CVE-2026-33587
Severity: CRITICAL
WAF coverage: Medium
CVSS: 10.0
Published: 2026-05-07
CWE-20
Lack of user input sanitisation in Open Notebook v1.8.3 allows an application user to execute Python code (and, from there, OS commands) inside the Docker container via Server-Side Template Injection (SSTI) in user-created transformations.
WAF Coverage Analysis
Improper Input Validation
Medium WAF Coverage
OWASP: A03:2021 Injection
Rule groups:
- 920xxx - Protocol Enforcement
- 941xxx - XSS / XXE
- 942xxx - SQL Injection
Affected Software
| Vendor | Product | Version |
|---|---|---|
| lfnovo | open-notebook | up to 1.8.4 |
References
- github.com (Vendor Advisory)