HTML Sanitization Flaw in JupyterLab Enables Command Execution
CVE-2026-42557

8.6 HIGH

Key Information:

Vendor: Jupyterlab

CVE Published: 13 May 2026

What is CVE-2026-42557?

JupyterLab versions prior to 4.5.7 are affected by an issue in which the HTML sanitizer permits certain data attributes on button elements. Because CommandLinker reacts to click events across the entire document and executes the referenced command without verifying that the clicked element comes from a trusted source, a user who interacts with a crafted notebook containing a deceptive button element can unknowingly trigger harmful commands, including arbitrary code execution.
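The two conditions described above, an attribute allowlist that lets untrusted markup carry data attributes and a handler that trusts them wherever they appear, can be checked for at the sanitizer layer. The following is an added illustration written for this advisory, not JupyterLab's own sanitizer (which is a separate, allowlist-based component) and not a reproduction of the vulnerable code. It implements a small allowlist sanitizer on Python's standard `html.parser`, applies a permissive policy that keeps `data-*` attributes on buttons beside a hardened policy that drops them from untrusted content, and provides an audit function that counts surviving data attributes. All tag names, attribute names (`data-cmd`, `data-args`), class names and the sample notebook fragment are constructed placeholders, not JupyterLab identifiers.

```python
"""Allowlist HTML sanitizer illustrating why data attributes on untrusted
buttons matter. Added example for this advisory; not JupyterLab's code.
Every attribute and class name here is a constructed placeholder."""
from html import escape
from html.parser import HTMLParser

# Tags untrusted notebook output may keep (constructed subset).
ALLOWED_TAGS = {"p", "b", "i", "a", "button", "span", "div"}

# Attributes allowed on every tag.
GLOBAL_ATTRS = {"class", "title"}

# Permissive policy: mirrors the flaw class by letting untrusted buttons keep
# data-* attributes, which a document-wide click handler might later read as
# "execute this command". "data-*" is this example's own wildcard notation.
PERMISSIVE_POLICY = {"a": {"href"}, "button": {"data-*"}}

# Hardened policy: no data-* attributes survive on untrusted markup.
STRICT_POLICY = {"a": {"href"}, "button": set()}


def _attr_allowed(tag, name, policy):
    """Return True if attribute `name` may stay on `tag` under `policy`."""
    name = name.lower()
    if name in GLOBAL_ATTRS:
        return True
    allowed = policy.get(tag, set())
    if name in allowed:
        return True
    return "data-*" in allowed and name.startswith("data-")


class _Sanitizer(HTMLParser):
    """Rebuilds the document keeping only allowlisted tags and attributes."""

    def __init__(self, policy):
        super().__init__(convert_charrefs=True)
        self.policy = policy
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            if _attr_allowed(tag, name, self.policy):
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is always re-escaped


def sanitize(html, policy):
    """Sanitize an untrusted HTML fragment under the given attribute policy."""
    parser = _Sanitizer(policy)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


class _DataAttrCounter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.count = 0

    def handle_starttag(self, tag, attrs):
        self.count += sum(1 for name, _ in attrs if name.lower().startswith("data-"))


def data_attribute_count(html):
    """Audit helper: number of data-* attributes present in a fragment."""
    counter = _DataAttrCounter()
    counter.feed(html)
    counter.close()
    return counter.count


# Constructed sample: a notebook cell's HTML output containing a deceptive
# button. The attribute names are placeholders chosen for this example.
UNTRUSTED_OUTPUT = (
    "<p>Click to view results</p>"
    '<button class="note-button" data-cmd="run-all" data-args=\'{"x":1}\' '
    'onclick="evil()">Show</button>'
)

if __name__ == "__main__":
    for label, policy in (("permissive", PERMISSIVE_POLICY), ("strict", STRICT_POLICY)):
        cleaned = sanitize(UNTRUSTED_OUTPUT, policy)
        print(f"{label}: {cleaned}")
        print(f"  surviving data-* attributes: {data_attribute_count(cleaned)}")
```

Under the permissive policy the inline `onclick` handler is dropped but both `data-*` attributes survive, so anything that interprets them as commands still runs when the button is clicked; under the strict policy the button keeps only its class. The `data_attribute_count` check is the kind of regression assertion one can keep in a test suite for a sanitizer policy.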

Affected Version(s)

jupyterlab < 4.5.7

notebook >= 7.0.0, < 7.5.6

References

CVSS V4

Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
