CVE-2026-28201

Summary

An improper input validation, together with an overly permissive default CORS configuration in Open Notebook v1.8.1 allows remote attacker to trick a legitimate user to alter or delete arbitrary database entries via specially crafted malicious URL. Depending on the deployment, data exfiltration is also possible.

Affected Software

VendorProductVersion RangeStatus
Open NotebookOpen Notebook0 <= 1.8.2affected

Weaknesses

  • CWE-20: CWE-20 Improper input validation
  • CWE-917: CWE-917 Improper neutralization of special elements used in an expression language statement ('expression language injection')
  • CWE-352: CWE-352 Cross-Site request forgery (CSRF)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References