{"id":"CVE-2018-19352","details":"Jupyter Notebook before 5.7.2 allows XSS via a crafted directory name because notebook/static/tree/js/notebooklist.js handles certain URLs unsafely.","aliases":["GHSA-3p4q-x8f3-p7vq","PYSEC-2018-18"],"modified":"2026-04-10T04:08:47.442396Z","published":"2018-11-18T17:29:00.360Z","references":[{"type":"ADVISORY","url":"https://github.com/jupyter/notebook/blob/master/docs/source/changelog.rst"},{"type":"ADVISORY","url":"https://pypi.org/project/notebook/#history"},{"type":"FIX","url":"https://github.com/jupyter/notebook/commit/288b73e1edbf527740e273fcc69b889460871648"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jupyter/notebook","events":[{"introduced":"0"},{"fixed":"94ac73c4669e7d3613571ff546da7e9fba89cb83"},{"fixed":"288b73e1edbf527740e273fcc69b889460871648"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"5.7.2"}]}}],"versions":["4.0.0","4.0.1","4.1.0","5.0.0","5.0.0-rc.1","5.0.0b1","5.0.0b2","5.0.0rc2","5.1.0","5.1.0rc1","5.1.0rc3","5.2.0","5.2.0rc1","5.3.0","5.3.0rc1","5.3.1","5.4.0","5.5.0","5.5.0rc1","5.6.0","5.6.0rc1","5.7.0","5.7.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-19352.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}