CVE-2025-61669 (GCVE-0-2025-61669)
Vulnerability from cvelistv5 – Published: 2026-05-05 15:28 – Updated: 2026-05-05 20:16
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
| URL | Tags |
|---|---|
| https://github.com/jupyter-server/jupyter_server/… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| jupyter-server | jupyter_server | Affected: <= 2.17.0 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61669",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-05T20:16:38.460105Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T20:16:59.332Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jupyter_server",
"vendor": "jupyter-server",
"versions": [
{
"status": "affected",
"version": "\u003c= 2.17.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jupyter Server is the backend for Jupyter web applications. In jupyter_server versions through 2.17.0, the next query parameter in the login flow is insufficiently validated in `LoginFormHandler._redirect_safe()`, which allows redirects to arbitrary external domains via values such as `///example.com`. An attacker can use a crafted login URL to redirect users to a malicious site and facilitate phishing attacks. This issue is fixed in version 2.18.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T15:28:43.833Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w"
}
],
"source": {
"advisory": "GHSA-qh7q-6qm3-653w",
"discovery": "UNKNOWN"
},
"title": "jupyter_server next parameter open redirect can redirect users to external domains"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61669",
"datePublished": "2026-05-05T15:28:43.833Z",
"dateReserved": "2025-09-29T20:25:16.180Z",
"dateUpdated": "2026-05-05T20:16:59.332Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-61669",
"date": "2026-05-27",
"epss": "0.0001",
"percentile": "0.01084"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-61669\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-05T16:16:10.133\",\"lastModified\":\"2026-05-11T13:01:45.537\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Jupyter Server is the backend for Jupyter web applications. In jupyter_server versions through 2.17.0, the next query parameter in the login flow is insufficiently validated in `LoginFormHandler._redirect_safe()`, which allows redirects to arbitrary external domains via values such as `///example.com`. An attacker can use a crafted login URL to redirect users to a malicious site and facilitate phishing attacks. This issue is fixed in version 2.18.0.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailability
Impact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-601\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jupyter:jupyter_server:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.18.0\",\"matchCriteriaId\":\"E0B6C703-7E28-4F23-9878-E157975C32A4\"}]}]}],\"references\":[{\"url\":\"https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-61669\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-05T20:16:38.460105Z\"}}}], \"references\": [{\"url\": \"https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-05T20:16:10.899Z\"}}], \"cna\": {\"title\": \"jupyter_server next parameter open redirect can redirect users to external domains\", \"source\": {\"advisory\": \"GHSA-qh7q-6qm3-653w\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"jupyter-server\", \"product\": \"jupyter_server\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 2.17.0\"}]}], \"references\": [{\"url\": \"https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w\", \"name\": \"https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Jupyter Server is the backend for Jupyter web applications. 
In jupyter_server versions through 2.17.0, the next query parameter in the login flow is insufficiently validated in `LoginFormHandler._redirect_safe()`, which allows redirects to arbitrary external domains via values such as `///example.com`. An attacker can use a crafted login URL to redirect users to a malicious site and facilitate phishing attacks. This issue is fixed in version 2.18.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-601\", \"description\": \"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-05T15:28:43.833Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-61669\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-05T20:16:59.332Z\", \"dateReserved\": \"2025-09-29T20:25:16.180Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-05T15:28:43.833Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2025-61669
Vulnerability from fkie_nvd - Published: 2026-05-05 16:16 - Updated: 2026-05-11 13:01
| Vendor | Product | Version | |
|---|---|---|---|
| jupyter | jupyter_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:jupyter:jupyter_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E0B6C703-7E28-4F23-9878-E157975C32A4",
"versionEndExcluding": "2.18.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Jupyter Server is the backend for Jupyter web applications. In jupyter_server versions through 2.17.0, the next query parameter in the login flow is insufficiently validated in `LoginFormHandler._redirect_safe()`, which allows redirects to arbitrary external domains via values such as `///example.com`. An attacker can use a crafted login URL to redirect users to a malicious site and facilitate phishing attacks. This issue is fixed in version 2.18.0."
}
],
"id": "CVE-2025-61669",
"lastModified": "2026-05-11T13:01:45.537",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-05-05T16:16:10.133",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-QH7Q-6QM3-653W
Vulnerability from github – Published: 2026-05-05 16:32 – Updated: 2026-05-08 13:48
Summary
The ?next=... URL query parameter has an open redirection vulnerability. In jupyter_server<=2.17.0, this URL query parameter allows redirection to arbitrary external domains, which can be exploited to facilitate phishing attacks on server users.
Details
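The vulnerability is caused by insufficient validation in the LoginFormHandler._redirect_safe() method. A value that starts with several slashes, like the one in the PoC below, carries no explicit scheme or host, yet browsers commonly resolve it as a scheme-relative URL on another host, so a check that only looks for those parts can let it through (the handler's exact logic is not shown on this page).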
- Source code reference: https://github.com/jupyter-server/jupyter_server/blob/987ebdd5e188cdc49751b01a0d6782d686492a53/jupyter_server/auth/login.py#L33-L76
This vulnerability was originally reported by Noriaki Iwasaki. All discovery credit goes to them.
PoC
- Navigate to http://localhost:8888/login?next=///google.com
- Observe that the user is redirected to google.com despite it being an external domain.
The external domain passed in the ?next parameter may be replaced with a malicious lookalike to facilitate phishing attacks. Jupyter Server deployments served on a public domain are especially vulnerable, as prod.company.com may be redirected to a look-alike URL such as prod.company.dev.
Impact
This vulnerability affects all users, especially enterprise users who work with sensitive/confidential data.
Patches
Fixed in Jupyter Server 2.18+ (the records on this page give 2.18.0 as the first fixed version).
Workaround
None.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.17.0"
},
"package": {
"ecosystem": "PyPI",
"name": "jupyter-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.18.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-61669"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-05T16:32:48Z",
"nvd_published_at": "2026-05-05T16:16:10Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nThe `?next=...` URL query parameter has an open redirection vulnerability. In `jupyter_server\u003c=2.17.0`, this URL query parameter allows redirection to arbitrary external domains, which can be exploited to facilitate phishing attacks on server users.\n\n### Details\n\nThe vulnerability is caused by insufficient validation in the `LoginFormHandler._redirect_safe()` method.\n\n- Source code reference: https://github.com/jupyter-server/jupyter_server/blob/987ebdd5e188cdc49751b01a0d6782d686492a53/jupyter_server/auth/login.py#L33-L76\n\nThis vulnerability was originally reported by Noriaki Iwasaki. All discovery credit goes to them.\n\n### PoC\n\n1. Navigate to `http://localhost:8888/login?next=///google.com`\n2. Observe that the user is redirected to `google.com` despite it being an external domain.\n\nThe external domain passed in the `?next` parameter may be replaced with a malicious lookalike to facilitate phishing attacks. Jupyter Server deployments served on a public domain are especially vulnerable, as `prod.company.com` may be redirected to a look-alike URL such as `prod.company.dev`. \n\n### Impact\n\nThis vulnerability affects all users, especially enterprise users who work with sensitive/confidential data.\n\n### Patches\n\nJupyter Server 2.18+\n\n### Workaround\n\nNone.",
"id": "GHSA-qh7q-6qm3-653w",
"modified": "2026-05-08T13:48:27Z",
"published": "2026-05-05T16:32:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61669"
},
{
"type": "PACKAGE",
"url": "https://github.com/jupyter-server/jupyter_server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Jupyter Server has an open redirection vulnerability in `next` query parameter"
}
OPENSUSE-SU-2026:10710-1
Vulnerability from csaf_opensuse - Published: 2026-05-06 00:00 - Updated: 2026-05-06 00:00
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "python311-jupyter-server-2.18.1-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the python311-jupyter-server-2.18.1-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10710",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10710-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-61669 page",
"url": "https://www.suse.com/security/cve/CVE-2025-61669/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-35397 page",
"url": "https://www.suse.com/security/cve/CVE-2026-35397/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-40110 page",
"url": "https://www.suse.com/security/cve/CVE-2026-40110/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-40934 page",
"url": "https://www.suse.com/security/cve/CVE-2026-40934/"
}
],
"title": "python311-jupyter-server-2.18.1-1.1 on GA media",
"tracking": {
"current_release_date": "2026-05-06T00:00:00Z",
"generator": {
"date": "2026-05-06T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10710-1",
"initial_release_date": "2026-05-06T00:00:00Z",
"revision_history": [
{
"date": "2026-05-06T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python311-jupyter-server-2.18.1-1.1.aarch64",
"product": {
"name": "python311-jupyter-server-2.18.1-1.1.aarch64",
"product_id": "python311-jupyter-server-2.18.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python311-jupyter-server-test-2.18.1-1.1.aarch64",
"product": {
"name": "python311-jupyter-server-test-2.18.1-1.1.aarch64",
"product_id": "python311-jupyter-server-test-2.18.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python313-jupyter-server-2.18.1-1.1.aarch64",
"product": {
"name": "python313-jupyter-server-2.18.1-1.1.aarch64",
"product_id": "python313-jupyter-server-2.18.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python313-jupyter-server-test-2.18.1-1.1.aarch64",
"product": {
"name": "python313-jupyter-server-test-2.18.1-1.1.aarch64",
"product_id": "python313-jupyter-server-test-2.18.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python314-jupyter-server-2.18.1-1.1.aarch64",
"product": {
"name": "python314-jupyter-server-2.18.1-1.1.aarch64",
"product_id": "python314-jupyter-server-2.18.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python314-jupyter-server-test-2.18.1-1.1.aarch64",
"product": {
"name": "python314-jupyter-server-test-2.18.1-1.1.aarch64",
"product_id": "python314-jupyter-server-test-2.18.1-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-jupyter-server-2.18.1-1.1.ppc64le",
"product": {
"name": "python311-jupyter-server-2.18.1-1.1.ppc64le",
"product_id": "python311-jupyter-server-2.18.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python311-jupyter-server-test-2.18.1-1.1.ppc64le",
"product": {
"name": "python311-jupyter-server-test-2.18.1-1.1.ppc64le",
"product_id": "python311-jupyter-server-test-2.18.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python313-jupyter-server-2.18.1-1.1.ppc64le",
"product": {
"name": "python313-jupyter-server-2.18.1-1.1.ppc64le",
"product_id": "python313-jupyter-server-2.18.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python313-jupyter-server-test-2.18.1-1.1.ppc64le",
"product": {
"name": "python313-jupyter-server-test-2.18.1-1.1.ppc64le",
"product_id": "python313-jupyter-server-test-2.18.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python314-jupyter-server-2.18.1-1.1.ppc64le",
"product": {
"name": "python314-jupyter-server-2.18.1-1.1.ppc64le",
"product_id": "python314-jupyter-server-2.18.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python314-jupyter-server-test-2.18.1-1.1.ppc64le",
"product": {
"name": "python314-jupyter-server-test-2.18.1-1.1.ppc64le",
"product_id": "python314-jupyter-server-test-2.18.1-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-jupyter-server-2.18.1-1.1.s390x",
"product": {
"name": "python311-jupyter-server-2.18.1-1.1.s390x",
"product_id": "python311-jupyter-server-2.18.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python311-jupyter-server-test-2.18.1-1.1.s390x",
"product": {
"name": "python311-jupyter-server-test-2.18.1-1.1.s390x",
"product_id": "python311-jupyter-server-test-2.18.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python313-jupyter-server-2.18.1-1.1.s390x",
"product": {
"name": "python313-jupyter-server-2.18.1-1.1.s390x",
"product_id": "python313-jupyter-server-2.18.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python313-jupyter-server-test-2.18.1-1.1.s390x",
"product": {
"name": "python313-jupyter-server-test-2.18.1-1.1.s390x",
"product_id": "python313-jupyter-server-test-2.18.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python314-jupyter-server-2.18.1-1.1.s390x",
"product": {
"name": "python314-jupyter-server-2.18.1-1.1.s390x",
"product_id": "python314-jupyter-server-2.18.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python314-jupyter-server-test-2.18.1-1.1.s390x",
"product": {
"name": "python314-jupyter-server-test-2.18.1-1.1.s390x",
"product_id": "python314-jupyter-server-test-2.18.1-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-jupyter-server-2.18.1-1.1.x86_64",
"product": {
"name": "python311-jupyter-server-2.18.1-1.1.x86_64",
"product_id": "python311-jupyter-server-2.18.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python311-jupyter-server-test-2.18.1-1.1.x86_64",
"product": {
"name": "python311-jupyter-server-test-2.18.1-1.1.x86_64",
"product_id": "python311-jupyter-server-test-2.18.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python313-jupyter-server-2.18.1-1.1.x86_64",
"product": {
"name": "python313-jupyter-server-2.18.1-1.1.x86_64",
"product_id": "python313-jupyter-server-2.18.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python313-jupyter-server-test-2.18.1-1.1.x86_64",
"product": {
"name": "python313-jupyter-server-test-2.18.1-1.1.x86_64",
"product_id": "python313-jupyter-server-test-2.18.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python314-jupyter-server-2.18.1-1.1.x86_64",
"product": {
"name": "python314-jupyter-server-2.18.1-1.1.x86_64",
"product_id": "python314-jupyter-server-2.18.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python314-jupyter-server-test-2.18.1-1.1.x86_64",
"product": {
"name": "python314-jupyter-server-test-2.18.1-1.1.x86_64",
"product_id": "python314-jupyter-server-test-2.18.1-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-jupyter-server-2.18.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.aarch64"
},
"product_reference": "python311-jupyter-server-2.18.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-jupyter-server-2.18.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.ppc64le"
},
"product_reference": "python311-jupyter-server-2.18.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-jupyter-server-2.18.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.s390x"
},
"product_reference": "python311-jupyter-server-2.18.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-jupyter-server-2.18.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.x86_64"
},
"product_reference": "python311-jupyter-server-2.18.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-jupyter-server-test-2.18.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.aarch64"
},
"product_reference": "python311-jupyter-server-test-2.18.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-jupyter-server-test-2.18.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.ppc64le"
},
"product_reference": "python311-jupyter-server-test-2.18.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-jupyter-server-test-2.18.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.s390x"
},
"product_reference": "python311-jupyter-server-test-2.18.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-jupyter-server-test-2.18.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.x86_64"
},
"product_reference": "python311-jupyter-server-test-2.18.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-jupyter-server-2.18.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.aarch64"
},
"product_reference": "python313-jupyter-server-2.18.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-jupyter-server-2.18.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.ppc64le"
},
"product_reference": "python313-jupyter-server-2.18.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-jupyter-server-2.18.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.s390x"
},
"product_reference": "python313-jupyter-server-2.18.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-jupyter-server-2.18.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.x86_64"
},
"product_reference": "python313-jupyter-server-2.18.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-jupyter-server-test-2.18.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.aarch64"
},
"product_reference": "python313-jupyter-server-test-2.18.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-jupyter-server-test-2.18.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.ppc64le"
},
"product_reference": "python313-jupyter-server-test-2.18.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-jupyter-server-test-2.18.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.s390x"
},
"product_reference": "python313-jupyter-server-test-2.18.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-jupyter-server-test-2.18.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.x86_64"
},
"product_reference": "python313-jupyter-server-test-2.18.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-jupyter-server-2.18.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.aarch64"
},
"product_reference": "python314-jupyter-server-2.18.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-jupyter-server-2.18.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.ppc64le"
},
"product_reference": "python314-jupyter-server-2.18.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-jupyter-server-2.18.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.s390x"
},
"product_reference": "python314-jupyter-server-2.18.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-jupyter-server-2.18.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.x86_64"
},
"product_reference": "python314-jupyter-server-2.18.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-jupyter-server-test-2.18.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.aarch64"
},
"product_reference": "python314-jupyter-server-test-2.18.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-jupyter-server-test-2.18.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.ppc64le"
},
"product_reference": "python314-jupyter-server-test-2.18.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-jupyter-server-test-2.18.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.s390x"
},
"product_reference": "python314-jupyter-server-test-2.18.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-jupyter-server-test-2.18.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.x86_64"
},
"product_reference": "python314-jupyter-server-test-2.18.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-61669",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-61669"
}
],
"notes": [
{
"category": "general",
"text": "Jupyter Server is the backend for Jupyter web applications. In jupyter_server versions through 2.17.0, the next query parameter in the login flow is insufficiently validated in `LoginFormHandler._redirect_safe()`, which allows redirects to arbitrary external domains via values such as `///example.com`. An attacker can use a crafted login URL to redirect users to a malicious site and facilitate phishing attacks. This issue is fixed in version 2.18.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-61669",
"url": "https://www.suse.com/security/cve/CVE-2025-61669"
},
{
"category": "external",
"summary": "SUSE Bug 1264161 for CVE-2025-61669",
"url": "https://bugzilla.suse.com/1264161"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-06T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-61669"
},
{
"cve": "CVE-2026-35397",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-35397"
}
],
"notes": [
{
"category": "general",
"text": "Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, a path traversal vulnerability in the REST API allows an authenticated user to escape the configured root_dir and access sibling directories whose names begin with the same prefix as the root_dir. For example, with a root_dir named \"test\", the API permits access to a sibling directory named \"testtest\" through a crafted request to the /api/contents endpoint using encoded path components. An attacker can read, write, and delete files in affected sibling directories. Multi-tenant deployments using predictable naming schemes are particularly at risk, as a user with a directory named \"user1\" could access directories for user10 through user19 and beyond. A user who can choose a single-character folder name could gain access to a significant number of sibling directories. \n\nVersion 2.18.0 contains a fix. As a workaround, ensure folder names do not share a common prefix with any sibling directory.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-35397",
"url": "https://www.suse.com/security/cve/CVE-2026-35397"
},
{
"category": "external",
"summary": "SUSE Bug 1264212 for CVE-2026-35397",
"url": "https://bugzilla.suse.com/1264212"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-06T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-35397"
},
{
"cve": "CVE-2026-40110",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-40110"
}
],
"notes": [
{
"category": "general",
"text": "Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python\u0027s re.match() to check incoming origins against the allow_origin_pat configuration value. Because re.match() only anchors at the start of the string and does not require a full match, a pattern intended to match only a trusted domain (e.g., trusted.example.com) will also match any origin that begins with that domain followed by additional characters (e.g., trusted.example.com.evil.com). An attacker who controls such a domain can bypass the CORS origin restriction and make cross-origin requests to the Jupyter Server API from an untrusted site. This issue has been fixed in version 2.18.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-40110",
"url": "https://www.suse.com/security/cve/CVE-2026-40110"
},
{
"category": "external",
"summary": "SUSE Bug 1264213 for CVE-2026-40110",
"url": "https://bugzilla.suse.com/1264213"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-06T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-40110"
},
{
"cve": "CVE-2026-40934",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-40934"
}
],
"notes": [
{
"category": "general",
"text": "Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated when a user changes their password. After a password reset and server restart, any previously issued authentication cookie remains cryptographically valid because the signing key has not changed. An attacker who has captured a session cookie through any means retains full authenticated access to the server regardless of subsequent password changes. This affects deployments using password-based authentication, particularly shared or public-facing servers where credential rotation is expected to revoke existing sessions. This issue has been fixed in version 2.18.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-40934",
"url": "https://www.suse.com/security/cve/CVE-2026-40934"
},
{
"category": "external",
"summary": "SUSE Bug 1264214 for CVE-2026-40934",
"url": "https://bugzilla.suse.com/1264214"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-06T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-40934"
}
]
}
PYSEC-2026-67
Vulnerability from pysec - Published: 2026-05-05 16:16 - Updated: 2026-05-20 09:19

Jupyter Server is the backend for Jupyter web applications. In jupyter_server versions through 2.17.0, the `next` query parameter in the login flow is insufficiently validated in `LoginFormHandler._redirect_safe()`, which allows redirects to arbitrary external domains via values such as `///example.com`. An attacker can use a crafted login URL to redirect users to a malicious site and facilitate phishing attacks. This issue is fixed in version 2.18.0.
| Name | purl |
|---|---|
| jupyter-server | pkg:pypi/jupyter-server |
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "jupyter-server",
"purl": "pkg:pypi/jupyter-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.18.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.0.0",
"0.0.1",
"0.0.2",
"0.0.3",
"0.0.4",
"0.0.5",
"0.1.0",
"0.1.1",
"0.2.0",
"0.2.1",
"0.3.0",
"1.0.0",
"1.0.0rc0",
"1.0.0rc1",
"1.0.0rc10",
"1.0.0rc11",
"1.0.0rc12",
"1.0.0rc13",
"1.0.0rc14",
"1.0.0rc15",
"1.0.0rc16",
"1.0.0rc2",
"1.0.0rc3",
"1.0.0rc4",
"1.0.0rc5",
"1.0.0rc6",
"1.0.0rc7",
"1.0.0rc8",
"1.0.0rc9",
"1.0.1",
"1.0.10",
"1.0.11",
"1.0.2",
"1.0.3",
"1.0.4",
"1.0.5",
"1.0.6",
"1.0.7",
"1.0.8",
"1.0.9",
"1.1.0",
"1.1.1",
"1.1.2",
"1.1.3",
"1.1.4",
"1.10.0",
"1.10.1",
"1.10.2",
"1.11.0",
"1.11.1",
"1.11.2",
"1.12.0",
"1.12.1",
"1.13.0",
"1.13.1",
"1.13.2",
"1.13.3",
"1.13.4",
"1.13.5",
"1.15.0",
"1.15.1",
"1.15.2",
"1.15.3",
"1.15.4",
"1.15.5",
"1.15.6",
"1.16.0",
"1.17.0",
"1.17.1",
"1.18.0",
"1.18.1",
"1.19.0",
"1.19.1",
"1.2.0",
"1.2.1",
"1.2.2",
"1.2.3",
"1.21.0",
"1.23.0",
"1.23.1",
"1.23.2",
"1.23.3",
"1.23.4",
"1.23.5",
"1.23.6",
"1.24.0",
"1.3.0",
"1.4.0",
"1.4.1",
"1.5.0",
"1.5.1",
"1.6.0",
"1.6.1",
"1.6.2",
"1.6.3",
"1.6.4",
"1.7.0",
"1.7.0a1",
"1.7.0a2",
"1.8.0",
"1.9.0",
"2.0.0",
"2.0.0a0",
"2.0.0a1",
"2.0.0a2",
"2.0.0b0",
"2.0.0b1",
"2.0.0rc0",
"2.0.0rc1",
"2.0.0rc2",
"2.0.0rc3",
"2.0.0rc4",
"2.0.0rc5",
"2.0.0rc6",
"2.0.0rc7",
"2.0.0rc8",
"2.0.1",
"2.0.2",
"2.0.3",
"2.0.4",
"2.0.5",
"2.0.6",
"2.0.7",
"2.1.0",
"2.10.0",
"2.10.1",
"2.11.0",
"2.11.1",
"2.11.2",
"2.12.0",
"2.12.1",
"2.12.2",
"2.12.3",
"2.12.4",
"2.12.5",
"2.13.0",
"2.14.0",
"2.14.1",
"2.14.2",
"2.15.0",
"2.16.0",
"2.17.0",
"2.2.0",
"2.2.1",
"2.3.0",
"2.4.0",
"2.5.0",
"2.6.0",
"2.7.0",
"2.7.1",
"2.7.2",
"2.7.3",
"2.8.0",
"2.9.0",
"2.9.1"
]
}
],
"aliases": [
"CVE-2025-61669",
"GHSA-qh7q-6qm3-653w"
],
"details": "Jupyter Server is the backend for Jupyter web applications. In jupyter_server versions through 2.17.0, the next query parameter in the login flow is insufficiently validated in `LoginFormHandler._redirect_safe()`, which allows redirects to arbitrary external domains via values such as `///example.com`. An attacker can use a crafted login URL to redirect users to a malicious site and facilitate phishing attacks. This issue is fixed in version 2.18.0.",
"id": "PYSEC-2026-67",
"modified": "2026-05-20T09:19:02.865171Z",
"published": "2026-05-05T16:16:10.133Z",
"references": [
{
"type": "EVIDENCE",
"url": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.