Nautobot is a Network Source of Truth and Network Automation Platform built as a web application All users of Nautobot versions earlier than 1.6.6 or 2.0.5 are potentially affected by a cross-site scripting vulnerability. Due to incorrect usage of Django's mark_safe() API when rendering certain types of user-authored content; including custom links, job buttons, and computed fields; it is possible that users with permission to create or edit these types of content could craft a malicious payload (such as JavaScript code) that would be executed when rendering pages containing this content. The maintainers have fixed the incorrect uses of mark_safe() (generally by replacing them with appropriate use of format_html() instead) to prevent such malicious data from being executed. Users on Nautobot 1.6.x LTM should upgrade to v1.6.6 and users on Nautobot 2.0.x should upgrade to v2.0.5. Appropriate object permissions can and should be applied to restrict which users are permitted to create or edit the aforementioned types of user-authored content. Other than that, there is no direct workaround available.
CVE-2023-48705
This high-severity CVE scores 7.1 under NVD CVSS v3. EPSS exploit probability: 0.3%, top 47% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- Lower severity and no public exploit yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 5.4
- EG Score
- 7.1(medium)
- EPSS
- 41.8%
- KEV
- Not listed
Published
November 22, 2023
Last Modified
June 17, 2026
References (14)
- security-advisories@githubhttps://docs.djangoproject.com/en/3.2/ref/utils/#django.utils.html.format_html
- security-advisories@githubhttps://docs.djangoproject.com/en/3.2/ref/utils/#django.utils.safestring.mark_safe
- security-advisories@githubhttps://github.com/nautobot/nautobot/commit/362850f5a94689a4c75e3188bf6de826c3b012b2
- security-advisories@githubhttps://github.com/nautobot/nautobot/commit/54abe23331b6c3d0d82bf1b028c679b1d200920d
- security-advisories@githubhttps://github.com/nautobot/nautobot/pull/4832
- security-advisories@githubhttps://github.com/nautobot/nautobot/pull/4833
- security-advisories@githubhttps://github.com/nautobot/nautobot/security/advisories/GHSA-cf9f-wmhp-v4pr
- af854a3a-2127-422b-91ae-364da2661108https://docs.djangoproject.com/en/3.2/ref/utils/#django.utils.html.format_html
- af854a3a-2127-422b-91ae-364da2661108https://docs.djangoproject.com/en/3.2/ref/utils/#django.utils.safestring.mark_safe
- af854a3a-2127-422b-91ae-364da2661108https://github.com/nautobot/nautobot/commit/362850f5a94689a4c75e3188bf6de826c3b012b2
- af854a3a-2127-422b-91ae-364da2661108https://github.com/nautobot/nautobot/commit/54abe23331b6c3d0d82bf1b028c679b1d200920d
- af854a3a-2127-422b-91ae-364da2661108https://github.com/nautobot/nautobot/pull/4832
- af854a3a-2127-422b-91ae-364da2661108https://github.com/nautobot/nautobot/pull/4833
- af854a3a-2127-422b-91ae-364da2661108https://github.com/nautobot/nautobot/security/advisories/GHSA-cf9f-wmhp-v4pr
Affected Packages
(1 across 1 ecosystem)
PyPI(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| nautobot | 1.0.0 ... 2.0.4 (86 versions) | 1.6.6 | — |
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 9× in last 7d / 46× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-11 08:26 UTCEPSS rescore
