CVE-2026-28201 | THREATINT

Description

An improper input validation, together with an overly permissive default CORS configuration in Open Notebook v1.8.1 allows remote attacker to trick a legitimate user to alter or delete arbitrary database entries via specially crafted malicious URL. Depending on the deployment, data exfiltration is also possible.

PUBLISHED Reserved 2026-02-25 | Published 2026-05-07 | Updated 2026-05-07 | Assigner ENISA

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-20 Improper input validation

CWE-917 Improper neutralization of special elements used in an expression language statement ('expression language injection')

CWE-352 Cross-Site request forgery (CSRF)

Product status

Default status

unaffected

Any version

affected

Credits

CERT-EU finder

References

github.com/...tebook/security/advisories/GHSA-5wj9-f8q5-8f9c vendor-advisory

cve.org (CVE-2026-28201)

nvd.nist.gov (CVE-2026-28201)

Download JSON