Search for packages
| purl | pkg:pypi/bokeh@3.1.0.dev3 |
| Next non-vulnerable version | 3.8.2 |
| Latest non-vulnerable version | 3.9.0.dev1 |
| Risk | 3.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-651d-s95h-f3c8
Aliases: CVE-2026-21883 GHSA-793v-589g-574v |
Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist (e.g., dashboard.corp), an attacker can register a domain like dashboard.corp.attacker.com (or use a subdomain if applicable) and lure a victim to visit it. The malicious site can then initiate a WebSocket connection to the vulnerable Bokeh server. Since the Origin header (e.g., http://dashboard.corp.attacker.com/) matches the allowlist according to the flawed logic, the connection is accepted. Once connected, the attacker can interact with the Bokeh server on behalf of the victim, potentially accessing sensitive data, or modifying visualizations. This issue is fixed in version 3.8.2. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-12T20:44:04.483176+00:00 | GitLab Importer | Affected by | VCID-651d-s95h-f3c8 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/bokeh/CVE-2026-21883.yml | 38.6.0 |