CVE-2026-33588 PUBLISHED

Arbitrary File Write Through Path Traversal

Assigner: ENISA
Reserved: 23.03.2026 Published: 07.05.2026 Updated: 07.05.2026

Lack of user input validation in the file upload functionality of Open Notebook v1.8.3 allows the application user to create or modify files on the docker container via path traversal.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 7

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	None	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Open Notebook
Product	Open Notebook
Versions	Default: unaffected affected from 0 to 1.8.3 (incl.)

Credits

CERT-EU finder

References

https://github.com/lfnovo/open-notebook/security/advisories/GHSA-x4q2-89g5-594v

Problem Types

CWE-20 Improper input validation CWE

Impacts

CAPEC-126 Path Traversal
CAPEC-23 File Content Injection
CAPEC-75 Manipulating Writeable Configuration Files
CAPEC-650 Upload a Web Shell to a Web Server