CVE-2026-44727

Description

The nbconvert HTTP handlers in jupyter_server render user-authored notebook HTML under the Jupyter origin without a sandbox directive in their `Content-Security-Policy`. Combined with `nbconvert.HTMLExporter`'s default non-sanitizing behavior, a notebook carrying an HTML payload in a display_data output triggers stored XSS with cookie access, full /api/* authority, and kernel RCE. ### Impact An authenticated victim who navigates to `/nbconvert/html/<path>` containing attacker-authored output can have their token exfiltrated to another domain because it is executed in the Jupyter origin. ### Patches Fixed in v2.20.0, commit [6cbee8d](https://github.com/jupyter-server/jupyter_server/commit/6cbee8d65e71abac851c4492fea987ad080580bd) ### Workarounds For deployments where editing the installed jupyter_server is impractical (containerized builds, read-only images), adding this to jupyter_server_config.py has the same effect as the patch above without touching source files: ``` import jupyter_server.nbconvert.handlers as _nb def _csp(self): return super(type(self), self).content_security_policy + "; sandbox allow-scripts" _nb.NbconvertFileHandler.content_security_policy = property(_csp) _nb.NbconvertPostHandler.content_security_policy = property(_csp) ```

How to fix CVE-2026-44727

To remediate CVE-2026-44727, upgrade the affected package to a fixed version below.

• —upgrade to 2.20.0 or later

Is CVE-2026-44727 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-44727.

Affected packages (1)

• from 0, < 2.20.0

CVSS scores

References (3)

• PATCHgithub.com/jupyter-server/jupyter_server
• WEBgithub.com/jupyter-server/jupyter_server/commit/6cbee8d65e71abac851c4492fea987ad080580bd
• WEBgithub.com/jupyter-server/jupyter_server/security/advisories/GHSA-fcw5-x6j4-ccmp