CVE-2021-32862— nbconvert vulnerable to cross-site scripting (XSS) via multiple exploit paths
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2021-32862
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
nbconvert vulnerable to cross-site scripting (XSS) via multiple exploit paths
Source: NVD (National Vulnerability Database)
Vulnerability Description
The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server (eg: nbviewer).
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
nbconvert 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
nbconvert是Project Jupyter开源的一个格式转换库。将 Jupyter .ipynb 笔记本文档文件转换为另一种静态格式,包括 HTML、LaTeX、PDF、Markdown 等。 nbconvert 6.3之前版本存在跨站脚本漏洞,该漏洞源于当使用nbconvert生成用户可控笔记本的HTML版本时,如果这些HTML笔记本由Web服务器(例如:nbviewer)提供服务,有可能注入任意的HTML,从而导致跨站脚本(XSS)漏洞。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2021-32862
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2021-32862
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same vendor: jupyter
- CVE-2026-40171
Jupyter Notebook and JupyterLab token theft via stored XSS i - CVE-2026-39378
nbconvert has an Arbitrary File Read via Path Traversal in H - CVE-2026-39377
nbconvert has an Arbitrary File Write via Path Traversal in - CVE-2025-53000
nbconvert has an uncontrolled search path that leads to unau - CVE-2025-30167
Jupyter Core on Windows Has Uncontrolled Search Path Element
Same weakness: CWE-79
- CVE-2026-8262
Devs Palace ERP Online chart-save cross site scripting - CVE-2026-8256
Devs Palace ERP Online mr-save cross site scripting - CVE-2026-8255
Devs Palace ERP Online add_new_customer cross site scripting - CVE-2026-8254
Devs Palace ERP Online sales_save cross site scripting - CVE-2026-8253
Devs Palace ERP Online purchase_save cross site scripting
V. Comments for CVE-2021-32862
No comments yet