GHSA-mqcg-5x36-vfcg

Source
https://github.com/advisories/GHSA-mqcg-5x36-vfcg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-mqcg-5x36-vfcg/GHSA-mqcg-5x36-vfcg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mqcg-5x36-vfcg
Aliases
Related
Published
2026-05-06T21:43:44Z
Modified
2026-05-15T11:11:10.345567780Z
Severity
  • 8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
JupyterLab's command linker attributes in HTML enable one-click command execution from untrusted content
Details

JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all click events on document.body and executes the named command without checking whether the element came from trusted JupyterLab UI. A notebook with a pre-saved HTML cell output containing a deceptive button can trigger arbitrary JupyterLab commands - including arbitrary code execution - on a single user click, without any code being submitted for execution by the user.

Impact

An attacker who shares a notebook or a Markdown file - via email, GitHub, or a Binder link - can invoke an arbitrary command upon a single click by the victim. The button can be rendered inside the output area and be visually indistinguishable from a legitimate widget. No kernel needs to start; the HTML output is stored in the notebook file and displayed immediately on open.
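Because the malicious button lives in the saved notebook file rather than in any kernel output, it can be found at rest. The following Python script is an added defender-side example, not code from the advisory or from the JupyterLab project: it walks a notebook's JSON, looks at the places JupyterLab renders without the user running anything (text/html payloads in saved code-cell outputs and raw HTML in markdown cells), and reports every element carrying the two allowlisted attributes named above. It assumes the nbformat 4 layout (a cells list, outputs with a data dict keyed by MIME type); the sample notebook and the command name in it are constructed placeholders.

```python
import json
import sys
from html.parser import HTMLParser

# The two attributes the advisory names as allowlisted by JupyterLab's sanitizer.
COMMAND_LINKER_ATTRS = frozenset(
    ("data-commandlinker-command", "data-commandlinker-args")
)


class _LinkerAttrFinder(HTMLParser):
    """Records every start tag that carries a command-linker attribute."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        found = {name: value for name, value in attrs if name in COMMAND_LINKER_ATTRS}
        if found:
            self.hits.append({"tag": tag, "attrs": found})


def _as_text(value):
    """nbformat stores text either as one string or as a list of line strings."""
    return "".join(value) if isinstance(value, list) else (value or "")


def _scan_html(html, cell_index, location):
    parser = _LinkerAttrFinder()
    parser.feed(html)
    parser.close()
    return [dict(cell=cell_index, location=location, **hit) for hit in parser.hits]


def find_command_linker_elements(notebook):
    """Return every element with command-linker attributes stored in a notebook dict.

    Two locations are rendered on open without any user-triggered execution:
    - text/html payloads of saved code-cell outputs (display_data / execute_result)
    - raw HTML inside markdown cell sources
    """
    findings = []
    for i, cell in enumerate(notebook.get("cells", [])):
        cell_type = cell.get("cell_type")
        if cell_type == "markdown":
            findings += _scan_html(_as_text(cell.get("source")), i, "source")
        elif cell_type == "code":
            for j, out in enumerate(cell.get("outputs", [])):
                if out.get("output_type") not in ("display_data", "execute_result"):
                    continue
                html = out.get("data", {}).get("text/html")
                if html:
                    findings += _scan_html(_as_text(html), i, f"outputs[{j}]")
    return findings


def scan_notebook_file(path):
    """Load an .ipynb file from disk and return its findings."""
    with open(path, encoding="utf-8") as fh:
        return find_command_linker_elements(json.load(fh))


# Constructed sample notebook (not taken from the advisory); the command name
# "example:hypothetical-command" is a placeholder, not a real JupyterLab command.
SAMPLE_NOTEBOOK = {
    "nbformat": 4, "nbformat_minor": 5, "metadata": {},
    "cells": [
        {"cell_type": "markdown", "metadata": {}, "source": ["# Report\n", "Plain text.\n"]},
        {"cell_type": "code", "metadata": {}, "execution_count": 1, "source": "print('hi')",
         "outputs": [{"output_type": "display_data", "metadata": {},
                      "data": {"text/plain": ["<HTML object>"],
                               "text/html": ["<button class=\"jp-Button\" ",
                                             "data-commandlinker-command=\"example:hypothetical-command\" ",
                                             "data-commandlinker-args='{\"n\": 1}'>Run</button>"]}}]},
        {"cell_type": "code", "metadata": {}, "execution_count": 2, "source": "1 + 1",
         "outputs": [{"output_type": "execute_result", "execution_count": 2, "metadata": {},
                      "data": {"text/plain": ["2"]}}]},
        {"cell_type": "markdown", "metadata": {},
         "source": "Click <button data-commandlinker-command=\"example:other\">here</button>"},
    ],
}

if __name__ == "__main__":
    # Usage: python scan_linker.py notebook1.ipynb notebook2.ipynb ...
    # With no arguments the constructed sample notebook is scanned instead.
    targets = [(p, scan_notebook_file(p)) for p in sys.argv[1:]] or \
              [("<sample>", find_command_linker_elements(SAMPLE_NOTEBOOK))]
    for path, hits in targets:
        for h in hits:
            print(f"{path}: cell {h['cell']} {h['location']} <{h['tag']}> {h['attrs']}")
```

A hit is not proof of malice (legitimate documentation may use command links, which is what the linked JupyterLab docs describe), but in a notebook received from an untrusted source it is exactly the content this advisory warns about and worth reviewing before the file is opened in an unpatched JupyterLab.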

Single-click impact

An attacker convincing the victim to click on a single button or link can:
  • execute arbitrary code in the available kernels,
  • delete files, leading to information loss; in principle the loss could be unrecoverable, depending on server configuration and attack complexity,
  • open multiple kernels/terminals at once, or create multiple files at once, putting significant stress on the server and thus denying availability to other users of a standalone multi-tenant jupyter-server deployment, and to a lesser degree impacting availability on JupyterHub deployments.

The arbitrary code execution will be immediately visible to the user and can be halted by timely user intervention. The deletion of files can be silent and go unnoticed for some time.

Multi-click attacks

An attacker who convinces the victim to click on multiple buttons in specific order and to grant access to clipboard (or in scenarios where the user already granted keyboard access) can obtain full access to the terminal and execute arbitrary commands in the environment with access scope that might exceed that of available kernels. Only users of Chromium-based browsers are susceptible to this expanded variant of the attack.

The execution of commands in the terminal would be immediately visible to the user.

Impact of third-party extensions

The impact described above assumes a plain JupyterLab/Notebook installation. In environments with frontend extensions that contribute additional commands, the attack surface grows by the functionality those commands expose.

Patches

JupyterLab 4.5.7

Workarounds

No workarounds are available for end-users.

Downstream applications inheriting from JupyterFrontEnd or JupyterLab can effectively disable the CommandLinker by passing the commandLinker: new CommandLinker({ commands: new CommandRegistry() }) option in the initialization options; with an empty command registry, no named command can be resolved and executed from a click.

Hardening

The patched versions include a toggle to disable the command linker functionality altogether, for example via overrides.json:

{
  "@jupyterlab/apputils-extension:sanitizer": {
    "allowCommandLinker": false
  }
}

Resources

  • https://jupyterlab.readthedocs.io/en/latest/user/commands.html#commands-in-markdown-files
Database specific
{
    "github_reviewed": true,
    "severity": "HIGH",
    "nvd_published_at": "2026-05-13T16:16:48Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed_at": "2026-05-06T21:43:44Z"
}
References

Affected packages

PyPI / jupyterlab

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version: all previous versions are affected)
Fixed
4.5.7

Affected versions

0.*
0.0.1
0.0.2
0.0.3
0.0.4
0.0.5
0.0.6
0.0.7
0.0.8
0.0.9
0.0.10
0.0.13
0.1.1
0.1.2
0.2.0
0.3.0
0.4.0
0.4.1
0.5.0
0.6.0
0.7.0
0.8.0
0.9.0
0.9.1
0.10.0
0.11.0
0.11.1
0.11.2
0.11.3
0.12.0
0.12.1
0.13.0
0.13.1
0.13.2
0.14.0
0.15.0
0.15.1
0.16.0
0.16.2
0.17.0
0.17.1
0.17.2
0.17.4
0.17.5
0.18.0.dev1
0.18.0
0.18.1
0.19.0
0.20.0rc1
0.20.0
0.20.1
0.20.2
0.20.3
0.20.4
0.21.0rc1
0.21.0rc2
0.21.0rc3
0.21.0rc4
0.21.0rc5
0.21.0
0.22.0rc0
0.22.0
0.22.1
0.23.0rc0
0.23.0rc1
0.23.0
0.23.1
0.23.2
0.24.0rc0
0.24.0rc1
0.24.0rc2
0.24.0
0.24.1
0.25.0rc0
0.25.0rc1
0.25.0
0.25.1
0.25.2rc0
0.25.2
0.26.0rc0
0.26.0rc1
0.26.0
0.26.1
0.26.2
0.26.3
0.26.4
0.26.5
0.27.0rc0
0.27.0rc1
0.27.0rc2
0.27.0rc3
0.27.0rc4
0.27.0rc5
0.27.0
0.27.1
0.27.2
0.28.0rc0
0.28.0rc1
0.28.0rc2
0.28.0rc3
0.28.0
0.28.1
0.28.2
0.28.3
0.28.4
0.28.5
0.28.6
0.28.7
0.28.8
0.28.10
0.28.11
0.28.12
0.28.13
0.28.14
0.28.15
0.29.0rc0
0.29.0
0.29.1
0.29.2
0.30.0rc0
0.30.0rc1
0.30.0
0.30.1
0.30.2
0.30.3
0.30.4
0.30.5
0.30.6
0.31.0rc0
0.31.0rc1
0.31.0rc2
0.31.0
0.31.1
0.31.2
0.31.3
0.31.4
0.31.5
0.31.6
0.31.7
0.31.8
0.31.9
0.31.10
0.31.11
0.31.12
0.32.0rc0
0.32.0rc1
0.32.0
0.32.1
0.33.0rc0
0.33.0rc1
0.33.0
0.33.1
0.33.2
0.33.3
0.33.4
0.33.5
0.33.6
0.33.7
0.33.8
0.33.9
0.33.10
0.33.11
0.33.12
0.34.0rc0
0.34.0rc1
0.34.0rc2
0.34.0
0.34.1
0.34.2
0.34.3
0.34.4
0.34.5
0.34.6
0.34.7
0.34.8
0.34.9
0.34.10
0.34.11
0.34.12
0.35.0rc0
0.35.0rc1
0.35.0rc2
0.35.0
0.35.1
0.35.2
0.35.3
0.35.4
0.35.5
0.35.6
1.*
1.0.0a0
1.0.0a1
1.0.0a2
1.0.0a3
1.0.0a4
1.0.0a5
1.0.0a6
1.0.0a7
1.0.0a8
1.0.0a9
1.0.0a10
1.0.0rc0
1.0.0rc1
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.9
1.0.10
1.1.0a0
1.1.0a1
1.1.0a2
1.1.0rc0
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.2.0a0
1.2.0a1
1.2.0a2
1.2.0a3
1.2.0rc0
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9
1.2.10
1.2.11
1.2.12
1.2.13
1.2.14
1.2.15
1.2.16
1.2.17
1.2.18
1.2.19
1.2.20
1.2.21
2.*
2.0.0a0
2.0.0a1
2.0.0a3
2.0.0a4
2.0.0b1
2.0.0b2
2.0.0b3
2.0.0rc0
2.0.0rc1
2.0.0rc2
2.0.0
2.0.1rc0
2.0.1
2.0.2
2.1.0a0
2.1.0b0
2.1.0rc0
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.2.0a0
2.2.0a1
2.2.0rc1
2.2.0
2.2.1
2.2.2
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.3.0a0
2.3.0a1
2.3.0a2
2.3.0rc0
2.3.0
2.3.1
2.3.2
3.*
3.0.0a0
3.0.0a3
3.0.0a4
3.0.0a5
3.0.0a6
3.0.0a7
3.0.0a8
3.0.0a9
3.0.0a10
3.0.0a11
3.0.0a12
3.0.0a13
3.0.0a14
3.0.0b1
3.0.0b2
3.0.0b3
3.0.0b4
3.0.0b6
3.0.0b7
3.0.0b8
3.0.0rc0
3.0.0rc1
3.0.0rc2
3.0.0rc3
3.0.0rc4
3.0.0rc5
3.0.0rc6
3.0.0rc7
3.0.0rc8
3.0.0rc9
3.0.0rc10
3.0.0rc11
3.0.0rc12
3.0.0rc13
3.0.0rc14
3.0.0rc15
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
3.0.13
3.0.14
3.0.15
3.0.16
3.0.17
3.0.18
3.1.0a0
3.1.0a1
3.1.0a2
3.1.0a3
3.1.0a4
3.1.0a5
3.1.0a6
3.1.0a7
3.1.0a8
3.1.0a9
3.1.0a10
3.1.0a11
3.1.0a12
3.1.0a13
3.1.0b0
3.1.0b1
3.1.0rc1
3.1.0rc2
3.1.0
3.1.1
3.1.2
3.1.4
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.16
3.1.17
3.1.18
3.1.19
3.2.0a0
3.2.0a1
3.2.0b0
3.2.0rc0
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8
3.2.9
3.3.0a1
3.3.0a2
3.3.0a3
3.3.0b0
3.3.0rc0
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.4.0a0
3.4.0b0
3.4.0rc0
3.4.0
3.4.1
3.4.2
3.4.3
3.4.4
3.4.5
3.4.6
3.4.7
3.4.8
3.5.0a0
3.5.0b0
3.5.0rc0
3.5.0
3.5.1
3.5.2
3.5.3
3.6.0a0
3.6.0a1
3.6.0a2
3.6.0a3
3.6.0a4
3.6.0a5
3.6.0b0
3.6.0rc0
3.6.0rc1
3.6.0
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.6.7
3.6.8
4.*
4.0.0a0
4.0.0a1
4.0.0a3
4.0.0a4
4.0.0a6
4.0.0a7
4.0.0a8
4.0.0a9
4.0.0a10
4.0.0a11
4.0.0a12
4.0.0a13
4.0.0a14
4.0.0a15
4.0.0a16
4.0.0a17
4.0.0a18
4.0.0a19
4.0.0a20
4.0.0a21
4.0.0a22
4.0.0a23
4.0.0a24
4.0.0a25
4.0.0a26
4.0.0a27
4.0.0a28
4.0.0a29
4.0.0a30
4.0.0a31
4.0.0a32
4.0.0a33
4.0.0a34
4.0.0a35
4.0.0a36
4.0.0b0
4.0.0b1
4.0.0b2
4.0.0rc0
4.0.0rc1
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.0.9
4.0.10
4.0.11
4.0.12
4.0.13
4.1.0a1
4.1.0a2
4.1.0a3
4.1.0a4
4.1.0b0
4.1.0b1
4.1.0b2
4.1.0rc0
4.1.0rc1
4.1.0
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.1.7
4.1.8
4.2.0a0
4.2.0a1
4.2.0a2
4.2.0b0
4.2.0b1
4.2.0b2
4.2.0b3
4.2.0rc0
4.2.0
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.2.7
4.3.0a0
4.3.0a1
4.3.0a2
4.3.0b0
4.3.0b1
4.3.0b2
4.3.0b3
4.3.0rc0
4.3.0rc1
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5
4.3.6
4.3.7
4.3.8
4.4.0a0
4.4.0a1
4.4.0a2
4.4.0a3
4.4.0b0
4.4.0b1
4.4.0b2
4.4.0rc0
4.4.0rc1
4.4.0
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5
4.4.6
4.4.7
4.4.8
4.4.9
4.4.10
4.5.0a0
4.5.0a1
4.5.0a2
4.5.0a3
4.5.0a4
4.5.0b0
4.5.0b1
4.5.0rc0
4.5.0rc1
4.5.0
4.5.1
4.5.2
4.5.3
4.5.4
4.5.5
4.5.6

Database specific

last_known_affected_version_range
"<= 4.5.6"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-mqcg-5x36-vfcg/GHSA-mqcg-5x36-vfcg.json"

PyPI / notebook

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.5.6

Affected versions

7.*
7.0.0
7.0.1
7.0.2
7.0.3
7.0.4
7.0.5
7.0.6
7.0.7
7.0.8
7.1.0a0
7.1.0a1
7.1.0a2
7.1.0b0
7.1.0rc0
7.1.0rc1
7.1.0
7.1.1
7.1.2
7.1.3
7.2.0a0
7.2.0b0
7.2.0b1
7.2.0rc0
7.2.0rc1
7.2.0
7.2.1
7.2.2
7.2.3
7.3.0a0
7.3.0a1
7.3.0b0
7.3.0b1
7.3.0b2
7.3.0rc0
7.3.0
7.3.1
7.3.2
7.3.3
7.4.0a0
7.4.0a1
7.4.0a2
7.4.0a3
7.4.0b0
7.4.0b1
7.4.0b2
7.4.0b3
7.4.0rc0
7.4.0
7.4.1
7.4.2
7.4.3
7.4.4
7.4.5
7.4.6
7.4.7
7.5.0a0
7.5.0a1
7.5.0a2
7.5.0a3
7.5.0b0
7.5.0b1
7.5.0rc0
7.5.0rc1
7.5.0
7.5.1
7.5.2
7.5.3
7.5.4
7.5.5

Database specific

last_known_affected_version_range
"<= 7.5.5"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-mqcg-5x36-vfcg/GHSA-mqcg-5x36-vfcg.json"