CVE-2021-41134
8.7 HIGH
nbdime provides tools for diffing and merging of Jupyter Notebooks
Published: 2021-11-03 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 8.7 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
- CWE: CWE-79
Affected products
| Vendor | Product |
|---|---|
| jupyter | nbdime, nbdime-jupyterlab |
Description
nbdime provides tools for diffing and merging of Jupyter Notebooks. In affected versions a stored cross-site scripting (XSS) issue exists within the Jupyter-owned nbdime project. It appears that when reading the file name and path from disk, the extension does not sanitize the string it constructs before returning it to be displayed. The issue lies in the diffNotebookCheckpoint function: when displaying the name of the local notebook, nbdime appears to simply append .ipynb to the name of the input file. The NbdimeWidget is then created, the unsanitized base string is passed through to the request API function, and from there the frontend renders any HTML tag contained in the name along with everything that follows it. Users are advised to upgrade to the most recent version of the affected product.
Source: NVD
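As an added illustration of the flaw class described above (not nbdime's own code; function names and the label markup are hypothetical), the unsafe pattern of interpolating a notebook name straight into HTML beside a hardened version that escapes it first, with a small check a reviewer can run over the rendered output:

```javascript
// Added example, not taken from nbdime. Shows the pattern described in the
// advisory: a label built as "<name>.ipynb" and handed to the renderer as HTML.

// Hypothetical vulnerable helper: the base name is trusted and interpolated
// into markup unchanged, so any tag in the file name becomes part of the DOM.
function checkpointLabelUnsafe(base) {
  return `<span class="nbdime-label">${base}.ipynb</span>`;
}

// Escape the characters that change meaning inside HTML text and attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hardened helper: escape before interpolating. In a browser the simpler fix
// is to set `element.textContent = base + ".ipynb"` instead of using innerHTML.
function checkpointLabelSafe(base) {
  return `<span class="nbdime-label">${escapeHtml(base)}.ipynb</span>`;
}

// Review/detection aid: after removing the one expected wrapper element,
// does the rendered label still contain a tag that came from the input?
function containsUnescapedTag(html) {
  const inner = html
    .replace(/^<span class="nbdime-label">/, "")
    .replace(/<\/span>$/, "");
  return /<[a-zA-Z/!]/.test(inner);
}

// Constructed sample: a notebook base name that carries markup.
const SAMPLE_BASE = "report<b>bold</b>";

console.log("unsafe:", checkpointLabelUnsafe(SAMPLE_BASE));
console.log("safe:  ", checkpointLabelSafe(SAMPLE_BASE));
```

Run with `node` to see the two renderings side by side; `containsUnescapedTag` returns true only for the unsafe one.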
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2021-41134
- [Patch] https://github.com/jupyter/nbdime/commit/e44a5cc7677f24b45ebafc756db49058c2f750ea
- [Other] https://github.com/jupyter/nbdime/security/advisories/GHSA-p6rw-44q7-3fw4
Related CVEs
Same vendor
- CVE-2026-5422 — A path traversal vulnerability exists in jupyter-server version 2.17.0 due to an incorrect root directory boundary check in the _get_os_p... (8.1 HIGH)
- CVE-2026-40864 — JupyterHub is software that allows users to create a multi-user server for Jupyter notebooks (5.4 MEDIUM)
- CVE-2026-42557 — jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture (9.6 CRITICAL)
- CVE-2026-42266 — JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture (8.8 HIGH)
- CVE-2021-39159 — BinderHub is a kubernetes-based cloud service that allows users to share reproducible interactive computing environments from code reposi... (9.6 CRITICAL)
Same CWE
- CVE-2026-12425 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PowerSchool Employee Access ...
- CVE-2024-30476 — PowerStore contains a Stored Cross-Site Scripting Vulnerability in the PowerStore Manager (5.4 MEDIUM)
- CVE-2026-54198 — Unauthenticated Cross Site Scripting (XSS) in Media Library Assistant <= 3.35 versions (7.1 HIGH)
- CVE-2026-54191 — Unauthenticated Cross Site Scripting (XSS) in Pods <= 3.3.8 versions (7.1 HIGH)
- CVE-2026-39437 — Unauthenticated Cross Site Scripting (XSS) in Min Max Step Quantity Limits Manager for WooCommerce <= 5.2.2 versions (7.1 HIGH)