JavaScript Execution Vulnerability in JupyterLab Git
CVE-2026-54527

9.3CRITICAL

Key Information:

Vendor

Jupyterlab

Vendor
CVE Published:
8 July 2026

What is CVE-2026-54527?

The JupyterLab Git extension contains a vulnerability that affects versions from 0.30.0b3 up to 0.54.0. The issue arises from the createHeader() method in PlainTextDiff.ts, which improperly handles Git filenames by passing them directly to innerHTML when rendering renamed files in the commit history. This flaw allows an attacker to craft a filename that executes arbitrary JavaScript when the victim views the corresponding rename diff in the Git History tab. Users are encouraged to upgrade to version 0.54.0, where this vulnerability has been addressed.

Affected Version(s)

jupyterlab-git >= 0.30.0b3, < 0.54.0

References

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.