22 matches found
CVE-2026-54528
Summary of vulnerability (CVE-2026-54528): The jupyterlab-git extension for JupyterLab is affected prior to version 0.54.0. On case-insensitive filesystems (e.g., macOS APFS, Windows NTFS), the code path that enforces excluded_paths uses fnmatch.fnmatchcase(), which is case-sensitive and can be b...
CVE-2026-54527
CVE-2026-54527 affects the jupyterlab-git extension. The PlainTextDiff.ts createHeader() renders renamed-file headers by directly inserting Git filenames into innerHTML, enabling stored XSS that can lead to remote code execution. Affected range is before 0.54.0, with fix released in 0.54.0. Explo...
Improper Handling of Case Sensitivity
Overview jupyterlab-git is an A JupyterLab extension for version control using git Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the prepare function due to improper enforcement of excluded directory paths on case-insensitive filesystems. An attacker...
jupyterlab-git excluded_paths Case-Sensitivity Bypass Allows Reading Excluded Directories
Summary jupyterlab-git 0.53.0 latest, 2026-04-30 uses fnmatch.fnmatchcase in GitHandler.prepare jupyterlabgit/handlers.py:91 to enforce the admin-configured excludedpaths security control. Because fnmatchcase is unconditionally case-sensitive, an authenticated user on a case-insensitive filesyste...
Cross-site Scripting (XSS)
Overview @jupyterlab/git is an A JupyterLab extension for version control using git Affected versions of this package are vulnerable to Cross-site Scripting XSS in the createHeader method. An attacker can execute arbitrary JavaScript in another user's browser session by crafting a malicious...
jupyterlab-git extension: Stored XSS leading to RCE
Overview Amazon Web Services AWS Security has identified a stored cross-site scripting XSS issue in the jupyterlab-git JupyterLab extension that can lead to remote code execution RCE. The issue exists in the PlainTextDiff.ts component, where the createHeader method passes Git filenames directly t...
PT-2026-51065
Name of the Vulnerable Software and Affected Versions jupyterlab-git affected versions not specified Description A stored cross-site scripting XSS issue exists in the PlainTextDiff.ts component of the jupyterlab-git extension. The createHeader function passes Git filenames directly to innerHTML...
PT-2026-51066
Summary jupyterlab-git 0.53.0 latest, 2026-04-30 uses fnmatch.fnmatchcase in GitHandler.prepare jupyterlab git/handlers.py:91 to enforce the admin-configured excluded paths security control. Because fnmatchcase is unconditionally case-sensitive, an authenticated user on a case-insensitive...
CVE-2026-54528
creationtimestamp| type| source ---|---|--- 2026-06-18 07:12:50+00:00| published-proof-of-concept| https://github.com/jupyterlab/jupyterlab-git/security/advisories/GHSA-436q-jwfr-rm2h...
The vulnerability of the “Open Git Repository in Terminal” control element, a extension for the JupyterLab web-oriented interactive development environment, allows an attacker to gain access to and modify data, as well as execute arbitrary commands.
The vulnerability of the “Open Git Repository in Terminal” control element in the JupyterLab-Git web-oriented interactive development environment is related to the failure to implement measures to neutralize special elements used in the operating system command line. Exploiting this vulnerability...
GHSA-CJ5W-8MJF-R5F8 jupyterlab-git has a command injection vulnerability in "Open Git Repository in Terminal"
Overview On many platforms, a third party can create a Git repository under a name that includes a shell command substitution ^1 string in the syntax $. These directory names are allowed in macOS and a majority of Linux distributions ^2. If a user starts jupyter-lab in a parent directory of this...
jupyterlab-git has a command injection vulnerability in "Open Git Repository in Terminal"
Overview On many platforms, a third party can create a Git repository under a name that includes a shell command substitution ^1 string in the syntax $. These directory names are allowed in macOS and a majority of Linux distributions ^2. If a user starts jupyter-lab in a parent directory of this...
elyra (>=4.0.0rc0 <=4.0.0rc4), elyra-code-snippet-extension (>=3.0.0rc3 <=4.0.0rc2) +12 more potentially affected by CVE-2025-30370 via jupyterlab-git (>=0.24.0 <=0.50.2)
jupyterlab-git PYPI version =0.24.0, =4.0.0rc0, =3.0.0rc3, =3.14.0, =3.0.0rc3, =3.0.0rc3, =3.0.0rc3, =3.14.0, =4.0.0rc0, =0.4.0, =2.1.0, =0.1.30, =1.3.19, =3.16.1, =0.1.0, =0.2.9 Source cves: CVE-2025-30370 Source advisory: OSV:GHSA-CJ5W-8MJF-R5F8...
CVE-2025-30370
A flaw was found in jupyterlab-git. On many platforms, a third party can create a Git repository under a name that includes a shell command substitution string in the syntax $. These directory names are allowed in macOS and a majority of Linux distributions. If a user starts jupyter-lab in a pare...
elyra (>=4.0.0rc0 <=4.0.0rc4), elyra-code-snippet-extension (>=3.0.0rc3 <=4.0.0rc2) +12 more potentially affected by CVE-2025-30370 via jupyterlab-git (>=0.24.0 <=0.50.2)
jupyterlab-git PYPI version =0.24.0, =4.0.0rc0, =3.0.0rc3, =3.14.0, =3.0.0rc3, =3.0.0rc3, =3.0.0rc3, =3.14.0, =4.0.0rc0, =0.4.0, =2.1.0, =0.1.30, =1.3.19, =3.16.1, =0.1.0, =0.2.9 Source cves: CVE-2025-30370 Source advisory: SNYK:PYTHON-JUPYTERLABGIT-9667341...
CVE-2025-30370 jupyterlab-git has a command injection vulnerability in "Open Git Repository in Terminal"
jupyterlab-git is a JupyterLab extension for version control using Git. On many platforms, a third party can create a Git repository under a name that includes a shell command substitution string in the syntax $. These directory names are allowed in macOS and a majority of Linux distributions. If...
Command Injection
Overview jupyterlab-git is an A JupyterLab extension for version control using git Affected versions of this package are vulnerable to Command Injection in the addCommands function, which executes a cd command on the input passed in to the "Open Git Repository in Terminal" interface. If a user wi...
CVE-2025-30370
CVE-2025-30370 affects the jupyterlab-git JupyterLab extension. When a user opens a repository whose directory name contains a shell command substitution (e.g., $()) and selects “Git > Open Git Repository in Terminal,” the extension previously executed a shell command via a cd to the repositor...
jupyterlab-git 安全漏洞
jupyterlab-git is an open source Git extension for JupyterLab. A security vulnerability exists in jupyterlab-git that stems from a command injection that can be caused when a command substitution string is included in a directory name...
PT-2025-14811
Name of the Vulnerable Software and Affected Versions jupyterlab-git versions prior to 0.51.1 Description The issue arises when a user opens a maliciously named Git repository in jupyterlab-git and clicks "Git Open Git Repository in Terminal" from the menu bar. This action can lead to the executi...