CVE-2026-42557

9.6 CRITICAL

jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture

Published: 2026-05-13 · Last updated: 2026-06-02

Severity and scoring

CVSS: 9.6 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE: CWE-79

Affected products

Vendor	Product
jupyter	jupyterlab, notebook

Description

jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to 4.5.7, JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all click events on document.body and executes the named command without checking whether the element came from trusted JupyterLab UI. A notebook with a pre-saved HTML cell output containing a deceptive button can trigger arbitrary JupyterLab commands - including arbitrary code execution - on a single user click, without any code being submitted for execution by the user. This vulnerability is fixed in 4.5.7.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-42557
[Vendor advisory]https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-mqcg-5x36-vfcg

Related CVEs

Same vendor

CVE-2026-5422 — A path traversal vulnerability exists in jupyter-server version 2.17.0 due to an incorrect root directory boundary check in the _get_os_p... (8.1 HIGH)
CVE-2026-40864 — JupyterHub is software that allows users to create a multi-user server for Jupyter notebooks (5.4 MEDIUM)
CVE-2026-42266 — JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture (8.8 HIGH)

Same CWE

CVE-2026-2827 — The Open User Map PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'oum_location_notification' parameter in ... (4.7 MEDIUM)
CVE-2026-42558 — Xibo is an open source digital signage platform with a web content management system and Windows display player software (7.6 HIGH)
CVE-2026-53742 — Simple Link Directory through 9.0.4 echoes embed shortcode attributes into HTML data attributes without escaping in the embedder template (5.4 MEDIUM)
CVE-2026-53741 — Simple Link Directory through 9.0.4 interpolates the sld_no_results_found option into a JavaScript string literal without encoding (5.4 MEDIUM)
CVE-2026-53740 — Yoast Duplicate Post through 4.6 inserts an unescaped post title and permalink into the Classic Editor scheduled republish notice (5.4 MEDIUM)