AI Threat Alert

CVE-2018-8768: Jupyter Notebook: XSS via malicious .ipynb file

GHSA-6cwv-x26c-w2q4 HIGH
Published July 12, 2018
CISO Take

Any ML/data science team running Jupyter Notebook below 5.4.1 is exposed to code execution if a team member opens a crafted notebook file — a realistic scenario given how freely .ipynb files are shared via GitHub, Slack, and email. Patch immediately to 5.4.1+; audit your notebook-sharing workflows for untrusted sources. The 2018 vintage and low EPSS (0.0012) suggest no active exploitation campaigns, but the attack surface in AI/ML environments is high.

What is the risk?

Risk is moderate-to-high for organizations still running legacy Jupyter instances, which is not uncommon in air-gapped or on-premise ML environments where upgrades lag. The local attack vector (AV:L) requires user interaction — opening a malicious notebook — but AI/ML teams routinely share notebooks from external sources (Kaggle, GitHub, colleagues), making social engineering highly plausible. CVSS 7.8 reflects full C/I/A impact once exploited. Low EPSS indicates no current mass exploitation, but targeted attacks against ML teams are credible.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Jupyter Notebook pip < 5.4.1 5.4.1
13.2K OpenSSF 5.8 3.0K dependents Pushed 4d ago 60% patched ~340d to patch Full package profile →

Do you use Jupyter Notebook? You're affected.

How severe is it?

CVSS 3.1
7.8 / 10
EPSS
1.1%
chance of exploitation in 30 days
Higher than 61% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV AC PR UI S C I A
AV Local
AC Low
PR None
UI Required
S Unchanged
C High
I High
A High

What should I do?

6 steps

  1. Upgrade Jupyter Notebook to >= 5.4.1 immediately — pip install --upgrade notebook.

  2. Audit all running Jupyter instances across ML infrastructure; prioritize JupyterHub deployments.

  3. Enforce a policy: only open .ipynb files from trusted, version-controlled repositories.

  4. For detection: scan .ipynb files (JSON format) for embedded HTML tags containing event handlers (onerror, onload, onmouseover) or script-adjacent patterns before sharing.

  5. Consider nbstripout or similar tools in CI/CD to sanitize notebooks before merge.

  6. Run Jupyter with minimum required OS privileges and network isolation.

How is it classified?

Code Execution Supply Chain Data Extraction Framework AML.T0010.001 AML.T0011 AML.T0011.000 AML.T0025 AML.T0049

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, robustness and cybersecurity
ISO 42001
8.4 - AI system life cycle — security testing A.6.2.3 - Security of AI system
NIST AI RMF
GOVERN 1.2 - Policies and procedures for AI risk management MANAGE 2.2 - Mechanisms for treatment of identified AI risks
OWASP LLM Top 10
LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2018-8768?

Any ML/data science team running Jupyter Notebook below 5.4.1 is exposed to code execution if a team member opens a crafted notebook file — a realistic scenario given how freely .ipynb files are shared via GitHub, Slack, and email. Patch immediately to 5.4.1+; audit your notebook-sharing workflows for untrusted sources. The 2018 vintage and low EPSS (0.0012) suggest no active exploitation campaigns, but the attack surface in AI/ML environments is high.

Is CVE-2018-8768 actively exploited?

No confirmed active exploitation of CVE-2018-8768 has been reported, but organizations should still patch proactively.

How to fix CVE-2018-8768?

1. Upgrade Jupyter Notebook to >= 5.4.1 immediately — pip install --upgrade notebook. 2. Audit all running Jupyter instances across ML infrastructure; prioritize JupyterHub deployments. 3. Enforce a policy: only open .ipynb files from trusted, version-controlled repositories. 4. For detection: scan .ipynb files (JSON format) for embedded HTML tags containing event handlers (onerror, onload, onmouseover) or script-adjacent patterns before sharing. 5. Consider nbstripout or similar tools in CI/CD to sanitize notebooks before merge. 6. Run Jupyter with minimum required OS privileges and network isolation.

What systems are affected by CVE-2018-8768?

This vulnerability affects the following AI/ML architecture patterns: Data science workstations, ML training pipelines, Collaborative notebook environments, JupyterHub multi-user deployments, MLOps experimentation platforms.

What is the CVSS score for CVE-2018-8768?

CVE-2018-8768 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 1.10%.

What is the AI security impact?

Affected AI Architectures

Data science workstationsML training pipelinesCollaborative notebook environmentsJupyterHub multi-user deploymentsMLOps experimentation platforms

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011 User Execution
AML.T0011.000 Unsafe AI Artifacts
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art.15
ISO 42001: 8.4, A.6.2.3
NIST AI RMF: GOVERN 1.2, MANAGE 2.2
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

In Jupyter Notebook before 5.4.1, a maliciously forged notebook file can bypass sanitization to execute JavaScript in the notebook context. Specifically, invalid HTML is 'fixed' by jQuery after sanitization, making it dangerous.

Exploitation Scenario

An adversary targeting an ML engineering team crafts a malicious notebook file containing invalid HTML with an embedded payload — e.g., an img tag with a malformed src attribute that jQuery 'repairs' post-sanitization into a valid XSS vector. The file is uploaded to a public GitHub repo mimicking a legitimate ML tutorial, or sent via Slack as 'a useful training script'. A data scientist opens it in their unpatched Jupyter instance. The JavaScript executes, harvests the Jupyter session cookie, and POSTs it to an attacker-controlled server. The attacker now has full access to the Jupyter server, its filesystem, training data, API keys in environment variables, and any connected databases.

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Timeline

Published
July 12, 2018
Last Modified
September 27, 2024
First Seen
March 24, 2026

Related Vulnerabilities

HIGH CVE-2026-52798 8.9

Gogs: Stored XSS via .ipynb Markdown re-render bypass

Same package: notebook
HIGH CVE-2026-42266 8.8

JupyterLab: Extension allow-list bypass enables privesc

Same package: notebook
HIGH CVE-2026-5422 8.1

jupyter-server: path traversal exposes sibling dir files

Same package: notebook
HIGH CVE-2026-54293 7.5

NLTK: path traversal leaks arbitrary local files

Same package: notebook
HIGH CVE-2026-35397 7.1

Jupyter Server: path traversal leaks sibling directories

Same package: notebook
Back to Threat Feed