Vulnerability Details CVE-2026-28201
An improper input validation, together with an overly permissive default CORS configuration in Open Notebook v1.8.1 allows remote attacker to trick a legitimate user to alter or delete arbitrary database entries via specially crafted malicious URL. Depending on the deployment, data exfiltration is also possible.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 19.2%
CVSS Severity
CVSS v3 Score 7.8
Products affected by CVE-2026-28201
-
cpe:2.3:a:lfnovo:open-notebook:0.0.1
-
cpe:2.3:a:lfnovo:open-notebook:0.0.10
-
cpe:2.3:a:lfnovo:open-notebook:0.0.2
-
cpe:2.3:a:lfnovo:open-notebook:0.0.3
-
cpe:2.3:a:lfnovo:open-notebook:0.0.4
-
cpe:2.3:a:lfnovo:open-notebook:0.0.5
-
cpe:2.3:a:lfnovo:open-notebook:0.0.6
-
cpe:2.3:a:lfnovo:open-notebook:0.0.7
-
cpe:2.3:a:lfnovo:open-notebook:0.0.8
-
cpe:2.3:a:lfnovo:open-notebook:0.0.9
-
cpe:2.3:a:lfnovo:open-notebook:0.1.0
-
cpe:2.3:a:lfnovo:open-notebook:0.1.1
-
cpe:2.3:a:lfnovo:open-notebook:0.2.0
-
cpe:2.3:a:lfnovo:open-notebook:0.2.2
-
cpe:2.3:a:lfnovo:open-notebook:0.3.0
-
cpe:2.3:a:lfnovo:open-notebook:0.3.1
-
cpe:2.3:a:lfnovo:open-notebook:0.3.2
-
cpe:2.3:a:lfnovo:open-notebook:1.0.1
-
cpe:2.3:a:lfnovo:open-notebook:1.0.8
-
cpe:2.3:a:lfnovo:open-notebook:1.1.0
-
cpe:2.3:a:lfnovo:open-notebook:1.2.0
-
cpe:2.3:a:lfnovo:open-notebook:1.2.4
-
cpe:2.3:a:lfnovo:open-notebook:1.3.0
-
cpe:2.3:a:lfnovo:open-notebook:1.3.1
-
cpe:2.3:a:lfnovo:open-notebook:1.4.0
-
cpe:2.3:a:lfnovo:open-notebook:1.5.0
-
cpe:2.3:a:lfnovo:open-notebook:1.6.2
-
cpe:2.3:a:lfnovo:open-notebook:1.7.0
-
cpe:2.3:a:lfnovo:open-notebook:1.7.1
-
cpe:2.3:a:lfnovo:open-notebook:1.7.2
-
cpe:2.3:a:lfnovo:open-notebook:1.7.3
-
cpe:2.3:a:lfnovo:open-notebook:1.7.4
-
cpe:2.3:a:lfnovo:open-notebook:1.8.0
-
cpe:2.3:a:lfnovo:open-notebook:1.8.1
-
cpe:2.3:a:lfnovo:open-notebook:1.8.2