Vulnerabilities in jupyterhub

22 results
CVE-2021-39159 | CRITICAL | Remote code execution in Binderhub | EPSS 1.9%
CVE-2021-39160 | CRITICAL | Code injection in nbgitpuller | EPSS 1.7%
CVE-2021-41194 | CRITICAL | Improper Access Control in jupyterhub-firstuseauthenticator | EPSS 1.3%
CVE-2020-26250 | MEDIUM | Base class whitelist configuration ignored in OAuthenticator | EPSS 1.1%
CVE-2022-21697 | MEDIUM | SSRF vulnerability (requires authentication) | EPSS 1.1%
CVE-2024-28179 | CRITICAL | Jupyter Server Proxy's Websocket Proxying does not require authentication | EPSS 1.0%
CVE-2020-15110 | MEDIUM | Possible pod name collisions in jupyterhub-kubespawner | EPSS 0.9%
CVE-2025-32428 | CRITICAL | Jupyter Remote Desktop Proxy makes TigerVNC accessible via the network and not just via a UNIX socket as intended | EPSS 0.8%
CVE-2021-41247 | LOW | incomplete logout in JupyterHub | EPSS 0.8%
CVE-2023-48311 | HIGH | Any image allowed by default | EPSS 0.6%
CVE-2024-41942 | HIGH | JupyterHub has a privilege escalation vulnerability with the `admin:users` scope | EPSS 0.6%
CVE-2024-29033 | HIGH | GoogleOAuthenticator.hosted_domain incorrectly verifies membership of an Google organization/workspace | EPSS 0.6%
CVE-2020-26261 | HIGH | user-readable api tokens in systemd units | EPSS 0.5%
CVE-2024-35225 | CRITICAL | Jupyter Server Proxy has a reflected XSS issue in host parameter | EPSS 0.4%
CVE-2026-33175 | HIGH | OAuthenticator: Authentication Bypass in Auth0OAuthenticator via Unverified Email Claims | EPSS 0.4%
CVE-2022-31027 | MEDIUM | Authorization Bypass Through User-Controlled Key when using CILogonOAuthenticator in oauthenticator | EPSS 0.4%
CVE-2024-37300 | HIGH | Globus `identity_provider` restriction ignored when used with `allow_all` in JupyterHub 5.0 | EPSS 0.4%
CVE-2026-34052 | MEDIUM | LTI JupyterHub Authenticator: Unbounded Memory Growth via Nonce Storage (Denial of Service) | EPSS 0.3%
CVE-2024-28233 | HIGH | XSS in JupyterHub via Self-XSS leveraged by Cookie Tossing | EPSS 0.3%
CVE-2023-25574 | CRITICAL | JupyterHub's LTI13Authenticator: JWT signature not validated | EPSS 0.3%