PyPI: jupyterlab
CVE-2026-42557
Safety vulnerability ID: SFTY-20260506-41258
Safety legacy ID: pyup.io-96413
Affected versions of the jupyterlab package are vulnerable to Improper Neutralisation of Input During Web Page Generation due to the HTML sanitiser allowlisting the data-commandlinker-command and data-commandlinker-args attributes on button elements while the CommandLinker handler executes the named command without verifying the origin of the click target. The CommandLinker registers a global click listener on document.body that dispatches whichever command is named in the data-commandlinker-command attribute of the clicked element, so a notebook or Markdown file containing a pre-saved HTML cell output with a deceptive button rendered in the output area is sufficient to invoke arbitrary JupyterLab commands without any code being submitted to a kernel. An attacker who shares a notebook or Markdown file via email, GitHub, or a Binder link can, on a single victim click, execute arbitrary code in available kernels, delete files, or spawn multiple kernels and terminals to exhaust server resources, and through a multi-click sequence that grants clipboard access on Chromium-based browsers can obtain full terminal access in the user environment.
Overview
JupyterLab's command linker attributes in HTML enable one-click command execution from untrusted content
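The attribute names given above can be checked for directly in a saved notebook before it is opened or served. The following is an added example, not JupyterLab project code: it scans an .ipynb document for HTML outputs or Markdown cells that carry data-commandlinker-* attributes and strips those attributes from stored HTML; the command id and the notebook contents are constructed placeholders.

```javascript
// Added example (not JupyterLab project code): scan an .ipynb document for
// HTML outputs or Markdown cells that carry data-commandlinker-* attributes,
// which a vulnerable JupyterLab sanitiser passes through to the rendered DOM.
// Detection only; the command id and notebook below are constructed samples.

const COMMANDLINKER_ATTR = /\bdata-commandlinker-(?:command|args)\s*=/i;

// Normalise a notebook "source"/"data" field, which may be a string or an
// array of line strings.
function joinLines(value) {
  return Array.isArray(value) ? value.join("") : String(value ?? "");
}

// Return a list of findings { cell, mime, snippet } for every place in the
// notebook where a command-linker attribute appears in renderable content.
function findCommandLinkerAttributes(nb) {
  const findings = [];
  (nb.cells ?? []).forEach((cell, idx) => {
    const checks = [];
    if (cell.cell_type === "markdown") {
      checks.push(["text/markdown", joinLines(cell.source)]);
    }
    for (const out of cell.outputs ?? []) {
      const html = out.data?.["text/html"];
      if (html !== undefined) checks.push(["text/html", joinLines(html)]);
    }
    for (const [mime, text] of checks) {
      const m = COMMANDLINKER_ATTR.exec(text);
      if (m) findings.push({ cell: idx, mime, snippet: text.slice(m.index, m.index + 40) });
    }
  });
  return findings;
}

// Strip both attributes from an HTML string so a stored output can no longer
// name a command for the global click handler (sanitiser-style hardening).
function stripCommandLinkerAttributes(html) {
  return html.replace(/\s+data-commandlinker-(?:command|args)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi, "");
}

// Constructed sample notebook: one benign output, one pre-saved HTML output
// carrying a command-linker button (the command id is a placeholder).
const SAMPLE_NOTEBOOK = {
  cells: [
    { cell_type: "code", source: ["print(1)"], outputs: [{ output_type: "execute_result", data: { "text/plain": ["1"] } }] },
    { cell_type: "code", source: [], outputs: [{ output_type: "display_data",
        data: { "text/html": ["<button data-commandlinker-command=\"example:placeholder\" ",
                              "data-commandlinker-args='{\"k\":1}'>Run me</button>"] } }] },
  ],
};
```

Running findCommandLinkerAttributes over each notebook in a shared repository or upload path flags files that need review; stripCommandLinkerAttributes shows the attribute-level removal a hardened sanitiser applies to stored HTML.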
References
- https://getsafety.com/vulnerabilities/SFTY-20260506-41258/CVE-2026-42557
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42557
- https://data.safetycli.com/changelogs/jupyterlab/
- https://github.com/advisories/GHSA-mqcg-5x36-vfcg
- https://pypi.org/project/jupyterlab
- https://github.com/jupyterlab/jupyterlab/commit/5d9cb8c634e081028ea6df4dd7149a1b1a84ec56
- https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-mqcg-5x36-vfcg
- https://jupyterlab.readthedocs.io/en/latest/user/commands.html#commands-in-markdown-files
- https://nvd.nist.gov/vuln/detail/CVE-2026-42557
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.