Stored Cross-Site Scripting Vulnerability in Jupyter Notebook and JupyterLab
CVE-2026-40171

8.4HIGH

Key Information:

Vendor: Jupyter
Status: Notebook; Help-extension; Jupyterlab
Vendor: CVE Published:; 6 May 2026

What is CVE-2026-40171?

In certain versions of Jupyter Notebook and JupyterLab, a stored cross-site scripting vulnerability exists within the help command linker. This flaw can be exploited by an attacker through maliciously crafted notebook files that mimic legitimate controls, prompting users to execute unintended actions. By successfully executing the attack, the attacker can steal the user's authentication tokens, potentially leading to full compromise of the Jupyter session via the REST API. This includes unauthorized file access, modification capabilities, and execution of arbitrary code. The issue has been addressed in the latest versions of the affected products, and users are advised to either disable the impacted help extensions or adjust configuration settings to mitigate risks.

Affected Version(s)

help-extension <=4.5.6

help-extension >=7.0.0,<= 7.5.5

jupyterlab <= 4.5.6

References

https://github.com/jupyter/notebook/security/advisories/G...

x_refsource_CONFIRM

CVSS V4

Score:

8.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 6, 2026
Vulnerability Reserved
Apr 9, 2026

CVE-2026-40171 Data

JSON