5 matches found
@fails-components/jupyter-applet-view (>=0.0.1-alpha.3 <=0.0.1-alpha.18), @fails-components/jupyter-filesystem-extension (>=0.0.1-alpha.3 <=0.0.1-alpha.18) +3 more potentially affected by CVE-2026-40171 via @jupyterlab/help-extension (>=4.0.13 <=4.4.10)
@jupyterlab/help-extension | NPM version =4.0.13, =0.0.1-alpha.3, =0.0.1-alpha.3, =0.0.1-alpha.3, =0.0.1-alpha.3, =0.2.0, =0.6.0-alpha.9 | Source CVEs: CVE-2026-40171 | Source advisory: SNYK:JS-JUPYTERLABHELPEXTENSION-16347193...
HTML Injection
JupyterLite-core is vulnerable to HTML Injection. The vulnerability is due to insufficient validation of Markdown content, allowing a malicious notebook or file to access data and perform actions in the JupyterLite environment...
andeplane-pyodide-kernel (>=0.0.7 <=0.0.12), here-search-demo (>=0.9.0 <=0.9.1) +8 more potentially affected by unknown CVE via jupyterlite-core (>=0.1.2 <=0.4.0rc0)
jupyterlite-core | PYPI version =0.1.2, =0.0.7, =0.9.0, =0.0.4, =0.10.0, =0.1.0, =0.9.6, =0.3.0, =0.6.0, =0.6.1 | Source CVEs: unknown CVE | Source advisory: OSV:GHSA-GJ55-2XF9-67RQ...
GHSA-GJ55-2XF9-67RQ HTML injection in JupyterLite leading to DOM Clobbering
Impact: The vulnerability depends on user interaction by opening a malicious notebook with Markdown cells, or a Markdown file using the JupyterLab preview feature. A malicious user can access any data accessible from JupyterLite and perform arbitrary actions in the JupyterLite environment. Patches: JupyterLi...
PT-2024-40302 · Jupyterlab +1 · @Jupyterlab/Mathjax-Extension +3
Name of the Vulnerable Software and Affected Versions: JupyterLite versions prior to 0.4.1. Description: The issue depends on user interaction by opening a malicious notebook with Markdown cells or a Markdown file using the JupyterLab preview feature. A malicious user can access any data accessibl...