CVE-2026-33587

10.0 CRITICAL
Published: May 07, 2026 Modified: May 07, 2026

Description

Lack of user input sanitisation in Open Notebook v1.8.3 allows the application user to execute Python code (and subsequently OS commands) in the Docker container via Server-Side Template Injection (SSTI) in user-created transformations.

AI Explanation

### 1. Plain-Language Summary

This vulnerability exists in Open Notebook v1.8.3 because it fails to properly sanitize user input in its "user-created transformations" feature. This allows attackers to inject malicious template code that executes arbitrary Python commands, potentially enabling full control of the underlying Docker container.

### 2. Who Is Affected

- **Product**: Open Notebook
- **Affected Version**: v1.8.3
- **Scope**: Users running the application in a

Generated: 2026-06-01 00:54

CVSS v3.x Details

Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

https://github.com/lfnovo/open-notebook/security/advisories/GHSA-f35w-wx37-26q7
Source: a6d3dc9e-0591-4a13-bce7-0f5b31ff6158
Vendor Advisory

1 reference(s) from NVD

Quick Stats

CVSS v3 Score
10.0 / 10.0
EPSS (Exploit Probability)
0.1%
29th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

Affected Vendors

lfnovo