Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.9
JupyterLab: Malicious buttons can execute code on user click
DEBIAN-CVE-2026-42557
Summary
JupyterLab, a popular interactive computing environment, had a security issue that allowed malicious buttons to execute code on a user's computer without their knowledge. This has been fixed in version 4.5.7. To stay secure, ensure you're running the latest version of JupyterLab.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Debian:13 | debian | jupyterlab | All versions |
| Debian:14 | debian | jupyterlab | All versions |
Original title
jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to 4.5.7, JupyterLab's HTML sanitizer allowlists data-commandli...
Original description
jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to 4.5.7, JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all click events on document.body and executes the named command without checking whether the element came from trusted JupyterLab UI. A notebook with a pre-saved HTML cell output containing a deceptive button can trigger arbitrary JupyterLab commands - including arbitrary code execution - on a single user click, without any code being submitted for execution by the user. This vulnerability is fixed in 4.5.7.
osv CVSS4.0
9.9
- https://security-tracker.debian.org/tracker/CVE-2026-42557 Vendor Advisory
Published: 13 May 2026 · Updated: 14 May 2026 · First seen: 14 May 2026