Jupyter Notebook before 5.5.0 does not use a CSP header to treat served files as belonging to a separate origin. Thus, for example, an XSS payload can be placed in an SVG document.
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "python3-notebook": "5.2.2-1ubuntu0.1", "python-notebook-doc": "5.2.2-1ubuntu0.1", "python-notebook": "5.2.2-1ubuntu0.1", "jupyter-notebook": "5.2.2-1ubuntu0.1" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "python3-notebook": "5.7.8-1", "python-notebook-doc": "5.7.8-1", "python-notebook": "5.7.8-1", "jupyter-notebook": "5.7.8-1" } ] }