HIGH 8.8 PyPI
GHSA-37w4-hwhx-4rc4 · BIT-jupyterlab-2026-42266, CVE-2026-42266 JupyterLab has an Extension Manager API/GUI Policy Discrepancy, allowing 3rd party (malicious) extensions install via POST request
Modified: 5/27/2026
package
PyPI / jupyterlab
pkg:pypi/jupyterlab
HIGH 7.6 PyPI
GHSA-44cc-43rp-5947 · BIT-jupyter-base-notebook-2024-22421, BIT-jupyter-notebook-2024-22421 JupyterLab vulnerable to potential authentication and CSRF tokens leak
Modified: 2/20/2024
HIGH 7.4 PyPI
GHSA-4952-p58q-6crx · BIT-jupyterlab-2021-32797, CVE-2021-32797 JupyterLab: XSS due to lack of sanitization of the action attribute of an html <form>
Modified: 3/13/2026
MEDIUM 6.5 PyPI
GHSA-4m77-cmpx-vjc4 · BIT-jupyter-base-notebook-2024-22420, BIT-jupyter-notebook-2024-22420 JupyterLab vulnerable to SXSS in Markdown Preview
Modified: 2/20/2024
HIGH 7.6 PyPI
GHSA-9q39-rmj3-p4r2 · BIT-jupyter-base-notebook-2024-43805, BIT-jupyter-notebook-2024-43805 HTML injection in Jupyter Notebook and JupyterLab leading to DOM Clobbering
Modified: 8/30/2024
HIGH PyPI
GHSA-mqcg-5x36-vfcg · BIT-jupyter-base-notebook-2026-42557, BIT-jupyter-notebook-2026-42557 JupyterLab's command linker attributes in HTML enable one-click command execution from untrusted content
Modified: 5/15/2026
LOW PyPI
GHSA-vvfj-2jqx-52jm · BIT-jupyterlab-2025-59842, CVE-2025-59842 JupyterLab LaTeX typesetter links did not enforce `noopener` attribute
Modified: 2/4/2026
— PyPI
PYSEC-2021-130 · BIT-jupyterlab-2021-32797, CVE-2021-32797 Modified: 12/6/2023
HIGH 8.8 PyPI
PYSEC-2026-164 · BIT-jupyterlab-2026-42266, CVE-2026-42266 Modified: 5/27/2026
HIGH npm PyPI
GHSA-rch3-82jr-f9w9 · BIT-jupyter-base-notebook-2026-40171, BIT-jupyter-notebook-2026-40171 Jupyter Notebook Vulnerable to Authentication Token Theft via CommandLinker XSS
Modified: 5/11/2026