PyPI: jupyterlab
CVE-2026-40171
Safety vulnerability ID: SFTY-20260430-81856
Affected versions of the `@jupyter-notebook` package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of user-generated content within notebook files. The notebook interface fails to adequately sanitize HTML and JavaScript content, allowing malicious scripts to be executed in the context of the user's session. An attacker can exploit this by crafting a notebook file with embedded scripts that, once opened by a user, execute and potentially steal authentication tokens or perform actions on behalf of the user, leading to account compromise.
Overview
Jupyter Notebook Vulnerable to Authentication Token Theft via CommandLinker XSS
Advisory
@jupyter-notebook – Cross-site Scripting (XSS)
How to Fix
Mitigation and Workarounds
---
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20260430-81856/CVE-2026-40171
- https://github.com/jupyterlab/jupyterlab/commit/5d9cb8c634e0
- https://github.com/jupyterlab/jupyterlab/commit/5d9cb8c634e081028ea6df4dd7149a1b1a84ec56
- https://github.com/jupyter/notebook/security/advisories/GHSA-rch3-82jr-f9w9
- https://jupyterlab.readthedocs.io/en/latest/user/commands.html#commands-in-markdown-output-and-files
- https://nvd.nist.gov/vuln/detail/CVE-2026-40171
- https://github.com/advisories/GHSA-rch3-82jr-f9w9
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.