CVE-2018-8768
CVE-2018-8768 is a high-severity vulnerability in Jupyter Notebook with a CVSS 3.x base score of 7.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low.
Key facts
- Severity: High (CVSS 3.x base score 7.8)
- CVSS v2: 6.8
- EPSS exploit prediction: 1% (62nd percentile)
- Actively exploited: Not listed in CISA KEV
- Affected product: Jupyter Notebook
- Published:
- Last modified:
Description
In Jupyter Notebook before 5.4.1, a maliciously forged notebook file can bypass sanitization to execute JavaScript in the notebook context. Specifically, invalid HTML is 'fixed' by jQuery after sanitization, making it dangerous.
Frequently asked questions
- What is CVE-2018-8768?
- In Jupyter Notebook before 5.4.1, a maliciously forged notebook file can bypass sanitization to execute JavaScript in the notebook context. Specifically, invalid HTML is 'fixed' by jQuery after sanitization, making it dangerous.
- How severe is CVE-2018-8768?
- CVE-2018-8768 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2018-8768 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (62nd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2018-8768?
- CVE-2018-8768 affects Jupyter Notebook. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2018-8768?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2018-8768 published?
- CVE-2018-8768 was published on 2018-03-18 and last updated on 2026-06-17.
References
- http://openwall.com/lists/oss-security/2018/03/15/2
- https://lists.debian.org/debian-lts-announce/2020/11/msg00033.html
Affected products (1)
- cpe:2.3:a:jupyter:notebook:*:*:*:*:*:*:*:*
More vulnerabilities in Jupyter Notebook
- CVE-2021-32798 — Critical (CVSS 10.0): The Jupyter notebook is a web-based notebook environment for interactive computing. In affected versions untrusted…
- CVE-2026-42557 — Critical (CVSS 9.6): jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook…
- CVE-2024-43805 — High (CVSS 7.6): jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook…
- CVE-2024-22421 — High (CVSS 7.6): JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and…
- CVE-2022-24758 — High (CVSS 7.5): The Jupyter notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.9,…
- CVE-2015-7337 — Medium (CVSS 6.8): The editor in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to execute…