CVE-2026-28201

EUVD-2026-28345
An improper input validation, together with an overly permissive default CORS configuration in Open Notebook v1.8.1 allows remote attacker to trick a legitimate user to alter or delete arbitrary database entries via specially crafted malicious URL. Depending on the deployment, data exfiltration is also possible.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 14%
Affected Products (NVD)
VendorProductVersion
lfnovoopen-notebook
𝑥
< 1.8.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/lfnovo/open-notebook/security/advisories/GHSA-5wj9-f8q5-8f9c