PatchSiren

Jupyter CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH Jupyter CVE published 2026-05-05

CVE-2026-40934

CVE-2026-40934 is a session-revocation weakness in Jupyter Server versions 2.17.0 and earlier. The secret used to sign authentication cookies is stored in a static runtime file and is not rotated when a user changes their password, so a cookie issued before the reset keeps verifying afterwards, and it survives a server restart because the restarted process reads the same secret back from that file. Changing the password therefore does not revoke existing sessions. The issue is fixed in Jupyter Server 2.18.0.
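The mechanism behind this class of bug, as an added illustration that is not Jupyter Server's code and does not reproduce its actual cookie format or fix: a toy server keeps an HMAC-signing secret in a runtime file, and a login cookie is checked against whatever secret that file holds. With a static secret the pre-reset cookie still authenticates after a password change and a simulated restart; with rotation on password change it does not. The `ToyServer` class, the `rotate_on_password_change` switch and the cookie layout are constructed for the demonstration; the project's own remediation is not described on this page.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import tempfile
from pathlib import Path
from typing import Optional


def sign_cookie(secret: bytes, username: str) -> str:
    """Constructed cookie format: base64(username) '.' base64(HMAC-SHA256(secret, username))."""
    payload = username.encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode()
            + "." + base64.urlsafe_b64encode(mac).decode())


def verify_cookie(secret: bytes, cookie: str) -> Optional[str]:
    """Return the username if the cookie's MAC verifies under `secret`, otherwise None."""
    try:
        enc_payload, enc_mac = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(enc_payload)
        mac = base64.urlsafe_b64decode(enc_mac)
    except (ValueError, binascii.Error):
        return None  # malformed cookie
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    return payload.decode() if hmac.compare_digest(mac, expected) else None


class ToyServer:
    """Hypothetical server that keeps its cookie-signing secret in a runtime file."""

    def __init__(self, runtime_dir: Path, rotate_on_password_change: bool):
        self.secret_file = runtime_dir / "cookie_secret"
        self.rotate = rotate_on_password_change
        if not self.secret_file.exists():
            self._write_new_secret()
        # A restart re-reads the same file, so the secret outlives the process.
        self.secret = self.secret_file.read_bytes()

    def _write_new_secret(self) -> None:
        self.secret_file.write_bytes(secrets.token_bytes(32))

    def login(self, username: str) -> str:
        return sign_cookie(self.secret, username)

    def change_password(self, username: str) -> None:
        # Password storage is out of scope; only the secret-rotation side effect is modelled.
        if self.rotate:
            self._write_new_secret()
            self.secret = self.secret_file.read_bytes()

    def authenticate(self, cookie: str) -> Optional[str]:
        return verify_cookie(self.secret, cookie)


def old_cookie_survives(rotate_on_password_change: bool) -> bool:
    """Login, change the password, restart; report whether the pre-reset cookie still works."""
    with tempfile.TemporaryDirectory() as d:
        runtime_dir = Path(d)
        server = ToyServer(runtime_dir, rotate_on_password_change)
        old_cookie = server.login("alice")
        server.change_password("alice")
        restarted = ToyServer(runtime_dir, rotate_on_password_change)  # simulated restart
        return restarted.authenticate(old_cookie) == "alice"


if __name__ == "__main__":
    print("static secret, old cookie still valid after reset+restart:", old_cookie_survives(False))
    print("rotated secret, old cookie still valid after reset+restart:", old_cookie_survives(True))
```

Rotating a single server-wide secret, as the toy does, invalidates every user's cookie at once; a real multi-user deployment would more likely bind sessions to a per-user value or a server-side session store so that one user's reset revokes only that user's sessions. The point the example makes is only that signature validity and password validity are independent unless something ties them together.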

HIGH Jupyter CVE published 2026-05-05

CVE-2026-40110

CVE-2026-40110 is a Jupyter Server origin-validation flaw that can let an attacker bypass CORS restrictions when allow_origin_pat is used. The issue exists in Jupyter Server 2.17.0 and earlier because the Origin header check uses Python's re.match(), which anchors only at the start of the string and accepts any trailing text, where re.fullmatch() would require the entire Origin value to match the pattern. As a result, a pattern meant to allow trusted.example.com can also match attac [truncated]
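The prefix-match problem in isolation, as an added example that is not Jupyter Server's code: the same pattern is applied with re.match() (the behaviour described for the vulnerable versions) and with re.fullmatch() (a full-string check) to a set of constructed Origin values. The pattern string, the attacker-controlled host `evil.test` and the `cors_allow_origin_header` helper are assumptions made for the demonstration, not values from the advisory.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# allow_origin_pat value an operator might set, intending to allow exactly
# https://trusted.example.com (constructed for this example).
ALLOW_ORIGIN_PAT = r"https://trusted\.example\.com"


def origin_allowed_prefix(origin: str, pattern: str = ALLOW_ORIGIN_PAT) -> bool:
    """Check as described for the vulnerable versions: re.match() anchors only at the start."""
    return re.match(pattern, origin) is not None


def origin_allowed_full(origin: str, pattern: str = ALLOW_ORIGIN_PAT) -> bool:
    """Hardened check: re.fullmatch() requires the whole Origin value to match."""
    return re.fullmatch(pattern, origin) is not None


def cors_allow_origin_header(origin: str, check: Callable[[str], bool]) -> Optional[str]:
    """Value a server would echo in Access-Control-Allow-Origin, or None to refuse the origin."""
    return origin if check(origin) else None


# Constructed Origin header values; evil.test stands in for an attacker-registered domain.
ORIGINS: List[str] = [
    "https://trusted.example.com",                      # the intended origin
    "https://trusted.example.com.evil.test",            # attacker host whose name starts with the trusted one
    "https://trusted.example.com:8443",                 # trusted host on an unexpected port
    "https://evil.test/?u=https://trusted.example.com", # trusted name present but not at the start
]


def compare(origins: List[str] = ORIGINS) -> Dict[str, Tuple[bool, bool]]:
    """Map each origin to (result with re.match, result with re.fullmatch)."""
    return {o: (origin_allowed_prefix(o), origin_allowed_full(o)) for o in origins}


if __name__ == "__main__":
    for origin, (prefix_ok, full_ok) in compare().items():
        print(f"{origin:55} re.match={str(prefix_ok):5} re.fullmatch={full_ok}")
```

Only the first origin passes the full-string check; the second and third pass the prefix check because re.match() stops caring once the pattern is consumed. Two caveats when writing such a pattern: escape the dots, since an unescaped `.` in `trusted.example.com` matches any character even under re.fullmatch(), and include the scheme and, where relevant, the port, since an Origin value carries both.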