Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/jupyterhub@2.0.0b2

Type pypi

Namespace

Name jupyterhub

Version 2.0.0b2

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 5.4.5

Latest_non_vulnerable_version 5.4.5

Affected_by_vulnerabilities

url VCID-5d2g-z6vz-gkb8

vulnerability_id VCID-5d2g-z6vz-gkb8

summary JupyterHub is software that allows one to create a multi-user server for Jupyter notebooks. Prior to version 5.4.4, an open redirect vulnerability in JupyterHub allows attackers to construct links which, when clicked, take users to the JupyterHub login page, after which they are sent to an arbitrary attacker-controlled site outside JupyterHub instead of a JupyterHub page, bypassing JupyterHub's check to prevent this. This issue has been patched in version 5.4.4.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-33709

reference_id

reference_type

scores

value	0.00014
scoring_system	epss
scoring_elements	0.0257
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-33709

reference_url

https://github.com/jupyterhub/jupyterhub

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/jupyterhub/jupyterhub

reference_url

https://github.com/jupyterhub/jupyterhub/releases/tag/5.4.4

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-06T17:33:39Z/

url

https://github.com/jupyterhub/jupyterhub/releases/tag/5.4.4

reference_url

https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-3vff-hjqv-m7h8

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-06T17:33:39Z/

url

https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-3vff-hjqv-m7h8

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-33709

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-33709

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132715
reference_id	1132715
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132715

reference_url	https://github.com/advisories/GHSA-3vff-hjqv-m7h8
reference_id	GHSA-3vff-hjqv-m7h8
reference_type
scores
url	https://github.com/advisories/GHSA-3vff-hjqv-m7h8

fixed_packages

url pkg:pypi/jupyterhub@5.4.4

purl pkg:pypi/jupyterhub@5.4.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-yh4a-fw6z-tyfc

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/jupyterhub@5.4.4

aliases CVE-2026-33709, GHSA-3vff-hjqv-m7h8

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5d2g-z6vz-gkb8

url VCID-g6zf-6yqx-r7gx

vulnerability_id VCID-g6zf-6yqx-r7gx

summary

Cross site scripting (XSS) in JupyterHub via Self-XSS leveraged by Cookie Tossing
Affected configurations:

- Single-origin JupyterHub deployments
- JupyterHub deployments with user-controlled applications running on subdomains or peer subdomains of either the Hub or a single-user server.

By tricking a user into visiting a malicious subdomain, the attacker can achieve an XSS directly affecting the former's session. More precisely, in the context of JupyterHub, this XSS could achieve the following:

- Full access to JupyterHub API and user's single-user server, e.g.
- Create and exfiltrate an API Token
- Exfiltrate all files hosted on the user's single-user server: notebooks, images, etc.
- Install malicious extensions. They can be used as a backdoor to silently regain access to victim's session anytime.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-28233

reference_id

reference_type

scores

value	0.0011
scoring_system	epss
scoring_elements	0.29065
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-28233

reference_url

https://github.com/jupyterhub/jupyterhub

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/jupyterhub/jupyterhub

reference_url

https://github.com/jupyterhub/jupyterhub/commit/e2798a088f5ad45340fe79cdf1386198e664f77f

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-15T14:36:04Z/

url

https://github.com/jupyterhub/jupyterhub/commit/e2798a088f5ad45340fe79cdf1386198e664f77f

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070388
reference_id	1070388
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070388

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-28233

reference_id

CVE-2024-28233

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-28233

reference_url

https://github.com/advisories/GHSA-7r3h-4ph8-w38g

reference_id

GHSA-7r3h-4ph8-w38g

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-7r3h-4ph8-w38g

reference_url

https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-7r3h-4ph8-w38g

reference_id

GHSA-7r3h-4ph8-w38g

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-15T14:36:04Z/

url

https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-7r3h-4ph8-w38g

fixed_packages

url pkg:pypi/jupyterhub@4.1.0

purl pkg:pypi/jupyterhub@4.1.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-5d2g-z6vz-gkb8

vulnerability	VCID-jruk-8qvr-d3hh

vulnerability	VCID-yh4a-fw6z-tyfc

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/jupyterhub@4.1.0

aliases CVE-2024-28233, GHSA-7r3h-4ph8-w38g

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g6zf-6yqx-r7gx

url VCID-jruk-8qvr-d3hh

vulnerability_id VCID-jruk-8qvr-d3hh

summary

JupyterHub is software that allows one to create a multi-user server for Jupyter notebooks. Prior to versions 4.1.6 and 5.1.0, if a user is granted the `admin:users` scope, they may escalate their own privileges by making themselves a full admin user. The impact is relatively small in that `admin:users` is already an extremely privileged scope only granted to trusted users.
In effect, `admin:users` is equivalent to `admin=True`, which is not intended. Note that the change here only prevents escalation to the built-in JupyterHub admin role that has unrestricted permissions. It does not prevent users with e.g. `groups` permissions from granting themselves or other users permissions via group membership, which is intentional. Versions 4.1.6 and 5.1.0 fix this issue.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-41942

reference_id

reference_type

scores

value	0.0013
scoring_system	epss
scoring_elements	0.32069
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-41942

reference_url

https://github.com/jupyterhub/jupyterhub

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/jupyterhub/jupyterhub

reference_url

https://github.com/jupyterhub/jupyterhub/commit/99e2720b0fc626cbeeca3c6337f917fdacfaa428

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:16:29Z/

url

https://github.com/jupyterhub/jupyterhub/commit/99e2720b0fc626cbeeca3c6337f917fdacfaa428

reference_url

https://github.com/jupyterhub/jupyterhub/commit/ff2db557a85b6980f90c3158634bf924063ab8ba

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:16:29Z/

url

https://github.com/jupyterhub/jupyterhub/commit/ff2db557a85b6980f90c3158634bf924063ab8ba

reference_url

https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-9x4q-3gxw-849f

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:16:29Z/

url

https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-9x4q-3gxw-849f

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/jupyterhub/PYSEC-2024-200.yaml

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/jupyterhub/PYSEC-2024-200.yaml

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078344
reference_id	1078344
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078344

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-41942

reference_id

CVE-2024-41942

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-41942

reference_url

https://github.com/advisories/GHSA-9x4q-3gxw-849f

reference_id

GHSA-9x4q-3gxw-849f

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-9x4q-3gxw-849f

fixed_packages

url pkg:pypi/jupyterhub@4.1.6

purl pkg:pypi/jupyterhub@4.1.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-5d2g-z6vz-gkb8

vulnerability	VCID-yh4a-fw6z-tyfc

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/jupyterhub@4.1.6

url pkg:pypi/jupyterhub@5.1.0

purl pkg:pypi/jupyterhub@5.1.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-5d2g-z6vz-gkb8

vulnerability	VCID-yh4a-fw6z-tyfc

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/jupyterhub@5.1.0

aliases BIT-jupyterhub-2024-41942, CVE-2024-41942, GHSA-9x4q-3gxw-849f, PYSEC-2024-200

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jruk-8qvr-d3hh

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/jupyterhub@2.0.0b2

Package Instance