CVE Catalog

CVE-2026-42557

CriticalCVSS 9.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.39%

30th percentile — higher than 30% of all known CVEs

Summary

A vulnerability in JupyterLab before version 4.5.7 allows arbitrary JupyterLab commands to be executed via a crafted button in an HTML cell. The CommandLinker listens for click events on the entire document and executes commands without verifying the element's origin.

Risk Assessment

An attacker can exploit this vulnerability to execute arbitrary code in the victim's context, leading to session takeover, data theft, or further compromise of the infrastructure.

Recommendation

Upgrade JupyterLab to version 4.5.7 or later immediately to mitigate the vulnerability.

Original NVD description (English source)

jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to 4.5.7, JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all click events on document.body and executes the named command without checking whether the element came from trusted JupyterLab UI. A notebook with a pre-saved HTML cell output containing a deceptive button can trigger arbitrary JupyterLab commands - including arbitrary code execution - on a single user click, without any code being submitted for execution by the user. This vulnerability is fixed in 4.5.7.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS