory. New versions of nbclient and nbconvert. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus ha...

CVSS: 7.5, AI score: 6.7, EPSS: 0.01102
Exploits: 1, References: 2
vulnersOsv
added 2022/08/18 7:15 p.m., 4 views

abracadabra (>=0.0.0 <=0.0.7), ai-economist (>=1.0.0 <=1.7.1) +161 more potentially affected by CVE-2021-32862 via nbconvert (>=4.2.0 <=6.3.0)

nbconvert PYPI version =4.2.0, =0.0.0, =1.0.0, =1.3.4, =1.0.0, =1.0.1, =1.13.0.post1, =1.0.0, =0.1.0.dev2021118, =0.0.0, =0.3.4, =0.1.0rc1, =0.0.1, =0.2.1 - combnetdep =1.0.0 and more Source cves: CVE-2021-32862 Source advisory: OSV:PYSEC-2022-249...

CVSS: 7.5, AI score: 6.7, EPSS: 0.01102
Exploits: 1