VulnerableCode Package Details - pkg:pypi/bokeh@3.9.0.dev1

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:pypi/bokeh@3.9.0.dev1

Essentials
History (1)

purl	pkg:pypi/bokeh@3.9.0.dev1

Vulnerabilities affecting this package (0)

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerabilities fixed by this package (1)

Vulnerability	Summary	Aliases
VCID-651d-s95h-f3c8	Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist (e.g., dashboard.corp), an attacker can register a domain like dashboard.corp.attacker.com (or use a subdomain if applicable) and lure a victim to visit it. The malicious site can then initiate a WebSocket connection to the vulnerable Bokeh server. Since the Origin header (e.g., http://dashboard.corp.attacker.com/) matches the allowlist according to the flawed logic, the connection is accepted. Once connected, the attacker can interact with the Bokeh server on behalf of the victim, potentially accessing sensitive data, or modifying visualizations. This issue is fixed in version 3.8.2.	CVE-2026-21883 GHSA-793v-589g-574v

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T20:44:04.963485+00:00	GitLab Importer	Fixing	VCID-651d-s95h-f3c8	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/bokeh/CVE-2026-21883.yml	38.6.0