CVE-2026-42557— jupyterlab: Command linker attributes in HTML enable one-click command execution from untrusted content
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 2
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| jupyter | notebook | >= 7.0.0, < 7.5.6 | affected |
| jupyterlab | jupyterlab | < 4.5.7 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-42557
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
jupyterlab: Command linker attributes in HTML enable one-click command execution from untrusted content
Source: NVD (National Vulnerability Database)
Vulnerability Description
jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to 4.5.7, JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all click events on document.body and executes the named command without checking whether the element came from trusted JupyterLab UI. A notebook with a pre-saved HTML cell output containing a deceptive button can trigger arbitrary JupyterLab commands - including arbitrary code execution - on a single user click, without any code being submitted for execution by the user. This vulnerability is fixed in 4.5.7.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
JupyterLab 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
JupyterLab是JupyterLab开源的一个用于交互式和可重复计算的可扩展环境,基于 Jupyter Notebook 和架构。 jupyterlab 4.5.7之前版本存在跨站脚本漏洞,该漏洞源于HTML清理器允许data-commandlinker-command和data-commandlinker-args属性,且CommandLinker监听所有点击事件,可能导致恶意笔记本单元格输出触发任意JupyterLab命令。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| jupyterlab | jupyterlab | < 4.5.7 | - | |
| jupyter | notebook | >= 7.0.0, < 7.5.6 | - |
II. Public POCs for CVE-2026-42557
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-42557
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: jupyterlab
- CVE-2026-42266
jupyterlab: Extension Manager API/GUI Policy Discrepancy all - CVE-2025-59842
JupyterLab LaTeX typesetter links did not enforce `noopener` - CVE-2024-43805
HTML injection in Jupyter Notebook and JupyterLab leading to - CVE-2024-22420
Stored cross site scripting in Markdown Preview in JupyterLa - CVE-2024-22421
Potential authentication and CSRF tokens leak in JupyterLab
Same vendor: jupyterlab
- CVE-2026-42266
jupyterlab: Extension Manager API/GUI Policy Discrepancy all - CVE-2025-59842
JupyterLab LaTeX typesetter links did not enforce `noopener` - CVE-2025-30370
jupyterlab-git has a command injection vulnerability in "Ope - CVE-2024-43805
HTML injection in Jupyter Notebook and JupyterLab leading to - CVE-2024-39700
Remote Code Execution (RCE) vulnerability in jupyterlab exte
Same weakness: CWE-79
- CVE-2018-25331
Zenar Content Management System Cross-Site Scripting via aja - CVE-2021-47981
Quick.CMS 6.7 Cross-Site Scripting via CSRF to Sliders Form - CVE-2021-47975
WordPress Plugin WP Learn Manager 1.1.2 Stored XSS - CVE-2021-47957
WordPress Plugin Cookie Law Bar 1.2.1 Stored XSS via clb_bar - CVE-2021-47955
CouchCMS 2.2.1 Cross-Site Scripting via SVG File Upload
V. Comments for CVE-2026-42557
No comments yet