Impact
The vulnerability arises from a missing sandbox directive in the Content-Security-Policy header set by the nbconvert HTTP handlers in Jupyter Server. nbconvert's HTMLExporter renders notebook HTML without sanitizing user-provided content, so malicious HTML placed in a display_data output is stored in the notebook file and emitted verbatim when the notebook is converted. Because the rendered page is served from the Jupyter Server origin without sandboxing, the payload executes as stored XSS with that origin's authority: it can read the user's session cookie, call any /api/* endpoint, and ultimately execute code in the kernel. This is a stored XSS (the payload lives in the notebook file rather than in a request parameter), classified as CWE-79 (Cross-Site Scripting) and CWE-1021 (Improper Restriction of Rendered UI Layers or Frames).
Affected Systems
The affected product is Jupyter Server (jupyter_server). All releases older than 2.20 are vulnerable; 2.20 and later carry the fix. The nbconvertFileHandler and nbconvertPostHandler endpoints are the specific entry points that render and serve notebook content, and therefore the places where malicious output reaches the browser.
Risk and Exploitability
The CVSS score of 9.3 places this issue in the critical range. No EPSS score is available, so the current exploitation likelihood cannot be quantified. The vulnerability is not listed in CISA KEV, which means no confirmed in-the-wild exploitation has been reported there; it is not evidence that the issue is unexploited. The attack requires an attacker to get a notebook containing malicious HTML output onto the server (for example by uploading it or sharing it with the victim) and then have the victim open it through the nbconvert HTML endpoint. Once the payload runs, the attacker holds the session cookie, full /api/* access, and kernel execution privileges. Because the same script can read the cookie and call the API, the full chain completes in a single page load once the notebook is delivered, which makes the issue significant for any deployment that accepts notebooks from untrusted sources.
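The two checks a practitioner wants for the mechanism described in the Impact section and the attack chain above are (a) finding notebooks whose rich outputs carry active HTML before they are rendered, and (b) confirming that a server's nbconvert HTML responses actually isolate that HTML. The following is an added example, not code from Jupyter Server or nbconvert. The notebook document is constructed inline for illustration; the three header sets are assumed examples of what a vulnerable response, a correct fix, and a mistaken fix might look like, not captured from a real server. A `sandbox` directive without `allow-same-origin` gives the rendered document an opaque origin, so even if `allow-scripts` lets the payload run, it cannot read the session cookie or send credentialed requests to /api/*.

```python
"""Triage helpers for the nbconvert stored-XSS issue (added example, not
project code). Notebook and HTTP headers below are constructed/assumed."""
import re

# Constructed notebook: one code cell whose display_data output carries
# attacker-controlled HTML. The onerror handler stands in for the
# cookie-theft / API-call payload the advisory describes; nothing here
# executes it.
MALICIOUS_NOTEBOOK = {
    "nbformat": 4,
    "nbformat_minor": 5,
    "metadata": {},
    "cells": [
        {"cell_type": "markdown", "metadata": {}, "source": ["# harmless"]},
        {
            "cell_type": "code",
            "execution_count": 1,
            "metadata": {},
            "source": ["display(HTML(payload))"],
            "outputs": [
                {
                    "output_type": "display_data",
                    "metadata": {},
                    "data": {
                        "text/plain": ["<IPython.core.display.HTML object>"],
                        "text/html": [
                            "<img src=x onerror=\"fetch('/api/contents',",
                            "{credentials:'include'}).then(r=>r.text()).then(alert)\">",
                        ],
                    },
                }
            ],
        },
    ],
}

# Markers that let an HTML output run script when rendered unsanitized.
ACTIVE_HTML = re.compile(
    r"<\s*script\b|<\s*iframe\b|<\s*object\b|<\s*embed\b|\bon[a-z]+\s*=|javascript:",
    re.IGNORECASE,
)


def _mime_text(value):
    # nbformat stores MIME-bundle text either as one str or a list of lines.
    return "".join(value) if isinstance(value, list) else str(value)


def find_active_html_outputs(nb):
    """Return (cell_index, output_index, matched_marker) for every rich
    output whose text/html would execute script in the rendering page."""
    hits = []
    for ci, cell in enumerate(nb.get("cells", [])):
        if cell.get("cell_type") != "code":
            continue
        for oi, out in enumerate(cell.get("outputs", [])):
            if out.get("output_type") not in ("display_data", "execute_result"):
                continue
            html = out.get("data", {}).get("text/html")
            if html is None:
                continue
            m = ACTIVE_HTML.search(_mime_text(html))
            if m:
                hits.append((ci, oi, m.group(0)))
    return hits


def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [tokens]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def response_isolates_notebook_html(headers):
    """True if the CSP sandboxes the rendered document into an opaque origin,
    i.e. `sandbox` is present and does not re-grant `allow-same-origin`."""
    csp = next((v for k, v in headers.items()
                if k.lower() == "content-security-policy"), None)
    if csp is None:
        return False
    policy = parse_csp(csp)
    if "sandbox" not in policy:
        return False
    return "allow-same-origin" not in policy["sandbox"]


# Assumed header sets for illustration (not captured from a real server).
VULNERABLE_HEADERS = {"Content-Type": "text/html"}
HARDENED_HEADERS = {"Content-Type": "text/html",
                    "Content-Security-Policy": "sandbox allow-scripts"}
BAD_FIX_HEADERS = {"Content-Type": "text/html",
                   "Content-Security-Policy": "sandbox allow-scripts allow-same-origin"}

if __name__ == "__main__":
    for hit in find_active_html_outputs(MALICIOUS_NOTEBOOK):
        print("active HTML in cell %d output %d: %r" % hit)
    for name, hdrs in (("vulnerable", VULNERABLE_HEADERS),
                       ("hardened", HARDENED_HEADERS),
                       ("bad fix", BAD_FIX_HEADERS)):
        print(name, "isolates rendered HTML:", response_isolates_notebook_html(hdrs))
```

The output scanner is a triage aid, not a sanitizer: a notebook it flags should be treated as untrusted rather than rewritten, and a notebook it does not flag may still carry HTML the regex does not recognise. The header check is the one to run against a patched server with a real HTTP client, since the `allow-same-origin` case shows how a sandbox directive can be present yet provide no protection.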
OpenCVE Enrichment
Github GHSA