CVE-2026-42557
Description
jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to 4.5.7, JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all click events on document.body and executes the named command without checking whether the element came from trusted JupyterLab UI. A notebook with a pre-saved HTML cell output containing a deceptive button can trigger arbitrary JupyterLab commands - including arbitrary code execution - on a single user click, without any code being submitted for execution by the user. This vulnerability is fixed in 4.5.7.
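As an added defender-side example (not JupyterLab's or the advisory's code), the scanner below walks a notebook's saved outputs and reports any element in a text/html payload that carries the two allowlisted attributes named above; the sample notebook and the command name `example:placeholder` are constructed for illustration.

```python
import json
from html.parser import HTMLParser

# Attributes named in the advisory; trusted JupyterLab UI never lives inside
# cell outputs, so any saved output carrying them deserves a look.
COMMANDLINKER_ATTRS = {"data-commandlinker-command", "data-commandlinker-args"}

class _CommandLinkerFinder(HTMLParser):
    """Records every element in an HTML fragment that carries the attributes."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        found = {k.lower(): v for k, v in attrs if k.lower() in COMMANDLINKER_ATTRS}
        if found:
            self.hits.append({"tag": tag, **found})

def _as_text(value):
    # nbformat stores MIME payloads as one string or as a list of line strings.
    return "".join(value) if isinstance(value, list) else str(value)

def find_commandlinker_outputs(notebook):
    """One finding per element with CommandLinker attributes in text/html outputs."""
    findings = []
    for index, cell in enumerate(notebook.get("cells", [])):
        for output in cell.get("outputs", []):
            html = output.get("data", {}).get("text/html")
            if html is None:
                continue  # stream and error outputs carry no rendered HTML
            finder = _CommandLinkerFinder()
            finder.feed(_as_text(html))
            findings.extend({"cell": index, **hit} for hit in finder.hits)
    return findings

# Constructed sample notebook (not a real file): one benign HTML output,
# then a deceptive button with a placeholder command name.
SAMPLE_NOTEBOOK = json.loads("""{
 "cells": [
  {"cell_type": "code", "source": ["df"], "outputs": [
    {"output_type": "display_data", "data": {"text/html": ["<table><tr><td>1</td></tr></table>"]}}]},
  {"cell_type": "code", "source": [""], "outputs": [
    {"output_type": "display_data", "data": {"text/html": [
      "<button data-commandlinker-command=\\"example:placeholder\\" ",
      "data-commandlinker-args='{\\"x\\": 1}'>Click to continue</button>"]}}]}
 ]}""")

if __name__ == "__main__":
    print(find_commandlinker_outputs(SAMPLE_NOTEBOOK))
```

Point it at `json.load(open("notebook.ipynb"))` to triage notebooks before opening them in an unpatched JupyterLab; a hit means the output would render a clickable command trigger there.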
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| jupyterlab (PyPI) | < 4.5.7 | 4.5.7 |
| notebook (PyPI) | >= 7.0.0, < 7.5.6 | 7.5.6 |
Affected products
Product ranges (2 entries):
- (no CPE), range: >= 7.0.0, <= 7.5.5
- cpe:2.3:a:jupyter:jupyterlab:*:*:*:*:*:*:*:*, range: < 4.5.7
OSV coordinates (8 versions):
- pkg:apk/chainguard/datahub-ingestion-fips, range: < 1.5.0.1-r2
- pkg:bitnami/jupyter-base-notebook, range: >= 7.0.0, < 7.5.6
- pkg:bitnami/jupyterlab, range: < 4.5.7
- pkg:bitnami/jupyter-notebook, range: >= 7.0.0, < 7.5.6
- pkg:pypi/jupyterlab, range: < 4.5.7
- pkg:pypi/notebook, range: >= 7.0.0, < 7.5.6
- pkg:rpm/opensuse/python-jupyterlab&distro=openSUSE%20Tumbleweed, range: < 4.5.7-1.1
- pkg:rpm/opensuse/python-notebook&distro=openSUSE%20Tumbleweed, range: < 7.5.6-1.1
References (4)
- github.com/advisories/GHSA-mqcg-5x36-vfcg (GHSA; advisory)
- github.com/jupyterlab/jupyterlab/security/advisories/GHSA-mqcg-5x36-vfcg (NVD; mitigation, vendor advisory, web)
- nvd.nist.gov/vuln/detail/CVE-2026-42557 (GHSA; advisory)
- jupyterlab.readthedocs.io/en/latest/user/commands.html (GHSA; web)