nbconvert is vulnerable to cross-site scripting (XSS). The vulnerability is due to multiple instances where a Jupyter notebook can inject unescaped HTML through its metadata when it is exported as HTML. An attacker in control of a notebook can inject arbitrary JavaScript that will be executed when a user visits the exported notebook.
github.com/jupyter/nbconvert/commit/5d2c5e2b79534c11678b73e707feb74d7827a557#diff-5d5d0e216c4c7e2bdbdce10cc1bac7804d432ee61e1643be8f880cd422d14cd0R141
github.com/jupyter/nbconvert/releases/tag/6.3.0
github.com/jupyter/nbconvert/security/advisories/GHSA-9jmq-rx5f-8jwq
github.com/jupyter/nbviewer/security/advisories/GHSA-h274-fcvj-h2wm
lists.debian.org/debian-lts-announce/2023/06/msg00003.html
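
A pre-export check for the metadata issue described above, as an added example (not nbconvert's code or its fix): it walks notebook-level, cell-level and output-level metadata of an nbformat 4 notebook and reports string values containing HTML-significant characters, next to their escaped form. The function names and the sample notebook are constructed for illustration; the page does not name the affected metadata fields, so the check assumes any of them may reach the export.

```python
import html

# Characters that change meaning when written into HTML text or attribute values.
HTML_SIGNIFICANT = set("<>&\"'")


def iter_metadata_strings(value, path):
    """Yield (path, string) for every string value nested under a metadata object."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, child in value.items():
            yield from iter_metadata_strings(child, f"{path}.{key}")
    elif isinstance(value, list):
        for i, child in enumerate(value):
            yield from iter_metadata_strings(child, f"{path}[{i}]")


def audit_notebook(nb):
    """Return [(path, raw, escaped)] for metadata strings that would need escaping."""
    sources = [("metadata", nb.get("metadata", {}))]
    for i, cell in enumerate(nb.get("cells", [])):
        sources.append((f"cells[{i}].metadata", cell.get("metadata", {})))
        for j, out in enumerate(cell.get("outputs", [])):
            sources.append((f"cells[{i}].outputs[{j}].metadata", out.get("metadata", {})))
    findings = []
    for path, meta in sources:
        for where, text in iter_metadata_strings(meta, path):
            if HTML_SIGNIFICANT & set(text):
                findings.append((where, text, html.escape(text, quote=True)))
    return findings


# Constructed sample notebook (already parsed from JSON); the markup is harmless.
SAMPLE = {
    "nbformat": 4, "nbformat_minor": 5,
    "metadata": {"title": "<b>Q3</b> report",
                 "kernelspec": {"display_name": "Python 3", "name": "python3"}},
    "cells": [{
        "cell_type": "code", "source": "1 + 1",
        "metadata": {"tags": ["plain", 'x" data-probe="1']},
        "outputs": [{"output_type": "display_data", "data": {},
                     "metadata": {"image/png": {"width": 10}}}],
    }],
}

if __name__ == "__main__":
    for where, raw, escaped in audit_notebook(SAMPLE):
        print(f"{where}: {raw!r} -> {escaped!r}")
```

A finding marks a field to review before publishing an export of an untrusted notebook; legitimate metadata can also contain these characters.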