VDB
KO
HIGH 7.4

PYSEC-2026-688

JupyterLab: XSS due to lack of sanitization of the action attribute of an html <form>

Details

### Impact

Untrusted notebook can execute code on load. This is a remote code execution, but requires user action to open a notebook.

### Patches

Patched in the following versions: 3.1.4, 3.0.17, 2.3.2, 2.2.10, 1.2.21.

### References

[OWASP Page on Restricting Form Submissions](https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html)

### For more information

If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security list security@ipython.org.

Credit: Guillaume Jeanne from Google

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / notebook
Introduced in: 0 Fixed in: 5.7.11
Fix pip install --upgrade 'notebook>=5.7.11'

References