ГлавнаяУязвимости → CVE-2026-42557
9.6критическая

CVE-2026-42557

Описание

jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to 4.5.7, JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all click events on document.body and executes the named command without checking whether the element came from trusted JupyterLab UI. A notebook with a pre-saved HTML cell output containing a deceptive button can trigger arbitrary JupyterLab commands - including arbitrary code execution - on a single user click, without any code being submitted for execution by the user. This vulnerability is fixed in 4.5.7.

Затрагиваемое ПО
Jupyter JupyterlabJupyter Notebook
CVSS
Балл9.6 — критическая
ВекторCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Источники
https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-mqcg-5x36-vfcghttps://access.redhat.com/security/cve/CVE-2026-42557https://bugzilla.redhat.com/show_bug.cgi?id=2477086https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42557.json