CVE-2026-52798

Gogs (self-hosted Git service) is affected by CVE-2026-52798: prior to 0.14.3, .ipynb previews are sanitized server-side, but the client-side re-rendering with marked() on .nb-markdown-cell can regenerate javascript: links, enabling Stored XSS when a victim clicks a crafted link in an attacker-su...

CVE-2026-52798

Gogs is an open source self-hosted Git service. Prior to 0.14.3, although .ipynb previews are sanitized on the server side via /-/api/sanitizeipynb, the inserted content is re-rendered on the client side without sanitization using marked on elements with the .nb-markdown-cell class. During this...

GHSA-JQ8V-RMF6-65JW Gogs has Stored XSS in `.ipynb` Preview

Summary Although .ipynb previews are sanitized on the server side via /-/api/sanitizeipynb, the inserted content is re-rendered on the client side without sanitization using marked on elements with the .nb-markdown-cell class. During this process, links containing schemes such as javascript: can ...

GHSA-XMW9-6R43-X9WW SiYuan has directory traversal within its publishing service

Details The /api/file/readDir interface was used to traverse and retrieve the file names of all documents under a notebook. PoC python !/usr/bin/env python3 """POC: SiYuan /api/file/readDir 未鉴权目录遍历""" import requests, json, sys def poctarget: base = target.rstrip"/" url = f"base/api/file/readDir"...

CVE-2024-10383 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab VSCode Fork

An issue has been discovered in the gitlab-web-ide-vscode-fork component distributed over CDN affecting all versions prior to 1.89.1-1.0.0-dev-20241118094343and used by all versions of GitLab CE/EE starting from 15.11 prior to 17.3 and which also temporarily affected versions 17.4, 17.5 and 17.6,...

SUSE CVE-2021-32798

The Jupyter notebook is a web-based notebook environment for interactive computing. In affected versions untrusted notebook can execute code on load. Jupyter Notebook uses a deprecated version of Google Caja to sanitize user inputs. A public Caja bypass can be used to trigger an XSS when a victim...

SUSE CVE-2015-6938

Cross-site scripting XSS vulnerability in the file browser in notebook/notebookapp.py in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via a folder name. NOTE: this was originally reported as a cross-site reque...

USN-4855-1 ipython vulnerability

It was discovered that IPython did not properly sanitize certain input. If a user were tricked into opening a specially crafted notebook file, a remote attacker could possibly use this issue to execute arbitrary code...

The vulnerability of the visual analysis tool IBM i2 Analyst’s Notebook lies in the fact that when an operation is performed outside the buffer in memory, it allows a hacker to trigger a service failure or execute arbitrary code.

The vulnerability of the visual analysis tool IBM i2 Analyst’s Notebook relates to the execution of operations outside the buffer boundaries in memory. Exploiting this vulnerability could allow an attacker to trigger a service failure or execute arbitrary code using a specially created file with...

Visual Studio Code Python Extension Remote Code Execution Vulnerability

A remote code execution vulnerability exists in Visual Studio Code when the Python extension loads workspace settings from a notebook file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with...

MGASA-2018-0182 Updated jupyter-notebook packages fix security vulnerability

CVE-2018-8768: In Jupyter Notebook before 5.4.1, a maliciously forged notebook file can bypass sanitization to execute JavaScript in the notebook context. Specifically, invalid HTML is 'fixed' by jQuery after sanitization, making it dangerous...

FreeBSD : Jupyter Notebook -- vulnerability (b3edc7d9-9af5-4daf-88f1-61f68f4308c2)

MITRE reports : In Jupyter Notebook before 5.4.1, a maliciously forged notebook file can bypass sanitization to execute JavaScript in the notebook context. Specifically, invalid HTML is 'fixed' by jQuery after sanitization, making it dangerous. C Tenable Network Security, Inc. The descriptive tex...

UBUNTU-CVE-2015-6938

Cross-site scripting XSS vulnerability in the file browser in notebook/notebookapp.py in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via a folder name. NOTE: this was originally reported as a cross-site reque...