CVE-2026-33588

High

Published: 07 May 2026

Published

07 May 2026

Modified

07 May 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

EPSS Score 0.0006 19.2th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Lack of user input validation in the file upload functionality of Open Notebook v1.8.3 allows the application user to create or modify files on the docker container via path traversal.

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

PM-14 Testing, Training, and Monitoring

addresses: CWE-20

Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.

SA-11 Developer Testing and Evaluation

addresses: CWE-20

Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.

SI-10 Information Input Validation

addresses: CWE-20

Directly implements checks on information inputs to reject invalid data before processing.

SI-8 Spam Protection

addresses: CWE-20

Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.

Security SummaryAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-20 NVD-CWE-noinfo

Affected Products

lfnovo

open-notebook

≤ 1.8.4

References

https://github.com/lfnovo/open-notebook/security/advisories/GHSA-x4q2-89g5-594v
Vendor Advisory · a6d3dc9e-0591-4a13-bce7-0f5b31ff6158