Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-svcn-u3pj-kkea
Vulnerability ID VCID-svcn-u3pj-kkea
Aliases CVE-2021-41134
GHSA-p6rw-44q7-3fw4
PYSEC-2021-428
Summary nbdime provides tools for diffing and merging of Jupyter Notebooks. In affected versions a stored cross-site scripting (XSS) issue exists within the Jupyter-owned nbdime project. It appears that when reading the file name and path from disk, the extension does not sanitize the string it constructs before returning it to be displayed. The diffNotebookCheckpoint function within nbdime causes this issue. When attempting to display the name of the local notebook (diffNotebookCheckpoint), nbdime appears to simply append .ipynb to the name of the input file. The NbdimeWidget is then created, and the base string is passed through to the request API function. From there, the frontend simply renders the HTML tag and anything along with it. Users are advised to patch to the most recent version of the affected product.
Status Published
Exploitability 0.5
Weighted Severity 7.8
Risk 3.9
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00337 https://api.first.org/data/v1/epss?cve=CVE-2021-41134
epss 0.00337 https://api.first.org/data/v1/epss?cve=CVE-2021-41134
epss 0.00337 https://api.first.org/data/v1/epss?cve=CVE-2021-41134
epss 0.00337 https://api.first.org/data/v1/epss?cve=CVE-2021-41134
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-p6rw-44q7-3fw4
cvssv3.1 8.7 https://github.com/jupyter/nbdime
cvssv4 6.3 https://github.com/jupyter/nbdime
generic_textual MODERATE https://github.com/jupyter/nbdime
cvssv3.1 8.7 https://github.com/jupyter/nbdime/commit/e44a5cc7677f24b45ebafc756db49058c2f750ea
cvssv4 6.3 https://github.com/jupyter/nbdime/commit/e44a5cc7677f24b45ebafc756db49058c2f750ea
generic_textual MODERATE https://github.com/jupyter/nbdime/commit/e44a5cc7677f24b45ebafc756db49058c2f750ea
cvssv3.1 8.7 https://github.com/jupyter/nbdime/security/advisories/GHSA-p6rw-44q7-3fw4
cvssv3.1_qr MODERATE https://github.com/jupyter/nbdime/security/advisories/GHSA-p6rw-44q7-3fw4
cvssv4 6.3 https://github.com/jupyter/nbdime/security/advisories/GHSA-p6rw-44q7-3fw4
generic_textual MODERATE https://github.com/jupyter/nbdime/security/advisories/GHSA-p6rw-44q7-3fw4
cvssv3.1 8.7 https://github.com/pypa/advisory-database/tree/main/vulns/nbdime/PYSEC-2021-428.yaml
cvssv4 6.3 https://github.com/pypa/advisory-database/tree/main/vulns/nbdime/PYSEC-2021-428.yaml
generic_textual MODERATE https://github.com/pypa/advisory-database/tree/main/vulns/nbdime/PYSEC-2021-428.yaml
cvssv3.1 8.7 https://nvd.nist.gov/vuln/detail/CVE-2021-41134
cvssv4 6.3 https://nvd.nist.gov/vuln/detail/CVE-2021-41134
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2021-41134
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2021-41134
https://github.com/jupyter/nbdime
https://github.com/jupyter/nbdime/commit/e44a5cc7677f24b45ebafc756db49058c2f750ea
https://github.com/jupyter/nbdime/security/advisories/GHSA-p6rw-44q7-3fw4
https://github.com/pypa/advisory-database/tree/main/vulns/nbdime/PYSEC-2021-428.yaml
https://nvd.nist.gov/vuln/detail/CVE-2021-41134
GHSA-p6rw-44q7-3fw4 https://github.com/advisories/GHSA-p6rw-44q7-3fw4
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N Found at https://github.com/jupyter/nbdime
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N Found at https://github.com/jupyter/nbdime
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N Found at https://github.com/jupyter/nbdime/commit/e44a5cc7677f24b45ebafc756db49058c2f750ea
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N Found at https://github.com/jupyter/nbdime/commit/e44a5cc7677f24b45ebafc756db49058c2f750ea
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N Found at https://github.com/jupyter/nbdime/security/advisories/GHSA-p6rw-44q7-3fw4
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N Found at https://github.com/jupyter/nbdime/security/advisories/GHSA-p6rw-44q7-3fw4
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/nbdime/PYSEC-2021-428.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/nbdime/PYSEC-2021-428.yaml
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2021-41134
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2021-41134
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.56931
EPSS Score 0.00337
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T20:54:06.563549+00:00 PyPI Importer Import https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0