{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/server-side/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["jupyter_server (\u003c= 2.19.0)"],"_cs_severities":["critical"],"_cs_tags":["xss","web-vulnerability","jupyter","server-side","rce"],"_cs_type":"advisory","_cs_vendors":["Jupyter"],"content_html":"\u003cp\u003eJupyter Server, versions up to 2.19.0, is affected by a critical stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2026-44727. This flaw resides in the \u003ccode\u003eNbconvertFileHandler\u003c/code\u003e and \u003ccode\u003eNbconvertPostHandler\u003c/code\u003e components, specifically due to a missing \u003ccode\u003esandbox\u003c/code\u003e directive in their Content-Security-Policy (CSP). This oversight allows user-authored Jupyter notebooks containing malicious HTML payloads within \u003ccode\u003edisplay_data\u003c/code\u003e output to be rendered without proper sanitization or isolation. An authenticated attacker can craft such a notebook and share it. When an unsuspecting, authenticated victim navigates to the malicious notebook's output via the \u003ccode\u003e/nbconvert/html/\u0026lt;path\u0026gt;\u003c/code\u003e endpoint, the embedded script executes within their browser under the Jupyter origin. This grants the attacker potential access to the victim's authentication tokens, leading to cookie exfiltration, and can be escalated to full \u003ccode\u003e/api/*\u003c/code\u003e authority and kernel Remote Code Execution (RCE) on the server. 
This vulnerability poses a significant risk to the integrity and confidentiality of data on affected Jupyter environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker Crafts Malicious Jupyter Notebook\u003c/strong\u003e: An authenticated attacker creates a Jupyter notebook containing a specially crafted HTML payload within a \u003ccode\u003edisplay_data\u003c/code\u003e output cell, embedding malicious JavaScript.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker Uploads/Shares Notebook\u003c/strong\u003e: The attacker uploads this malicious notebook to a vulnerable \u003ccode\u003ejupyter_server\u003c/code\u003e instance (versions up to 2.19.0) or shares it with potential victims.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVictim Accesses Server\u003c/strong\u003e: An authenticated victim logs into the \u003ccode\u003ejupyter_server\u003c/code\u003e instance.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTriggering XSS\u003c/strong\u003e: The victim navigates their browser to the malicious notebook's output view, which is rendered via the \u003ccode\u003e/nbconvert/html/\u0026lt;path\u0026gt;\u003c/code\u003e endpoint handled by \u003ccode\u003eNbconvertFileHandler\u003c/code\u003e or \u003ccode\u003eNbconvertPostHandler\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerable Rendering\u003c/strong\u003e: The \u003ccode\u003ejupyter_server\u003c/code\u003e renders the user-authored HTML content. 
Due to the missing \u003ccode\u003esandbox\u003c/code\u003e directive in the Content-Security-Policy, the malicious HTML is not isolated from the Jupyter origin and its scripts run with that origin's full privileges.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eClient-Side Execution\u003c/strong\u003e: The embedded malicious JavaScript executes within the victim's browser, operating under the same origin as the \u003ccode\u003ejupyter_server\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eToken Exfiltration\u003c/strong\u003e: The executing script accesses the victim's authentication tokens (e.g., cookies, session tokens) and exfiltrates them to an attacker-controlled domain. Even where the session cookie is marked \u003ccode\u003eHttpOnly\u003c/code\u003e and cannot be read by script, same-origin requests issued by the script carry it automatically, and the anti-CSRF token, which page script must be able to read by design, is available as well; the script can therefore act as the victim against the API without ever extracting the cookie.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eKernel RCE\u003c/strong\u003e: Leveraging the victim's authenticated session, the script uses full \u003ccode\u003e/api/*\u003c/code\u003e authority to start a kernel (or attach to an existing one) and execute code in it. Kernels run with the operating-system privileges of the user the server (or its spawner) launches them as, so this is arbitrary code execution on the host, not merely inside a notebook.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-44727 can lead to severe consequences for affected \u003ccode\u003ejupyter_server\u003c/code\u003e instances. An authenticated victim's session tokens, including cookies, can be exfiltrated to an attacker-controlled domain, compromising user accounts and sensitive data. Furthermore, the malicious script executing with full \u003ccode\u003e/api/*\u003c/code\u003e authority can be used to interact with the Jupyter environment, potentially achieving kernel Remote Code Execution (RCE). This allows an attacker to execute arbitrary commands on the server hosting the Jupyter kernel, leading to data theft, system compromise, or further network penetration. 
The vulnerability impacts any organization or individual using \u003ccode\u003ejupyter_server\u003c/code\u003e for data analysis, development, or educational purposes, especially in collaborative environments where users might share notebooks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch \u003ccode\u003ejupyter_server\u003c/code\u003e to version v2.20.0 or higher to address CVE-2026-44727.\u003c/li\u003e\n\u003cli\u003eFor deployments where patching is impractical, apply the workaround published with the advisory, which adds the Content-Security-Policy change to your \u003ccode\u003ejupyter_server_config.py\u003c/code\u003e file. Keep the \u003ccode\u003esandbox\u003c/code\u003e directive scoped to the nbconvert responses: applied to every response it would also sandbox the notebook UI itself.\u003c/li\u003e\n\u003cli\u003eAfter patching or applying the workaround, verify the fix by requesting a notebook through \u003ccode\u003e/nbconvert/html/\u0026lt;path\u0026gt;\u003c/code\u003e and confirming that the response carries a Content-Security-Policy header with a \u003ccode\u003esandbox\u003c/code\u003e directive and without an \u003ccode\u003eallow-same-origin\u003c/code\u003e token, which would hand the sandboxed content the Jupyter origin back.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules \u0026quot;Detects CVE-2026-44727 Exploitation — Jupyter \u003ccode\u003enbconvert\u003c/code\u003e HTML Handler Access\u0026quot; and \u0026quot;Detects CVE-2026-44727 Probing — Suspicious Characters in Jupyter \u003ccode\u003enbconvert\u003c/code\u003e Path\u0026quot; to your SIEM for monitoring.\u003c/li\u003e\n\u003cli\u003eEnsure \u003ccode\u003ewebserver\u003c/code\u003e logs are collected and ingested into your security monitoring platform to enable detection of these activities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T15:20:33Z","date_published":"2026-06-18T15:20:33Z","id":"https://feed.craftedsignal.io/briefs/2026-06-jupyter-server-xss/","summary":"A critical stored Cross-Site Scripting (XSS) vulnerability, CVE-2026-44727, exists in `jupyter_server` versions up to 2.19.0 due to a missing `sandbox` directive in Content-Security-Policy (CSP) headers, allowing authenticated attackers to craft malicious notebooks that exfiltrate victim tokens and achieve kernel Remote Code Execution (RCE) when viewed.","title":"Jupyter Server Stored XSS via Missing CSP Sandbox 
(CVE-2026-44727)","url":"https://feed.craftedsignal.io/briefs/2026-06-jupyter-server-xss/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["npm:praisonai (\u003e= 1.2.3, \u003c= 1.7.1)"],"_cs_severities":["high"],"_cs_tags":["command-injection","npm","nodejs","sandbox-bypass","vulnerability","rce","server-side"],"_cs_type":"advisory","_cs_vendors":["PraisonAI"],"content_html":"\u003cp\u003eThe \u003ccode\u003enpm:praisonai\u003c/code\u003e package, which provides \u0026quot;safe command execution with restrictions\u0026quot; via its \u003ccode\u003eSandboxExecutor\u003c/code\u003e and \u003ccode\u003eCommandValidator\u003c/code\u003e components, contains a high-severity command injection vulnerability affecting versions 1.2.3 through 1.7.1. The \u003ccode\u003eCommandValidator\u003c/code\u003e component incorrectly processes command strings when \u003ccode\u003eallowedCommands\u003c/code\u003e is configured: it only checks the first whitespace-delimited token for allowlisting, while the \u003ccode\u003eSandboxExecutor\u003c/code\u003e subsequently passes the entire, unmodified command string to \u003ccode\u003espawn(\u0026quot;sh\u0026quot;, [\u0026quot;-c\u0026quot;, command])\u003c/code\u003e. This discrepancy allows attackers to append arbitrary shell commands using metacharacters (e.g., \u003ccode\u003e;\u003c/code\u003e, \u003ccode\u003e\u0026amp;\u0026amp;\u003c/code\u003e, \u003ccode\u003e||\u003c/code\u003e) after an allowlisted initial command, bypassing the intended security controls. Because the full string reaches a shell, checking only the first token is not a meaningful control: pipes, redirections and command substitution are equally available to the attacker, not just the three separators listed. This allows for arbitrary code execution with the privileges of the PraisonAI process if lower-trust input (such as user prompts or model output) is processed by the vulnerable component. 
The vulnerability is present in \u003ccode\u003esrc/praisonai-ts/src/cli/features/sandbox-executor.ts\u003c/code\u003e and confirmed in distributed \u003ccode\u003enpm:praisonai@1.7.1\u003c/code\u003e files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious command string that begins with an allowlisted command (e.g., \u003ccode\u003eecho\u003c/code\u003e) followed by shell metacharacters and arbitrary commands (e.g., \u003ccode\u003eecho allowed; cat /tmp/marker\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThis malicious command string is supplied as input to an application, CLI tool, or agent pipeline that utilizes the \u003ccode\u003enpm:praisonai\u003c/code\u003e library's \u003ccode\u003eSandboxExecutor\u003c/code\u003e or \u003ccode\u003esandboxExec\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eCommandValidator\u003c/code\u003e component within \u003ccode\u003epraisonai\u003c/code\u003e receives the command string and checks its \u003ccode\u003eallowedCommands\u003c/code\u003e policy by extracting only the first whitespace-delimited token (e.g., \u003ccode\u003eecho\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eIf the first token matches an entry in the \u003ccode\u003eallowedCommands\u003c/code\u003e list, the \u003ccode\u003eCommandValidator\u003c/code\u003e incorrectly deems the entire command string valid and permits its execution.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eSandboxExecutor\u003c/code\u003e proceeds to invoke \u003ccode\u003espawn('sh', ['-c', malicious_command_string])\u003c/code\u003e, passing the full, unvalidated string directly to the system shell.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esh\u003c/code\u003e process interprets the shell metacharacter (e.g., \u003ccode\u003e;\u003c/code\u003e) as a command separator, executing both the initially allowlisted command and the subsequent arbitrary 
malicious commands (e.g., \u003ccode\u003ecat /tmp/marker\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary command execution with the privileges of the PraisonAI process, enabling actions such as reading or modifying files, invoking local tools, or causing denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of this vulnerability allows for arbitrary shell command execution within the context of the PraisonAI process. Depending on the privileges of the hosting application and the affected system, this can lead to severe consequences, including unauthorized access to sensitive data (confidentiality), modification or deletion of critical files (integrity), and disruption of service (availability). If the PraisonAI application handles lower-trust input, such as from user prompts or AI model outputs, the risk of compromise is significantly elevated. While the advisory notes a local-only proof-of-concept, the nature of the vulnerability means that any application exposing \u003ccode\u003eSandboxExecutor\u003c/code\u003e's functionality to external input could be at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003enpm:praisonai\u003c/code\u003e to a patched version once available. 
Monitor the official GitHub advisory GHSA-vjv9-7m7j-h833 for release information.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026quot;Detect Suspicious \u003ccode\u003esh -c\u003c/code\u003e Spawns by Node.js with Shell Chaining\u0026quot; to your SIEM system to identify attempts at exploiting this vulnerability. Expect it to also match legitimate tooling: Node.js package scripts and build tools routinely spawn \u003ccode\u003esh -c\u003c/code\u003e with \u003ccode\u003e\u0026amp;\u0026amp;\u003c/code\u003e chains, so baseline the rule on the hosts and processes that actually run PraisonAI before alerting on it.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive \u003ccode\u003eprocess_creation\u003c/code\u003e logging on all Linux systems running Node.js applications that might utilize \u003ccode\u003enpm:praisonai\u003c/code\u003e or similar command execution libraries.\u003c/li\u003e\n\u003cli\u003eReview applications using \u003ccode\u003enpm:praisonai\u003c/code\u003e versions \u0026gt;= 1.2.3, \u0026lt;= 1.7.1 to ensure that any input passed to \u003ccode\u003eSandboxExecutor\u003c/code\u003e or \u003ccode\u003esandboxExec\u003c/code\u003e is strictly validated and sanitized, avoiding shell metacharacters.\u003c/li\u003e\n\u003cli\u003eAs a temporary mitigation, if direct patching is not immediately feasible, enforce your own check at the application layer before any string reaches \u003ccode\u003enpm:praisonai\u003c/code\u003e functions: parse the command into an argument vector, compare the program name against the allowlist exactly, and reject (rather than strip or escape) anything containing shell syntax. Stripping and escaping are fragile because the shell's special characters go well beyond \u003ccode\u003e;\u003c/code\u003e, \u003ccode\u003e\u0026amp;\u0026amp;\u003c/code\u003e and \u003ccode\u003e||\u003c/code\u003e, and prompts and model output must be treated as untrusted input regardless.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T15:04:55Z","date_published":"2026-06-18T15:04:55Z","id":"https://feed.craftedsignal.io/briefs/2026-06-npm-praisonai-sandboxexecutor-bypass/","summary":"A high-severity command injection vulnerability exists in the `npm:praisonai` package versions \u003e= 1.2.3 and \u003c= 1.7.1, where the `SandboxExecutor`'s `allowedCommands` policy is bypassed by chaining arbitrary shell commands after an allowlisted command, leading to arbitrary command execution with the PraisonAI process privileges (remote wherever the input comes from a remote user or from model output).","title":"npm PraisonAI SandboxExecutor allowedCommands bypass via shell 
chaining","url":"https://feed.craftedsignal.io/briefs/2026-06-npm-praisonai-sandboxexecutor-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Server-Side","version":"https://jsonfeed.org/version/1.1"}
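Added example for the Jupyter Server brief above (CVE-2026-44727): the verification check a practitioner runs after patching or applying the workaround. The brief's fix is a `sandbox` directive in the Content-Security-Policy of the `/nbconvert/html/<path>` responses, so the check parses that header, requires a `sandbox` directive, and rejects a sandbox that carries `allow-same-origin`. This is editor-written example code, not jupyter_server code and not from the advisory; the sample policies are constructed, and the `Authorization: token <token>` header and the `probe_nbconvert_csp` helper's URL layout are assumptions for illustration.

```python
"""Verify that /nbconvert/html/<path> responses are isolated by a CSP sandbox.

Added example for the Jupyter Server brief (CVE-2026-44727); not jupyter_server
code.  The fix the brief describes is a ``sandbox`` directive in the
Content-Security-Policy of the nbconvert HTML handlers, so the check is:
parse the header, require a ``sandbox`` directive, and reject a sandbox that
hands the origin back with ``allow-same-origin``.
"""
import sys
import urllib.request
from typing import Optional

# Constructed sample policies (not captured from any server) covering the
# cases the check must distinguish.
SAMPLE_POLICIES = {
    "no sandbox": "frame-ancestors 'self'; report-uri /api/security/csp-report",
    "sandboxed": "frame-ancestors 'self'; report-uri /api/security/csp-report; sandbox allow-scripts",
    "sandbox defeated": "frame-ancestors 'self'; sandbox allow-scripts allow-same-origin",
    "bare sandbox": "sandbox",
    "header missing": None,
}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive name: [tokens]}.

    Directive names are case-insensitive and normalised to lower case; tokens
    are kept as written.  A bare directive such as ``sandbox`` maps to [].
    Browsers honour only the first occurrence of a repeated directive, so the
    first one wins here too.
    """
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def nbconvert_output_isolated(header: Optional[str]) -> tuple[bool, str]:
    """Judge one Content-Security-Policy value; returns (isolated, reason)."""
    if not header or not header.strip():
        return False, "no Content-Security-Policy header on the response"
    policy = parse_csp(header)
    if "sandbox" not in policy:
        return False, "no sandbox directive: notebook output runs in the Jupyter origin"
    flags = {flag.lower() for flag in policy["sandbox"]}
    if "allow-same-origin" in flags:
        return False, "sandbox carries allow-same-origin: scripts keep the Jupyter origin"
    return True, "sandbox present without allow-same-origin: scripts get an opaque origin"


def classify_samples() -> dict[str, bool]:
    """Run the check over the constructed policies above."""
    return {name: nbconvert_output_isolated(csp)[0] for name, csp in SAMPLE_POLICIES.items()}


def probe_nbconvert_csp(base_url: str, nb_path: str, token: str) -> tuple[bool, str]:
    """Fetch one notebook through the nbconvert HTML endpoint and judge its CSP.

    Assumptions not taken from the brief: the server accepts an
    ``Authorization: token <token>`` header and ``nb_path`` is relative to the
    server root.  Only the response headers matter; the body is not rendered.
    """
    url = f"{base_url.rstrip('/')}/nbconvert/html/{nb_path.lstrip('/')}"
    req = urllib.request.Request(url, headers={"Authorization": f"token {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return nbconvert_output_isolated(resp.headers.get("Content-Security-Policy"))


if __name__ == "__main__":
    # Usage: python check_nbconvert_csp.py http://localhost:8888 work/demo.ipynb <token>
    base, path, tok = sys.argv[1:4]
    isolated, reason = probe_nbconvert_csp(base, path, tok)
    print(("ISOLATED: " if isolated else "EXPOSED: ") + reason)
    sys.exit(0 if isolated else 1)
```

Run it against a notebook you own on the patched server; an `EXPOSED` verdict on the nbconvert endpoint means the workaround did not reach the handler that matters. The `allow-same-origin` rejection is deliberate: a sandbox that keeps the Jupyter origin still lets output scripts call `/api/*` as the victim.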
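Added example for the PraisonAI brief above: a Python re-creation, written for this page and not PraisonAI's own TypeScript, of the first-token allowlist check the brief describes, beside a hardened replacement. `first_token_allowed` mirrors comparing only the first whitespace-delimited token against `allowedCommands`, `vulnerable_argv` mirrors handing the untouched string to `spawn("sh", ["-c", command])` (here `subprocess.run(["sh", "-c", ...])`), and `hardened_argv` shows the shape of a fix: parse into an argument vector, allowlist the whole program name exactly, refuse shell syntax, and never invoke a shell. The `SHELL_METACHARACTERS` set and the sample commands are assumptions chosen for illustration.

```python
"""Why a first-token allowlist in front of ``sh -c`` is no control at all.

Added example for the PraisonAI brief; not PraisonAI code.  Python stands in
for the library's TypeScript: ``subprocess.run(["sh", "-c", cmd])`` is the
equivalent of ``spawn("sh", ["-c", cmd])``.
"""
import shlex
import subprocess

# Characters that have meaning to sh (an illustrative set, not exhaustive).
# Parsing with shlex already removes the shell from the execution path; this
# list is defence in depth so that an allowlisted program never sees them
# either (e.g. a later `find -exec`).
SHELL_METACHARACTERS = set(";&|$`<>()\n")


def first_token_allowed(command: str, allowed: set[str]) -> bool:
    """The flawed check: looks only at the first whitespace-delimited token."""
    parts = command.split()
    return bool(parts) and parts[0] in allowed


def vulnerable_argv(command: str, allowed: set[str]) -> list[str]:
    """What the vulnerable path executes once the flawed check passes."""
    if not first_token_allowed(command, allowed):
        raise PermissionError(f"command not allowed: {command!r}")
    # The whole string, metacharacters included, goes to a shell.
    return ["sh", "-c", command]


def hardened_argv(command: str, allowed: set[str]) -> list[str]:
    """Parse to argv, allowlist argv[0] exactly, reject shell syntax."""
    try:
        argv = shlex.split(command)
    except ValueError as exc:  # unbalanced quotes and similar
        raise PermissionError(f"unparseable command: {exc}") from exc
    if not argv:
        raise PermissionError("empty command")
    if argv[0] not in allowed:  # exact match: no '/bin/sh', no './echo'
        raise PermissionError(f"program not allowed: {argv[0]!r}")
    for token in argv:
        if SHELL_METACHARACTERS & set(token):
            raise PermissionError(f"shell syntax rejected in {token!r}")
    return argv  # to be executed with subprocess.run(argv): no shell involved


def hardened_allows(command: str, allowed: set[str]) -> bool:
    """True if the hardened check would execute the command."""
    try:
        hardened_argv(command, allowed)
        return True
    except PermissionError:
        return False


def run(argv: list[str]) -> str:
    """Execute an argument vector directly (no shell) and return its stdout."""
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    policy = {"echo"}
    # Constructed input in the shape the brief describes: an allowlisted
    # command followed by a chained one (benign here).
    payload = "echo allowed; echo INJECTED"
    print("flawed check passes:", first_token_allowed(payload, policy))
    print("vulnerable path output:", run(vulnerable_argv(payload, policy)))
    try:
        hardened_argv(payload, policy)
    except PermissionError as exc:
        print("hardened path:", exc)
    print("hardened path output:", run(hardened_argv("echo allowed", policy)))
```

The hardened variant errs on the side of refusal: `echo 'a;b'` is rejected even though `shlex` would have made the semicolon a literal argument, because the allowlisted program itself may interpret its arguments. If that is too strict for a given tool, relax the metacharacter check per program rather than reintroducing a shell.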