CVE-2026-6658
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk3th percentile — higher than 3% of all known CVEs
Summary
A vulnerability in jupyter/nbconvert versions up to 7.17.0 allows Cross-site Scripting (XSS) via unsanitized `text/vnd.mermaid` output in HTML exports. The `data_mermaid` block in `share/templates/lab/base.html.j2` renders `text/vnd.mermaid` cell output directly into HTML without escaping, enabling attackers to inject arbitrary HTML/JavaScript by breaking out of the `<pre>` tag.
Risk Assessment
The risk for the organization is the potential execution of arbitrary JavaScript in the context of users viewing the exported HTML file, which could lead to data theft, session hijacking, or further attacks on users.
Recommendation
It is recommended to immediately update jupyter/nbconvert to a version newer than 7.17.0, which includes a fix for this vulnerability. If an update is not possible, avoid rendering notebooks with untrusted data in HTML format.
Original NVD description (English source)
A vulnerability in jupyter/nbconvert versions <= 7.17.0 allows for Cross-site Scripting (XSS) via unsanitized `text/vnd.mermaid` output in HTML exports. The `data_mermaid` block in `share/templates/lab/base.html.j2` renders `text/vnd.mermaid` cell output directly into HTML without escaping, enabling attackers to inject arbitrary HTML/JavaScript by breaking out of the `<pre>` tag. This vulnerability impacts any server using nbconvert to render notebooks as HTML, allowing attackers to execute arbitrary JavaScript in the context of users viewing the HTML export.

