Nixpkgs security tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: python313Packages.jupyterlab

Found 3 matching suggestions

View:
Compact
Detailed
Published
Permalink CVE-2026-42266
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 1 month, 1 week ago by @LeSuisse Activity log
  • Created suggestion 1 month, 1 week ago
  • @LeSuisse ignored
    21 packages
    • python312Packages.jupyterlab-git
    • python312Packages.jupyterlab-lsp
    • python312Packages.jupyterlab-vim
    • python313Packages.jupyterlab-git
    • python313Packages.jupyterlab-lsp
    • python313Packages.jupyterlab-vim
    • python314Packages.jupyterlab-git
    • python314Packages.jupyterlab-lsp
    • python314Packages.jupyterlab-vim
    • python312Packages.jupyterlab-server
    • python313Packages.jupyterlab-server
    • python314Packages.jupyterlab-server
    • python312Packages.jupyterlab-widgets
    • python313Packages.jupyterlab-widgets
    • python314Packages.jupyterlab-widgets
    • python312Packages.jupyterlab-pygments
    • python313Packages.jupyterlab-pygments
    • python314Packages.jupyterlab-pygments
    • python312Packages.jupyterlab-execute-time
    • python313Packages.jupyterlab-execute-time
    • python314Packages.jupyterlab-execute-time
    1 month, 1 week ago
  • @LeSuisse accepted 1 month, 1 week ago
  • @LeSuisse published on GitHub 1 month, 1 week ago
jupyterlab: Extension Manager API/GUI Policy Discrepancy allowing 3rd party (malicious) extensions install via POST request.

jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced by JupyterLab. The PyPI Extension Manager was not contained to packages listed on the default PyPI index. This vulnerability is fixed in 4.5.7.

Affected products

jupyterlab
  • ==>= 4.0.0, < 4.5.7

Matching in nixpkgs

Ignored packages (21)

Package maintainers

Untriaged
Permalink CVE-2026-42557
8.6 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Active (A)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): High (H)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Active (A)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): High (H)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 1 month, 1 week ago Activity log
  • Created suggestion 1 month, 1 week ago
jupyterlab: Command linker attributes in HTML enable one-click command execution from untrusted content

jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to 4.5.7, JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all click events on document.body and executes the named command without checking whether the element came from trusted JupyterLab UI. A notebook with a pre-saved HTML cell output containing a deceptive button can trigger arbitrary JupyterLab commands - including arbitrary code execution - on a single user click, without any code being submitted for execution by the user. This vulnerability is fixed in 4.5.7.

Affected products

notebook
  • ==>= 7.0.0, < 7.5.6
jupyterlab
  • ==< 4.5.7

Matching in nixpkgs

pkgs.rednotebook

Modern journal that includes a calendar navigation, customizable templates, export functionality and word clouds

  • nixos-unstable 2.42
    • nixpkgs-unstable 2.42
    • nixos-unstable-small 2.42

pkgs.wolfram-notebook

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

Package maintainers

Published
Permalink CVE-2026-40171
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 1 month, 2 weeks ago
  • @LeSuisse ignored
    29 packages
    • rednotebook
    • wolfram-notebook
    • python312Packages.notebook-shim
    • python313Packages.notebook-shim
    • python314Packages.notebook-shim
    • python312Packages.jupyterlab-vim
    • python312Packages.jupyterlab-lsp
    • python312Packages.jupyterlab-git
    • python313Packages.jupyterlab-git
    • python313Packages.jupyterlab-lsp
    • python313Packages.jupyterlab-vim
    • python314Packages.jupyterlab-git
    • python314Packages.jupyterlab-lsp
    • python314Packages.jupyterlab-vim
    • python312Packages.pytest-notebook
    • python313Packages.pytest-notebook
    • python314Packages.pytest-notebook
    • python312Packages.jupyterlab-server
    • python313Packages.jupyterlab-server
    • python314Packages.jupyterlab-server
    • python312Packages.jupyterlab-widgets
    • python313Packages.jupyterlab-widgets
    • python314Packages.jupyterlab-widgets
    • python312Packages.jupyterlab-pygments
    • python313Packages.jupyterlab-pygments
    • python314Packages.jupyterlab-pygments
    • python312Packages.jupyterlab-execute-time
    • python313Packages.jupyterlab-execute-time
    • python314Packages.jupyterlab-execute-time
    1 month, 2 weeks ago
  • @LeSuisse accepted 1 month, 2 weeks ago
  • @LeSuisse published on GitHub 1 month, 2 weeks ago
Jupyter Notebook and JupyterLab token theft via stored XSS in help command linker

In Jupyter Notebook versions 7.0.0 through 7.5.5, JupyterLab versions 4.5.6 and earlier, and the corresponding @jupyter-notebook/help-extension and @jupyterlab/help-extension packages before 7.5.6 and 4.5.7, a stored cross-site scripting issue in the help command linker can be chained with attacker-controlled notebook content to steal authentication tokens with a single click. An attacker can craft a malicious notebook file containing elements that appear indistinguishable from legitimate controls and trigger execution when a user interacts with them. Successful exploitation allows theft of the user's authentication token and complete takeover of the Jupyter session through the REST API, including reading files, creating or modifying files, accessing kernels to execute arbitrary code, and creating terminals for shell access. This issue has been fixed in Notebook 7.5.6, JupyterLab 4.5.7, @jupyter-notebook/help-extension 7.5.6, and @jupyterlab/help-extension 4.5.7. As a workaround, disable the affected help extensions or set allowCommandLinker to false in the sanitizer configuration.

Affected products

notebook
  • ==>=7.0.0, <= 7.5.5
jupyterlab
  • ==<= 4.5.6
help-extension
  • ==>=7.0.0,<= 7.5.5
  • ==<=4.5.6

Matching in nixpkgs

Ignored packages (29)

pkgs.rednotebook

Modern journal that includes a calendar navigation, customizable templates, export functionality and word clouds

  • nixos-unstable 2.42
    • nixpkgs-unstable 2.42
    • nixos-unstable-small 2.42

pkgs.wolfram-notebook

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

Package maintainers