PYSEC-2026-67

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/jupyter-server/PYSEC-2026-67.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2026-67

Aliases

CVE-2025-61669
GHSA-qh7q-6qm3-653w

Published

2026-05-05T16:16:10.133Z

Modified

2026-05-20T09:19:02.865171Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Jupyter Server is the backend for Jupyter web applications. In jupyter_server versions through 2.17.0, the next query parameter in the login flow is insufficiently validated in LoginFormHandler._redirect_safe(), which allows redirects to arbitrary external domains via values such as ///example.com. An attacker can use a crafted login URL to redirect users to a malicious site and facilitate phishing attacks. This issue is fixed in version 2.18.0.

References

https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w

Affected packages

PyPI / jupyter-server

Package

Name: jupyter-server; View open source insights on deps.dev
Purl: pkg:pypi/jupyter-server

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.18.0

Affected versions

0.*

0.0.0

0.0.1

0.0.2

0.0.3

0.0.4

0.0.5

0.1.0

0.1.1

0.2.0

0.2.1

0.3.0

1.*

1.0.0rc0

1.0.0rc1

1.0.0rc2

1.0.0rc3

1.0.0rc4

1.0.0rc5

1.0.0rc6

1.0.0rc7

1.0.0rc8

1.0.0rc9

1.0.0rc10

1.0.0rc11

1.0.0rc12

1.0.0rc13

1.0.0rc14

1.0.0rc15

1.0.0rc16

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.0.10

1.0.11

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.2.0

1.2.1

1.2.2

1.2.3

1.3.0

1.4.0

1.4.1

1.5.0

1.5.1

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

1.7.0a1

1.7.0a2

1.7.0

1.8.0

1.9.0

1.10.0

1.10.1

1.10.2

1.11.0

1.11.1

1.11.2

1.12.0

1.12.1

1.13.0

1.13.1

1.13.2

1.13.3

1.13.4

1.13.5

1.15.0

1.15.1

1.15.2

1.15.3

1.15.4

1.15.5

1.15.6

1.16.0

1.17.0

1.17.1

1.18.0

1.18.1

1.19.0

1.19.1

1.21.0

1.23.0

1.23.1

1.23.2

1.23.3

1.23.4

1.23.5

1.23.6

1.24.0

2.*

2.0.0a0

2.0.0a1

2.0.0a2

2.0.0b0

2.0.0b1

2.0.0rc0

2.0.0rc1

2.0.0rc2

2.0.0rc3

2.0.0rc4

2.0.0rc5

2.0.0rc6

2.0.0rc7

2.0.0rc8

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.1.0

2.2.0

2.2.1

2.3.0

2.4.0

2.5.0

2.6.0

2.7.0

2.7.1

2.7.2

2.7.3

2.8.0

2.9.0

2.9.1

2.10.0

2.10.1

2.11.0

2.11.1

2.11.2

2.12.0

2.12.1

2.12.2

2.12.3

2.12.4

2.12.5

2.13.0

2.14.0

2.14.1

2.14.2

2.15.0

2.16.0

2.17.0

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/jupyter-server/PYSEC-2026-67.yaml"