CVE-2026-35397
Jupyter Server (versions ≤ 2.17.0) contains a path traversal flaw in its REST API (/api/contents) that lets an authenticated user access sibling directories whose names share a prefix with the configured root_dir. For example, a root_dir named test could expose testtest, enabling reading, writing...