CVE-2021-39160

GHSA-mq5p-2mcr-m52j HIGH
Published August 30, 2021

### Impact

Due to an unsanitized input, visiting maliciously crafted links could result in arbitrary code execution in the user environment.

### Patches

0.10.2

### Workarounds

None, other than...

Full analysis pending. Showing NVD description excerpt.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
| --- | --- | --- | --- |
| nbgitpuller | pip | >= 0.9.0, <= 0.10.1 | 0.10.2 |


Severity & Risk

* CVSS 3.1: 8.8 / 10
* EPSS: 0.8% chance of exploitation in 30 days
* KEV Status: Not in KEV
* Sophistication: N/A

Recommended Action

Patch available

Update nbgitpuller to version 0.10.2


Technical Details

NVD Description

### Impact

Due to an unsanitized input, visiting maliciously crafted links could result in arbitrary code execution in the user environment.

### Patches

0.10.2

### Workarounds

None, other than upgrade to 0.10.2 or downgrade to 0.8.x.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [nbgitpuller](https://github.com/jupyterhub/nbgitpuller/issues)
* Email our security team at [security@ipython.org](mailto:security@ipython.org)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

* Published: August 30, 2021
* Last Modified: October 3, 2024
* First Seen: March 24, 2026