HIGHCVE-2026-33589Published 2026-05-07Modified 2026-05-07CNA ENISA

CVE-2026-33589: Arbitrary File Read via Local File Inclusion (LFI)

Lack of user input validation in the file upload functionality of Open Notebook v1.8.3 allows the application user to access local files content from the docker container via path traversal.

CVSS v4.0: 8.2
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

Open Notebook / Open Notebook
≤ 1.8.3

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

References

github.com

Metrics