Bug 2493377 (CVE-2026-6658) - CVE-2026-6658 nbconvert: nbconvert: Cross-site Scripting via unsanitized Mermaid output in HTML exports
Summary: CVE-2026-6658 nbconvert: nbconvert: Cross-site Scripting via unsanitized Merm...
Keywords:
Status: NEW
Alias: CVE-2026-6658
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-26 10:01 UTC by OSIDB Bzimport
Modified: 2026-06-30 04:50 UTC (History)
16 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-26 10:01:11 UTC
A vulnerability in jupyter/nbconvert versions <= 7.17.0 allows for Cross-site Scripting (XSS) via unsanitized `text/vnd.mermaid` output in HTML exports. The `data_mermaid` block in `share/templates/lab/base.html.j2` renders `text/vnd.mermaid` cell output directly into HTML without escaping, enabling attackers to inject arbitrary HTML/JavaScript by breaking out of the `<pre>` tag. This vulnerability impacts any server using nbconvert to render notebooks as HTML, allowing attackers to execute arbitrary JavaScript in the context of users viewing the HTML export.


Note You need to log in before you can comment on or make changes to this bug.