CRITICALCVE-2026-33587Published Modified CNA ENISA
CVE-2026-33587: Remote Code Execution (RCE) via Server-Side Template Injection (SSTI)
Lack of user input sanitisation in Open Notebook v1.8.3 allows the application user to execute Python code (and subsequently OS commands) on the docker container via Server-Side Template Injection (SSTI) for user-created transformations.
Metrics
- CVSS v4.0
- 9.2
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 1
Affected packages
- Open Notebook / Open Notebook≤ 1.8.3
CVSS Vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:NReferences