CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-6658

mediumCVSS 5.4covered by 1 sourcefirst seen 2026-06-26
A vulnerability in jupyter/nbconvert versions <= 7.17.0 allows for Cross-site Scripting (XSS) via unsanitized text/vnd.mermaid output in HTML exports. The data_mermaid block in share/templates/lab/base.html.j2 renders text/vnd.mermaid cell output directly into HTML without escaping, enabling attackers to inject arbitrary HTML/JavaScript by breaking out of the <pre> tag. This vulnerability impacts any server using nbconvert to render notebooks as HTML, allowing attackers to execute arbitrary JavaScript in the context of users viewing the HTML export.

⚡ Watch CVE-2026-6658

Get an email if CVE-2026-6658 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-6658

CVE.org record

Embed the live status

CVE-2026-6658 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-6658 status](https://www.csirts.com/badge/CVE-2026-6658)](https://www.csirts.com/cve/CVE-2026-6658)