- 2026-07-09 19:08 UTCEPSS rescore
- 2026-07-08 15:13 UTCEPSS rescore
- 2026-07-07 13:44 UTCEPSS rescore
- 2026-07-07 13:44 UTCEPSS rescore
- 2026-07-06 16:26 UTCEPSS rescore
- 2026-07-06 16:26 UTCEPSS rescore
- 2026-07-06 02:22 UTCEPSS rescore
- 2026-07-05 02:29 UTCEPSS rescore
- 2026-07-04 06:29 UTCEPSS rescore
- 2026-07-04 06:29 UTCEPSS rescore
- 2026-07-02 16:59 UTCEPSS rescore
- 2026-07-01 15:05 UTCEPSS rescore
- 2026-06-30 23:21 UTCEPSS rescore
- 2026-06-30 23:21 UTCEPSS rescore
- 2026-06-29 14:05 UTCEPSS rescore
- 2026-06-28 14:06 UTCEPSS rescore
- 2026-06-28 14:06 UTCEPSS rescore
- 2026-06-28 04:55 UTCEPSS rescore
- 2026-06-27 04:04 UTCOSV refresh
- 2026-06-27 03:07 UTCEPSS rescore
- 2026-06-25 13:48 UTCEPSS rescore
- 2026-06-25 13:48 UTCEPSS rescore
- 2026-06-24 14:04 UTCEPSS rescore
- 2026-06-24 14:04 UTCEPSS rescore
Show 57 moreShow fewer
- 2026-06-24 06:31 UTCNVD updateCVSS v3 → 5.4 · severity → MEDIUM
- 2026-06-23 21:31 UTCEPSS rescore
- 2026-06-23 21:31 UTCEPSS rescore
- 2026-06-22 14:24 UTCEPSS rescore
- 2026-06-22 14:24 UTCEPSS rescore
- 2026-06-21 14:55 UTCEPSS rescore
- 2026-06-21 14:55 UTCEPSS rescore
- 2026-06-21 01:58 UTCEPSS rescore
- 2026-06-21 01:58 UTCEPSS rescore
- 2026-06-19 19:24 UTCEPSS rescore
- 2026-06-19 19:24 UTCEPSS rescore
- 2026-06-18 17:51 UTCEPSS rescore
- 2026-06-17 17:51 UTCEPSS rescore
- 2026-06-16 17:51 UTCEPSS rescore
- 2026-06-16 17:51 UTCEPSS rescore
- 2026-06-15 17:47 UTCEPSS rescore
- 2026-06-14 23:16 UTCEPSS rescore
- 2026-06-13 22:59 UTCEPSS rescore
- 2026-06-13 22:59 UTCEPSS rescore
- 2026-06-12 23:11 UTCEPSS rescore
- 2026-06-12 23:10 UTCEPSS rescore
- 2026-06-11 13:59 UTCEPSS rescore
- 2026-06-10 22:17 UTCEPSS rescore
- 2026-06-10 13:21 UTCEPSS rescore
- 2026-06-09 14:47 UTCOSV refresh
- 2026-06-08 14:16 UTCEPSS rescore
- 2026-06-08 14:16 UTCEPSS rescore
- 2026-06-07 15:24 UTCEPSS rescore
- 2026-06-07 15:23 UTCEPSS rescore
- 2026-06-06 13:46 UTCEPSS rescore
- 2026-06-06 13:46 UTCEPSS rescore
- 2026-06-05 22:46 UTCEPSS rescore
- 2026-06-05 22:46 UTCEPSS rescore
- 2026-06-05 06:09 UTCEPSS rescore
- 2026-06-05 06:09 UTCEPSS rescore
- 2026-06-05 06:09 UTCEPSS rescore
- 2026-06-04 13:11 UTCEPSS rescore
- 2026-06-04 13:11 UTCEPSS rescore
- 2026-06-04 13:11 UTCEPSS rescore
- 2026-06-02 20:12 UTCEPSS rescore
- 2026-06-02 20:12 UTCEPSS rescore
- 2026-06-01 13:51 UTCEPSS rescore
- 2026-06-01 13:51 UTCEPSS rescore
- 2026-05-31 22:30 UTCEPSS rescore
- 2026-05-31 22:30 UTCEPSS rescore
- 2026-05-31 00:15 UTCEPSS rescore
- 2026-05-31 00:15 UTCEPSS rescore
- 2026-05-29 13:43 UTCEPSS rescore
- 2026-05-28 13:44 UTCEPSS rescore
- 2026-05-27 13:39 UTCEPSS rescore
- 2026-05-27 13:39 UTCEPSS rescore
- 2026-05-26 13:43 UTCEPSS rescore
- 2026-05-26 13:43 UTCEPSS rescore
- 2026-05-26 07:18 UTCEPSS rescore
- 2026-05-26 07:18 UTCEPSS rescore
- 2026-05-26 07:18 UTCEPSS rescore
- 2026-05-24 13:27 UTCEG score recompute
Related CVEs(same CWE)
Frequently asked(5)
What is CVE-2023-48705?
When was CVE-2023-48705 disclosed?
Is CVE-2023-48705 actively exploited?
What is the CVSS score of CVE-2023-48705?
How do I remediate CVE-2023-48705?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2023-48705
Is Your Infrastructure Affected by CVE-2023-48705?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.