14 matches found
CVE-2026-42557
jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to 4.5.7, JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all cli...
BIT-JUPYTER-NOTEBOOK-2026-42557 jupyterlab: Command linker attributes in HTML enable one-click command execution from untrusted content
jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to 4.5.7, JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all cli...
BIT-JUPYTER-BASE-NOTEBOOK-2026-42557 jupyterlab: Command linker attributes in HTML enable one-click command execution from untrusted content
jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to 4.5.7, JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all cli...
SUSE CVE-2026-42557
jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to 4.5.7, JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all cli...
CVE-2026-42557
jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to 4.5.7, JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all cli...
CVE-2026-42557 jupyterlab: Command linker attributes in HTML enable one-click command execution from untrusted content
jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to 4.5.7, JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all cli...
CVE-2026-42557
CVE-2026-42557 affects JupyterLab prior to 4.5.7. The HTML sanitizer allowedlist for button elements included data-commandlinker-command and data-commandlinker-args, while CommandLinker listens for all click events on document.body and may execute the named command without validating the source U...
Cross-site Scripting (XSS)
Overview @jupyterlab/apputils is a JupyterLab - Application Utilities Affected versions of this package are vulnerable to Cross-site Scripting XSS via the handling of data-commandlinker-command and data-commandlinker-args attributes in HTML content. An attacker can execute arbitrary commands,...
GHSA-MQCG-5X36-VFCG JupyterLab's command linker attributes in HTML enable one-click command execution from untrusted content
JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all click events on document.body and executes the named command without checking whether the element came from trusted JupyterLab UI. A notebook with ...
Cross-site Scripting (XSS)
Overview @jupyterlab/rendermime-interfaces is a JupyterLab - Interfaces for Mime Renderers Affected versions of this package are vulnerable to Cross-site Scripting XSS via the handling of data-commandlinker-command and data-commandlinker-args attributes in HTML content. An attacker can execute...
CVE-2026-40171 Jupyter Notebook and JupyterLab token theft via stored XSS in help command linker
In Jupyter Notebook versions 7.0.0 through 7.5.5, JupyterLab versions 4.5.6 and earlier, and the corresponding @jupyter-notebook/help-extension and @jupyterlab/help-extension packages before 7.5.6 and 4.5.7, a stored cross-site scripting issue in the help command linker can be chained with...
CVE-2026-40171 Jupyter Notebook and JupyterLab token theft via stored XSS in help command linker
In Jupyter Notebook versions 7.0.0 through 7.5.5, JupyterLab versions 4.5.6 and earlier, and the corresponding @jupyter-notebook/help-extension and @jupyterlab/help-extension packages before 7.5.6 and 4.5.7, a stored cross-site scripting issue in the help command linker can be chained with...
Open Redirect
Overview @jupyter-notebook/help-extension is a Jupyter Notebook - Help Extension Affected versions of this package are vulnerable to Open Redirect in the CommandLinker class. An attacker can steal authentication tokens and gain unauthorized access to user accounts by convincing a user to open a...
Open Redirect
Overview notebook is a web application that allows you to create and share documents that contain live code, equations, visualizations, and explanatory text. Affected versions of this package are vulnerable to Open Redirect in the CommandLinker class. An attacker can steal authentication tokens a...