JupyterLab: XSS due to lack of sanitization of the action attribute of an html <form>
Description
JupyterLab is a user interface for Project Jupyter which will eventually replace the classic Jupyter Notebook. In affected versions an untrusted notebook can execute code on load. In particular, JupyterLab doesn't sanitize the action attribute of HTML `<form>` elements. Using this it is possible to trigger the form validation outside of the form itself. This is a remote code execution, but requires user action to open a notebook.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
JupyterLab fails to sanitize the action attribute of HTML forms, allowing XSS that leads to remote code execution when a malicious notebook is opened.
Vulnerability
JupyterLab, a user interface for Project Jupyter, does not properly sanitize the action attribute of HTML `<form>` elements in notebook cells [1][2]. This oversight allows an attacker to craft a malicious `.ipynb` file that, when opened, triggers form validation outside the form itself, leading to cross-site scripting (XSS) [1][2]. The vulnerability affects JupyterLab versions prior to the fix introduced in commit 504825938c0abfa2fb8ff8d529308830a5ae42ed [3].
Exploitation
An attacker can create a specially crafted notebook containing a Markdown cell with a `<form>` element that has a malicious `action` attribute [1]. By combining this with HTML elements that trigger form events, the attacker can execute arbitrary JavaScript code in the context of the JupyterLab session [1]. The exploit requires user action: the victim must open the malicious notebook in JupyterLab [2]. No additional authentication or network position beyond normal access to the notebook is needed [1].
Impact
Successful exploitation results in remote code execution (RCE) with the privileges of the JupyterLab user [1]. The attacker can execute arbitrary JavaScript, which can then be used to run Python code on the kernel, access files, or compromise the entire Jupyter environment [1]. This leads to full compromise of the user's session and potential data exfiltration [1].
Mitigation
JupyterLab patched this vulnerability by removing the action attribute from `<form>` tags during sanitization, as seen in commit 504825938c0abfa2fb8ff8d529308830a5ae42ed [3]. Users should upgrade to a fixed version (e.g., 3.1.4 or later) [4]. There is no known workaround other than not opening untrusted notebooks. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
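To make the allowlist change concrete, here is an added example that is not JupyterLab's own sanitizer code: a minimal per-tag attribute allowlist in the shape of the fix, with the pre-fix `form` attribute list from the patch beside the post-fix one, applied to a constructed Markdown-cell snippet (the `input` entry, the placeholder URL and the sample cell are assumptions).

```typescript
// Added example, not JupyterLab's own sanitizer: a minimal per-tag
// attribute allowlist in the shape of the fix in commit 504825938c0a,
// which dropped 'action' from the attributes permitted on <form>.
type AttrPolicy = Record<string, string[]>; // tag name -> allowed attribute names

// Allowlist before the fix: 'action' is still permitted on <form>.
// The <input> entry is an assumption added so the sample cell round-trips.
const POLICY_BEFORE: AttrPolicy = {
  form: ['accept', 'action', 'autocomplete', 'enctype', 'method'],
  input: ['name', 'type', 'value'],
};

// Allowlist after the fix: identical except that 'action' is removed.
const POLICY_AFTER: AttrPolicy = {
  ...POLICY_BEFORE,
  form: POLICY_BEFORE.form.filter((name) => name !== 'action'),
};

// Rewrite every start tag so it keeps only attributes the policy allows for
// that tag; tags the policy does not list lose all of their attributes.
function sanitizeAttributes(html: string, policy: AttrPolicy): string {
  const startTag = /<([a-zA-Z][a-zA-Z0-9]*)(\s[^>]*)?>/g;
  return html.replace(startTag, (_match, rawName: string, rawAttrs?: string) => {
    const tag = rawName.toLowerCase();
    const allowed = new Set(policy[tag] ?? []);
    // One attribute: name, then optionally ="..." / '...' / bare value.
    const attr = /([^\s=\/]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;
    const kept: string[] = [];
    let m: RegExpExecArray | null;
    while ((m = attr.exec(rawAttrs ?? '')) !== null) {
      const name = m[1].toLowerCase();
      if (!allowed.has(name)) continue;
      kept.push(m[2] === undefined ? name : `${name}=${m[2]}`);
    }
    return kept.length > 0 ? `<${tag} ${kept.join(' ')}>` : `<${tag}>`;
  });
}

// True when a <form> with an action attribute survives sanitization.
function formActionSurvives(html: string, policy: AttrPolicy): boolean {
  return /<form\b[^>]*\baction\s*=/i.test(sanitizeAttributes(html, policy));
}

// Constructed Markdown-cell HTML (placeholder URL); only attribute names matter here.
const SAMPLE_CELL =
  '<form action="https://example.invalid/placeholder" method="post">' +
  '<input type="text" name="q"></form>';
console.log(sanitizeAttributes(SAMPLE_CELL, POLICY_BEFORE)); // action kept
console.log(sanitizeAttributes(SAMPLE_CELL, POLICY_AFTER));  // action stripped
```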
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| jupyterlab (PyPI) | < 1.2.21 | 1.2.21 |
| jupyterlab (PyPI) | >= 2.0.0a0, < 2.2.10 | 2.2.10 |
| jupyterlab (PyPI) | >= 2.3.0a0, < 2.3.2 | 2.3.2 |
| jupyterlab (PyPI) | >= 3.0.0a0, < 3.0.17 | 3.0.17 |
| jupyterlab (PyPI) | >= 3.1.0a0, < 3.1.4 | 3.1.4 |
| notebook (PyPI) | < 5.7.11 | 5.7.11 |
| notebook (PyPI) | >= 6.0.0, < 6.4.1 | 6.4.1 |
Affected products
OSV coordinates and affected ranges:
- pkg:bitnami/jupyterlab (no CPE), range: < 1.2.21
- pkg:pypi/jupyterlab (no CPE), range: < 1.2.21
- pkg:pypi/notebook (no CPE), range: < 5.7.11
- pkg:rpm/opensuse/python-jupyterlab (openSUSE Leap 15.4, no CPE), range: < 2.2.10-bp154.2.3.1
- pkg:rpm/suse/python-jupyterlab (SUSE Package Hub 15 SP4, no CPE), range: < 2.2.10-bp154.2.3.1
- github.com/jupyterlab/jupyterlab, range: >= 3.1.0, < 3.1.4
Patches
504825938c0a Merge pull request from GHSA-4952-p58q-6crx
1 file changed · +0 −1
packages/apputils/src/sanitizer.ts+0 −1 modified@@ -624,7 +624,6 @@ export class Sanitizer implements ISanitizer { font: ['color', 'face', 'size'], form: [ 'accept', - 'action', 'autocomplete', 'enctype', 'method',
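Review bot: the single removal of `'action'` from the `form` entry of the attribute allowlist in `packages/apputils/src/sanitizer.ts` (hunk `@@ -624,7 +624,6 @@`) is the entire change, and the "1 file changed" summary shows no accompanying regression test; a test that runs a Markdown cell containing a `<form>` with an `action` attribute through `Sanitizer` and asserts the attribute is gone would lock the fix in. A short comment beside the remaining entries (`'accept'`, `'autocomplete'`, `'enctype'`, `'method'`) explaining why `'action'` alone was dropped would also help the next reader of this list.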
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-4952-p58q-6crx (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-32797 (GHSA, advisory)
- github.com/google/security-research/security/advisories/GHSA-c469-p3jp-2vhx (GHSA, web)
- github.com/jupyterlab/jupyterlab/commit/504825938c0abfa2fb8ff8d529308830a5ae42ed (GHSA, x_refsource_MISC, web)
- github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4952-p58q-6crx (GHSA, x_refsource_CONFIRM, web)
- github.com/pypa/advisory-database/tree/main/vulns/jupyterlab/PYSEC-2021-130.yaml (GHSA, web)